Bug 1249165

Summary: certmonger rekey command not usable
Product: Red Hat Enterprise Linux 8
Reporter: Kaleem <ksiddiqu>
Component: certmonger
Assignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA
QA Contact: Kaleem <ksiddiqu>
Severity: medium
Priority: unspecified
Version: ---
CC: mkosek, myusuf, nalin, nsoman, pcech, pvoborni, rcritten
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Linux
Fixed In Version: certmonger-0.79.7-14.el8
Doc Type: If docs needed, set a value
Last Closed: 2020-11-04 02:51:52 UTC
Type: Bug
Bug Blocks: 1087932

Description Kaleem 2015-07-31 17:13:21 UTC
Description of problem:
rekey subcommand does not seem to be working

[root@nocp6 ~]# getcert rekey -i test -g 2048
Unrecognized parameter or wrong value type.
[root@nocp6 ~]# getcert rekey -i test -G RSA -g 2048
Unrecognized parameter or wrong value type.
[root@nocp6 ~]# getcert rekey -i test -G RSA 
Unrecognized parameter or wrong value type.
[root@nocp6 ~]#

Also, no man page for rekey

[root@nocp6 ~]# man getcert-rekey
No manual entry for getcert-rekey
[root@nocp6 ~]# rpm -ql certmonger |grep rekey

We man page for these two options 

  -G TYPE	type of new key to be generated
  -g SIZE	size of new key to be generated

Which key types and key sizes are supported?

Version-Release number of selected component (if applicable):
[root@nocp6 ~]# rpm -q certmonger
certmonger-0.78.3-1.el7.x86_64
[root@nocp6 ~]# 

How reproducible:
Always

Comment 2 Nalin Dahyabhai 2015-07-31 17:30:11 UTC
The "modify" call's logic doesn't accept requests to change the key type or size, which "getcert rekey" is asking it to do.  Both should be fixed in upstream master before long.

Comment 3 Kaleem 2015-08-04 10:42:18 UTC
I saw the following in the RFE bug for the rekey feature, where the bug is targeted for the RHEL-7.3 release.

https://bugzilla.redhat.com/show_bug.cgi?id=1087932#c8

It means that any reference to rekey should not be there in the RHEL-7.2 certmonger build, right?

Comment 4 Nalin Dahyabhai 2015-08-04 16:49:39 UTC
It was deferred, but we hadn't patched out what was there when that decision was made.  We could patch it out of 'getcert' and disconnect the API endpoint, and not backport the man page when it's finished.

Comment 5 Martin Kosek 2015-08-05 10:09:58 UTC
Please see Bug 1250397; we should simply hide/remove the feature in 7.2, so as not to cause a bad experience for RHEL users.

Comment 11 Rob Crittenden 2020-02-17 20:32:50 UTC
I don't recall doing any work specifically on this command but it does seem to be working:

# ipa-getcert request  -f /etc/pki/tls/certs/test.pem -k /etc/pki/tls/private/test.key -K test/`hostname`
# cp /etc/pki/tls/private/test.key /tmp
# getcert rekey -i  20200217202832 -g 2048
# diff -q /etc/pki/tls/private/test.key  /tmp/test.key 
Files /etc/pki/tls/private/test.key and /tmp/test.key differ

A man page was added in upstream 3ef635ea49e896028a5a70baad03a45f6e9b39af in certmonger-0.79+ in 2015.

Comment 12 Florence Blanc-Renaud 2020-02-27 09:45:02 UTC
Thank you for taking your time and submitting this request for Red Hat Enterprise Linux 7. Unfortunately, this bug cannot be kept even as a stretch goal and was postponed to RHEL8.

Comment 13 Rob Crittenden 2020-06-03 19:19:36 UTC
This works for me in my testing against IPA, at least as far as I can test it with IPA which has limited key type support.

Create an IPA service:

$ kinit admin
$ ipa service-add test/`hostname`

Get a cert for that service:

# getcert request -f /etc/pki/tls/certs/test.pem -k /etc/pki/tls/private/test.key -K test/`hostname` -I test

Note the modulus and size (2048) of the public key with:

# openssl x509 -text -noout -in /etc/pki/tls/certs/test.pem

Get a new cert with a new size:

# getcert rekey -g 3072 -i test

Note that the key size and modulus are different:

# openssl x509 -text -noout -in /etc/pki/tls/certs/test.pem

Key size is now 3072. 

Using -G will fail against IPA because only RSA keys are supported.

You can look at the CSR that certmonger generated by pulling out the csr value in the request file in /var/lib/certmonger/requests/<id> and running that through:

# openssl req -text -in /path/to/csr

That should show that the CSR has the new key type.

The supported key types are: RSA, DSA, EC and ECDSA

The supported key sizes are: 

RSA and DSA: any size but if the keygen fails it will fall back to the default size, 2048.

EC and ECDSA: if size <= 256 use curve prime256v1, between 257 and 384 use curve secp384r1 and > 384 use secp521r1. There is not currently a way to select the curve.
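A defender-side check for the before/after verification described in this comment, added here as an example and not part of certmonger or the original report. It assumes openssl is in PATH; the demo stands in for the IPA rekey by generating two local RSA keys, and the key paths are constructed.

```shell
#!/bin/sh
# Added example: confirm that "getcert rekey" really produced a new key of the
# requested size, using the modulus comparison from the comment above.
# Assumption: openssl is available; file paths are constructed for the demo.

# Print the hex modulus of a PEM RSA private key (works across openssl versions).
key_modulus() {
    openssl rsa -in "$1" -noout -modulus 2>/dev/null | sed 's/^Modulus=//'
}

# Modulus size in bits; the top bit of an RSA modulus is set, so hex length * 4.
key_bits() {
    m=$(key_modulus "$1")
    echo $(( ${#m} * 4 ))
}

# Return 0 only if the key changed AND the new key has the requested size.
# Usage: verify_rekey /path/to/old.key /path/to/new.key 3072
verify_rekey() {
    old=$1; new=$2; want=$3
    if [ "$(key_modulus "$old")" = "$(key_modulus "$new")" ]; then
        echo "rekey did NOT change the key"; return 1
    fi
    got=$(key_bits "$new")
    if [ "$got" -ne "$want" ]; then
        echo "expected $want-bit key, got $got"; return 1
    fi
    echo "rekey ok: new $got-bit key"
}

# Curve certmonger selects for -G EC/ECDSA given -g SIZE (mapping from the comment).
ec_curve_for_size() {
    if [ "$1" -le 256 ]; then echo prime256v1
    elif [ "$1" -le 384 ]; then echo secp384r1
    else echo secp521r1
    fi
}

# Demo: "sh script.sh demo" generates a 2048-bit "before" key and a 3072-bit
# "after" key locally (constructed stand-ins for the IPA rekey) and checks them.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    openssl genrsa -out "$tmp/before.key" 2048 2>/dev/null
    openssl genrsa -out "$tmp/after.key" 3072 2>/dev/null
    verify_rekey "$tmp/before.key" "$tmp/after.key" 3072
    rm -rf "$tmp"
fi
```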

Comment 18 Mohammad Rizwan 2020-08-05 13:31:24 UTC
Reproducer:
~~~~~~~~~~~
version:
certmonger-0.78.4-4.el7.x86_64

[root@master ~]# ipa-getcert request  -f /etc/pki/tls/certs/test.pem -k /etc/pki/tls/private/test.key -K test/`hostname`
New signing request "20200805132708" added.

[root@master ~]# getcert rekey -i 20200805132708 -g 2048
rekey: unrecognized command
[root@master ~]# 
[root@master ~]# getcert rekey -i 20200805132708 -G RSA -g 2048
rekey: unrecognized command

[root@master ~]#  rpm -ql certmonger |grep rekey


Fix:
~~~~
version:
certmonger-0.79.7-15.el8.x86_64


[root@master ~]# ipa-getcert request  -f /etc/pki/tls/certs/test.pem -k /etc/pki/tls/private/test.key -K test/`hostname`
New signing request "20200805101404" added.

[root@master ~]# cp /etc/pki/tls/private/test.key /tmp

[root@master ~]# getcert rekey -i 20200805101404 -g 2048
Resubmitting "20200805101404" to "IPA".

[root@master ~]#  diff -q /etc/pki/tls/private/test.key  /tmp/test.key 
Files /etc/pki/tls/private/test.key and /tmp/test.key differ

[root@master ~]#  openssl x509 -text -noout -in /etc/pki/tls/certs/test.pem
Certificate:
[..]
                RSA Public-Key: (2048 bit)
                Modulus:
[..]


[root@master ~]# getcert rekey -i 20200805101404 -g 3072
Resubmitting "20200805101404" to "IPA".


[root@master ~]#  openssl x509 -text -noout -in /etc/pki/tls/certs/test.pem
Certificate:
[..]
                RSA Public-Key: (3072 bit)
                Modulus:
[..]

[root@master ~]# rpm -ql certmonger |grep rekey
/usr/share/man/man1/getcert-rekey.1.gz

[root@master ~]# man getcert-rekey
[..]
-G TYPE, --key-type=TYPE
              In case a new key pair needs to be generated, this option specifies the type of the keys to be generated.  If
              not specified, the current key type will be used.

-g BITS, --key-size=BITS
              This option specifies the size of the new key to be generated.  If not specified, a key of the same  size  as
              the existing key will be generated.
[..]


Based on the above results, marking the bug as verified.

Comment 21 Mohammad Rizwan 2020-08-18 08:57:10 UTC
version:
4.8.7-8.module+el8.3.0+7513+a375844a

[..]
2020-08-18T08:48:04+0000 
2020-08-18T08:48:04+0000 ------------------ generated xml file: /tmp/wp/twd/junit.xml -------------------
2020-08-18T08:48:04+0000 ------------- generated html file: file:///tmp/wp/twd/report.html --------------
2020-08-18T08:48:04+0000 ========================== 4 passed in 518.56 seconds ==========================
2020-08-18T08:48:04+0000 RETURN CODE: 0
2020-08-18T08:48:04+0000 REMOTE COMMAND STEP END
[..]

Automation passed. report.html attached for reference. Marking the bug as verified.

Comment 26 errata-xmlrpc 2020-11-04 02:51:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (certmonger bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4671