Bug 409720

Summary: CA update not workong
Product: [Applications] kleopatra Reporter: wannespam
Component: generalAssignee: Andre Heinecke <aheinecke>
Status: REPORTED ---    
Severity: normal CC: mutz, pim-bugs-null, tuju
Priority: NOR    
Version First Reported In: unspecified   
Target Milestone: ---   
Platform: Debian stable   
OS: Linux   
Latest Commit: Version Fixed/Implemented In:
Sentry Crash Report:

Description wannespam 2019-07-11 14:55:45 UTC 
SUMMARY
If you have a old outdated CA-Certificate and a newer one kleopatra validates against the old one and thinks the certificates signed by it aren't trustworthy.
This is especially annoying since you even can't remove the old CA since removing a CA will result in removing all certificates singed by it.
So please make an easy CA replacement possible.


STEPS TO REPRODUCE
1. Import a CA-certificate (A) with an near in the future laying enddate 
2. Import a longer valid certificate (B) that is signed by this CA.
3. Import a longer valid CA-certificate (C) for the same CA.
4. Wait until the first CA-certificate (A) runs out. 

OBSERVED RESULT
The certificate (B) is no longer trusted also there is a path to a existing, trusted CA (C).

EXPECTED RESULT
Kleopatra should validate against the still trusted CA.