There is an error in CA certificate handling on import starting with 6.30 - the last version working OK being 6.29.1.
ROS 6.29.1 - correct:
CA_Cert_correct_6.29.1.jpg
ROS 6.30.2 - wrong:
CA_Cert_wrong_6.32.1.jpg
(BTW, it is the same certificate in both cases).
Now any certificate showing the “key cert. sign” and “crl sign” property is a CA certificate (especially if it has ONLY these usage properties).
This also happen if an self signed CA certificate is created in ROS and then exported to another unit. It will still show as a regular certificate instead of an CA.
The same happens if it is imported from a SCEP server, on SCEP signing, when ROS downloads and installs the root certificate (which will not show as a CA).
Talking about SCEP, there is also an issue on getting the full trust chain from the SCEP server: Instead of importing ALL CA certificates (meaning the root and the signing intermediate authority certificate, as offered by SCEPS getCA method), it will only import the root certificate, meaning the trust chain is incomplete and invalid. All CAs MUST be imported on SCEP signing, not only the first one.
FYI: CAs correctly imported by 6.29.1 or earlier will show correctly even after a ROS update, so to reproduce this, you need to delete and then re-import the CA again, which will fail to import. Checking just for the CA certificate is not enough.
I submitted a ticket on the web site, but there was no answer on that submission, so I can not tell you the number.