Bug 1024445

Summary: IPA admin cert is created with SHA1 signing algorithm, should be SHA256
Product: Red Hat Enterprise Linux 7
Reporter: Asha Akkiangady <aakkiang>
Component: pki-core
Assignee: Ade Lee <alee>
Status: CLOSED CURRENTRELEASE
QA Contact: Asha Akkiangady <aakkiang>
Severity: unspecified
Priority: medium
Version: 7.0
CC: alee, cfu, nkinder, nsoman, xdong
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: pki-core-10.0.5-2.el7
Doc Type: Bug Fix
Last Closed: 2014-06-13 12:29:48 UTC
Type: Bug
Bug Blocks: 1024461, 1024462

Description Asha Akkiangady 2013-10-29 16:34:52 UTC
Description of problem:
IPA admin cert is created with SHA1 signing algorithm, should be SHA256.

Version-Release number of selected component (if applicable):
pki-ca-10.0.5-1.el7.noarch

How reproducible:


Steps to Reproduce:
1. CS.cfg after the CA install has this:
  ca.signing.defaultSigningAlgorithm=SHA256withRSA

2. CA's debug log has this:
[28/Oct/2013:18:10:44][http-bio-8443-exec-3]: Creating local certificate... dn=cn=ipa-ca-agent,O=TESTRELM.COM
[28/Oct/2013:18:10:44][http-bio-8443-exec-3]: Cert Template: [
  Version: V3
  Subject: CN=ipa-ca-agent,O=TESTRELM.COM
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  algorithm = RSA, unparsed keybits =

  Validity: [From: Mon Oct 28 18:10:44 EDT 2013,
               To: Mon Oct 28 18:10:44 EDT 2013]
  Issuer: CN=Certificate Authority,O=TESTRELM.COM
  SerialNumber: [    06]

]


Actual results:
Admin/agent cert created with SHA1 algorithm

Expected results:
Admin/agent cert should be created with SHA256 signing algorithm.

Additional info:

Comment 2 Ade Lee 2013-11-01 19:10:10 UTC
Fixed in 10.0.6:

3cdb23de2802cf12a1d5981e8b94b1d1bc0f8e8a

Comment 4 Namita Soman 2014-01-27 14:33:02 UTC
Verified using ipa-server-3.3.3-13.el7.x86_64, pki-core-10.0.5-3.el7

Verified - Admin/agent cert is created with SHA256 signing algorithm.

# cat  /etc/pki/pki-tomcat/ca/CS.cfg | grep ca.signing.defaultSigningAlgorithm
ca.signing.defaultSigningAlgorithm=SHA256withRSA

# vim /var/log/pki/pki-tomcat/ca/debug
<..snip..>
[24/Jan/2014:12:46:50][http-bio-8443-exec-3]: Creating local certificate... issuerdn=cn=Certificate Authority,O=TESTRELM.COM
[24/Jan/2014:12:46:50][http-bio-8443-exec-3]: Creating local certificate... dn=cn=ipa-ca-agent,O=TESTRELM.COM
[24/Jan/2014:12:46:50][http-bio-8443-exec-3]: Cert Template: [
  Version: V3
  Subject: CN=ipa-ca-agent,O=TESTRELM.COM
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  algorithm = RSA, unparsed keybits =

  Validity: [From: Fri Jan 24 12:46:50 EST 2014,
               To: Fri Jan 24 12:46:50 EST 2014]
  Issuer: CN=Certificate Authority,O=TESTRELM.COM
  SerialNumber: [    06]

]
[24/Jan/2014:12:46:50][http-bio-8443-exec-3]: CertUtil: createLocalRequest for serial: 6
<..snip..>
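
The manual check in Comment 4 (compare ca.signing.defaultSigningAlgorithm in CS.cfg with the Signature Algorithm line of each Cert Template block in the CA debug log) can be scripted. The following is an added example, not part of the bug report or of pki-core; the function names and the sample inputs are constructed for illustration.

```python
import re

# Constructed sample inputs modelled on this report's excerpts (not real files).
SAMPLE_CS_CFG = "ca.signing.defaultSigningAlgorithm=SHA256withRSA\n"
SAMPLE_DEBUG_LOG = """\
[28/Oct/2013:18:10:44][http-bio-8443-exec-3]: Cert Template: [
  Subject: CN=ipa-ca-agent,O=TESTRELM.COM
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
  SerialNumber: [    06]
]
[24/Jan/2014:12:46:50][http-bio-8443-exec-3]: Cert Template: [
  Subject: CN=ipa-ca-agent,O=TESTRELM.COM
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
  SerialNumber: [    06]
]
"""

START = re.compile(r"^\[([^\]]+)\]\[[^\]]*\]: Cert Template: \[\s*$")
FIELD = re.compile(r"^\s*(Subject|Signature Algorithm):\s*(.+?)\s*$")

def configured_algorithm(cfg_text):
    """Return the value of ca.signing.defaultSigningAlgorithm, or None."""
    for line in cfg_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "ca.signing.defaultSigningAlgorithm":
            return value.strip()
    return None

def cert_templates(log_text):
    """Yield one dict per 'Cert Template: [' ... ']' block in the debug log."""
    block = None
    for line in log_text.splitlines():
        start = START.match(line)
        if start:
            block = {"time": start.group(1), "subject": None, "algorithm": None}
        elif block is not None and line.strip() == "]":
            yield block
            block = None
        elif block is not None and (field := FIELD.match(line)):
            if field.group(1) == "Subject":
                block["subject"] = field.group(2)
            else:  # keep the algorithm name, drop the ", OID = ..." suffix
                block["algorithm"] = field.group(2).split(",")[0].strip()

def mismatches(cfg_text, log_text):
    """Templates not signed with the configured default (or with no algorithm)."""
    expected = configured_algorithm(cfg_text)
    if expected is None:
        raise ValueError("ca.signing.defaultSigningAlgorithm not set")
    return [t for t in cert_templates(log_text) if t["algorithm"] != expected]
```

On the constructed sample, mismatches() reports only the 28/Oct/2013 template, which carries SHA1withRSA while the configuration asks for SHA256withRSA.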

Comment 5 Ludek Smid 2014-06-13 12:29:48 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.