When importing a certificate into the Java keystore, it is later noticed that the certificate has been removed. Why?
In the audit logs taken from the event, it shows that Centrify is somehow involved:
type=PROCTITLE msg=audit(04/19/2019 12:29:44.622:42373) : proctitle=/usr/bin/trust extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth /etc/pki/ca-trust/extracted/j
type=CWD msg=audit(04/19/2019 12:29:44.622:42373) : cwd=/usr/share/centrifydc/mappers/machine
Cause:
The certificates are removed when the update-ca-trust command is run. Centrify follows the RedHat convention for CA certificate store maintenance and uses RedHat's update-ca-trust command to maintain the store. This is why Centrify appears to be removing the certificates.
When the keytool command (a Java tool, not a RedHat tool) is used to import a CA certificate, it writes the certificate directly into the target keystore file, bypassing RedHat's trust store. The next time RedHat's update-ca-trust is run, any certificate that is not in the /etc/pki/ca-trust/source/anchors directory is not recognized as a trust anchor and is dropped when the keystore is regenerated.
Resolution:
To add a certificate in the simple PEM or DER file formats to the list of CAs trusted on the system:
· add it as a new file to directory /etc/pki/ca-trust/source/anchors/
· run update-ca-trust extract
If the certificate is still getting removed, the following file may be modified so that the update-ca-trust command will not remove the certificate.
Navigate to the /bin directory and edit the update-ca-trust file with vi or your preferred text editor.
Change the following line:
From:
/usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth $DEST/java/cacerts
To:
/usr/bin/p11-kit extract --format=java-cacerts --filter=certificates --overwrite --purpose server-auth $DEST/java/cacerts
Now try importing the certificate again. It should now give an error to the effect of "Certificate already exists in keystore", which indicates the certificate is still there. If the certificate were not present, keytool would instead prompt for the keystore password and ask whether to trust the certificate.
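A script for the supported procedure above, as an added example (not from the Centrify article or the RedHat discussion): it installs the CA through the anchors directory and then checks for it in the extracted Java cacerts by SHA-256 fingerprint, so the check does not depend on a keytool re-import error or on editing /usr/bin/update-ca-trust. It assumes openssl and keytool on PATH, root privileges, the Java default cacerts password changeit, and a hypothetical file /tmp/corp-root.pem.

```shell
#!/bin/sh
# Added example, not from the Centrify article. Installs a PEM CA through the
# anchors directory (the path update-ca-trust understands) and confirms the CA
# is present in the regenerated Java cacerts by SHA-256 fingerprint, a firmer
# check than watching keytool -importcert for "already exists".
# Assumptions: openssl and keytool are on PATH, the script runs as root, and
# the extracted cacerts uses the Java default store password "changeit".
ANCHORS=/etc/pki/ca-trust/source/anchors
JAVA_CACERTS=/etc/pki/ca-trust/extracted/java/cacerts

# SHA-256 fingerprint of a PEM certificate, in keytool's AA:BB:... form.
pem_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Pure text check: does keytool -list -v output ($2) carry SHA-256 fingerprint $1?
# No side effects, so it can be exercised on captured output.
fingerprint_in_listing() {
    [ -n "$1" ] || return 1
    printf '%s\n' "$2" | grep -iq "SHA256: *$1\$"
}

# Supported install path: drop the file into anchors, then regenerate the stores.
install_ca() {
    cp "$1" "$ANCHORS/" && update-ca-trust extract
}

# Succeeds only if the CA in PEM file $1 survived extraction into Java cacerts.
check_ca_in_cacerts() {
    fp=$(pem_fingerprint "$1")
    [ -n "$fp" ] || return 1
    listing=$(keytool -list -v -keystore "$JAVA_CACERTS" -storepass changeit 2>/dev/null)
    fingerprint_in_listing "$fp" "$listing"
}

# Constructed sample of keytool -list -v output (not real keystore contents),
# used to exercise the text check without touching the system trust store.
SAMPLE_FP=11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00
SAMPLE_LISTING="Alias name: example-ca
Creation date: Apr 19, 2019
Entry type: trustedCertEntry

Owner: CN=Example Corp Root CA
Issuer: CN=Example Corp Root CA
Certificate fingerprints:
	 SHA1: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
	 SHA256: $SAMPLE_FP"

# Usage on a host: install_ca /tmp/corp-root.pem && check_ca_in_cacerts /tmp/corp-root.pem
```

Run check_ca_in_cacerts again after any later update-ca-trust or Centrify mapper run to confirm the anchor is still being carried into cacerts.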
A RedHat discussion on this topic can be found here: https://access.redhat.com/discussions/3018271