Bug 1308852

Summary: [RFE] Provide the user the ability to import their own CA certificate with private key
Product: Red Hat Enterprise Linux 7
Reporter: Marcel Kolaja <mkolaja>
Component: pki-core
Assignee: Endi Sukma Dewata <edewata>
Status: CLOSED ERRATA
QA Contact: Asha Akkiangady <aakkiang>
Severity: high
Docs Contact:
Priority: high
Version: 7.3
CC: alee, arubin, bbonok, dpal, edewata, enewland, gkapoor, jkurik, jmagne, ksiddiqu, mharmsen, mniranja, nkinder, spoore
Target Milestone: rc
Keywords: FutureFeature, ZStream
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: pki-core-10.2.5-8.el7_2
Doc Type: Enhancement
Doc Text:
The deployment procedure for external CA has been modified to generate the CA Certificate Signing Request (CSR) before starting the server. This allows the same procedure to be used for importing a CA certificate from an existing server. In addition, it is no longer required to keep the server running while waiting to get the CSR signed by an external CA. The "pki ca-cert-request-submit" command now provides options to specify the profile name and the CSR, which is then used to create and populate the request object. As a result, it is no longer necessary to download the request template and insert the CSR manually. A new "pki-server subsystem-cert-export" command exports a system certificate, the CSR, and the key. This command can be used to migrate a system certificate into another instance. The manual pages have been updated to reflect these changes. The installation code for installing an Identity Management (IdM) server with an external CA has been fixed so that IdM can detect whether step 1 of the installation process was completed properly. The code that handles certificate data conversion has been fixed to reformat base-64 data for Privacy Enhanced Mail (PEM) output correctly.
Story Points: ---
Clone Of: 1289323
Environment:
Last Closed: 2016-05-12 09:57:07 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1289323, 1310195
Bug Blocks:
Attachments:
  Description: pki-core-Use-correct-textual-encoding-for-PKCS-7-objects.patch
  Flags: mharmsen: review+

Description Marcel Kolaja 2016-02-16 09:41:41 UTC
This bug has been copied from bug #1289323 and has been proposed
to be backported to 7.2 z-stream (EUS).

Comment 3 Matthew Harmsen 2016-02-17 18:34:15 UTC
Pushed to DOGTAG_10_2_5_RHEL_BRANCH:

commit afc2ffb30fb5446ff0e78bfc7a0ef05c8e7bcb67
Author: Endi S. Dewata <edewata>
Date:   Thu Nov 12 00:23:26 2015 +0100

    Added support for existing CA case.
    
    The deployment procedure for external CA has been modified
    such that it generates the CA CSR before starting the server.
    This allows the same procedure to be used to import CA
    certificate from an existing server. It also removes the
    requirement to keep the server running while waiting to get
    the CSR signed by an external CA.
    
    The pki ca-cert-request-submit command has been modified to
    provide options to specify the profile name and the CSR which
    will be used to create and populate the request object. This
    way it's no longer necessary to download the request template
    and insert the CSR manually.
    
    A new pki-server subsystem-cert-export command has been added
    to export a system certificate, the CSR, and the key. This
    command can be used to migrate a system certificate into another
    instance.
    
    The man pages have been updated to reflect these changes.
    
    The installation code for external CA case has been fixed such
    that IPA can detect step 1 completion properly.
    
    The code that handles certificate data conversion has been fixed
    to reformat base-64 data for PEM output properly.
    
    The installation summary for step 1 has been updated to provide
    more accurate information.
    
    https://fedorahosted.org/pki/ticket/456

Comment 4 Matthew Harmsen 2016-02-19 17:18:03 UTC
--- Endi Sukma Dewata 2016-02-17 22:45:15 EST ---

Verification steps:

---------
On host 1
---------

1. Create DS instance
2. Create CA deployment config (ca.cfg):

[CA]
pki_admin_email=caadmin
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password=Secret123
pki_admin_uid=caadmin
pki_backup_keys=True
pki_backup_password=Secret123
pki_client_database_password=Secret123
pki_client_database_purge=False
pki_client_pkcs12_password=Secret123
pki_ds_base_dn=dc=ca,dc=example,dc=com
pki_ds_database=ca
pki_ds_password=Secret123
pki_security_domain_name=EXAMPLE
pki_token_password=Secret123

3. Install CA: pkispawn -f ca.cfg -s CA

4. Export CA signing cert, key, and CSR: pki-server subsystem-cert-export ca signing --csr-file ca_signing.csr --pkcs12-file ca.p12

5. Copy ca_signing.crt and ca_signing.csr to /tmp on host 2

6. Export NSS db password: grep internal= /var/lib/pki/pki-tomcat/conf/password.conf | awk -F= '{print $2;}' > internal.txt

7. Note the key ID of the CA signing cert: certutil -K -d /var/lib/pki/pki-tomcat/alias/ -f internal.txt

< 0> rsa      06b218333b1d518847bc6e16f584e3b91b1186b6   caSigningCert cert-pki-tomcat CA

---------
On host 2
---------

7.5. Create DS instance on host 2

8. Create CA deployment config for step 1 (ca-step1.cfg):

[CA]
pki_admin_email=caadmin
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password=Secret123
pki_admin_uid=caadmin
pki_backup_keys=True
pki_backup_password=Secret123
pki_client_database_password=Secret123
pki_client_database_purge=False
pki_client_pkcs12_password=Secret123
pki_ds_base_dn=dc=ca,dc=example,dc=com
pki_ds_database=ca
pki_ds_password=Secret123
pki_security_domain_name=EXAMPLE
pki_token_password=Secret123

pki_external=True
pki_external_step_two=False

9. Install CA step 1: pkispawn -f ca-step1.cfg -s CA

10. Create CA deployment config for step 2 (ca-step2.cfg):

[CA]
pki_admin_email=caadmin
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password=Secret123
pki_admin_uid=caadmin
pki_backup_keys=True
pki_backup_password=Secret123
pki_client_database_password=Secret123
pki_client_database_purge=False
pki_client_pkcs12_password=Secret123
pki_ds_base_dn=dc=ca,dc=example,dc=com
pki_ds_database=ca
pki_ds_password=Secret123
pki_security_domain_name=EXAMPLE
pki_token_password=Secret123

pki_external=True
pki_external_step_two=True
pki_external_csr_path=/tmp/ca_signing.csr
pki_external_pkcs12_path=/tmp/ca.p12
pki_external_pkcs12_password=Secret123

11. Install CA step 2: pkispawn -f ca-step2.cfg -s CA

12. Export NSS db password: grep internal= /var/lib/pki/pki-tomcat/conf/password.conf | awk -F= '{print $2;}' > internal.txt

13. Verify that the key ID of the CA signing cert matches the one in step #7: certutil -K -d /var/lib/pki/pki-tomcat/alias/ -f internal.txt

< 0> rsa      06b218333b1d518847bc6e16f584e3b91b1186b6   caSigningCert cert-pki-tomcat CA

Note that the key ID of the other certificates will not match.
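The check in steps 7 and 13 above is a manual eyeball comparison of two certutil listings. The script below is an added example, not part of this bug or of pki-core: it parses the certutil -K listing format shown in the comment, extracts the key ID for one nickname, reports whether the CA signing key on host 2 matches the one exported from host 1, reads the internal token password from a password.conf fragment the way step 6 does, and wraps a raw base-64 blob into 64-column PEM lines (the reformatting the fix in this bug addresses for certificate conversion output). The certutil output, password.conf content and base-64 blob are constructed samples embedded inline; the second key ID and the OCSP nickname are invented for illustration, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug or from pki-core): helpers for the
# key-ID comparison and PEM reformatting discussed in this bug.

# Constructed sample of `certutil -K -d <alias dir> -f internal.txt`
# on host 1 (the CA signing line is the one quoted in comment 4; the
# OCSP line and its key ID are invented for illustration).
SAMPLE_CERTUTIL_HOST1='certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      06b218333b1d518847bc6e16f584e3b91b1186b6   caSigningCert cert-pki-tomcat CA
< 1> rsa      1111111111111111111111111111111111111111   ocspSigningCert cert-pki-tomcat CA'

# Constructed sample for host 2 after step 2 of the external-CA install:
# the signing key was migrated (same ID), every other key was freshly
# generated (different ID), exactly as the note above describes.
SAMPLE_CERTUTIL_HOST2='certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      06b218333b1d518847bc6e16f584e3b91b1186b6   caSigningCert cert-pki-tomcat CA
< 1> rsa      2222222222222222222222222222222222222222   ocspSigningCert cert-pki-tomcat CA'

# Constructed sample of /var/lib/pki/pki-tomcat/conf/password.conf.
SAMPLE_PASSWORD_CONF='internal=Secret123
internaldb=Secret123'

# Constructed base-64 payload: 70 characters, so a 64-column wrap is needed.
SAMPLE_B64=$(awk 'BEGIN { for (i = 0; i < 70; i++) printf "A"; printf "\n" }')

# key_id_for_nickname <certutil -K output> <nickname>
# Prints the key ID of the first key whose nickname matches exactly.
# Each key line looks like "< 0> rsa   <keyid>   <nickname words...>";
# the "< n>" slot prefix is stripped so the key type is $1, the ID $2
# and the remaining fields form the nickname.
key_id_for_nickname() {
    printf '%s\n' "$1" | awk -v nick="$2" '
        /^<[ 0-9]*>/ {
            sub(/^<[ 0-9]*>[ \t]*/, "")
            id = $2
            name = ""
            for (i = 3; i <= NF; i++) name = name (i > 3 ? " " : "") $i
            if (name == nick) { print id; exit }
        }'
}

# signing_key_migrated <host1 output> <host2 output> <nickname>
# Succeeds only when the nickname exists on host 1 and carries the same
# key ID on host 2, i.e. the private key really was imported from the
# PKCS #12 file rather than regenerated.
signing_key_migrated() {
    a=$(key_id_for_nickname "$1" "$3")
    b=$(key_id_for_nickname "$2" "$3")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# nss_internal_password <password.conf content>
# Prints the value of the "internal=" line (the NSS database password),
# anchored at line start so "internaldb=" is not matched by mistake.
nss_internal_password() {
    printf '%s\n' "$1" | sed -n 's/^internal=//p'
}

# pem_from_base64 <label> <base64 data>
# Strips whitespace from the base-64 data and emits a PEM block with
# 64-character lines, as RFC 7468 text encodings expect.
pem_from_base64() {
    printf -- '-----BEGIN %s-----\n' "$1"
    printf '%s' "$2" | tr -d ' \t\r\n' | fold -w 64
    printf '\n-----END %s-----\n' "$1"
}

# Stand-alone run: report the comparison for the CA signing cert.
if signing_key_migrated "$SAMPLE_CERTUTIL_HOST1" "$SAMPLE_CERTUTIL_HOST2" \
        "caSigningCert cert-pki-tomcat CA"; then
    echo "CA signing key ID matches on both hosts"
else
    echo "CA signing key ID differs: migration failed"
fi
```

On a real system the two listings would come from `certutil -K -d /var/lib/pki/pki-tomcat/alias/ -f internal.txt` on each host, with `internal.txt` produced by `nss_internal_password` applied to `password.conf`; the nickname must be passed exactly as certutil prints it, including the "cert-pki-tomcat CA" suffix.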

Comment 17 Endi Sukma Dewata 2016-03-17 19:17:56 UTC
Created attachment 1137484 [details]
pki-core-Use-correct-textual-encoding-for-PKCS-7-objects.patch

Comment 18 Matthew Harmsen 2016-03-17 23:20:31 UTC
Comment on attachment 1137484 [details]
pki-core-Use-correct-textual-encoding-for-PKCS-7-objects.patch

Code looks good.

Applied patch and successfully installed CA which showed the appropriate changes.

Comment 20 Matthew Harmsen 2016-03-19 00:41:33 UTC
Checked into 'DOGTAG_10_2_5_RHEL_BRANCH':

* cc65e92d87761bf28423718300e8ea53b30b63ba

Comment 21 Geetika Kapoor 2016-03-22 05:52:39 UTC
Verified the below-mentioned scenarios:
-------------------------------------

Test case 1: ==> Works as mentioned in #comment4 
Try same scenario that is mentioned in test case 1 "dev" notes.

a. Create a RootCA.
b. RSA key ID matches and works as expected. Also, the public cert PEM format matches for both keys.
localKeyID: 50 7E FA BE 61 C9 02 FB 02 28 48 76 E9 4C 2F A8 28 E0 E1 F7
localKeyID: 50 7E FA BE 61 C9 02 FB 02 28 48 76 E9 4C 2F A8 28 E0 E1 F7

localKeyID is equivalent to the key ID in X.509 format.

Test case 2: ==> Works as expected
Verified that after step 1 the CA server never starts. It always starts after step 2.

Test Case 3: ==> Works as expected
IPA server installation with external CA (single certificate chain).

Test Case 4: ==> raised bug https://bugzilla.redhat.com/show_bug.cgi?id=1318903
IPA server installation with external CA (chain of CA certificates).

Test case 5: ==> Works as expected
External CA configuration in RHEL 7.2 and RHCS.

Comment 22 Asha Akkiangady 2016-03-22 12:31:30 UTC
Marking it Verified as per comment #21.

Comment 24 errata-xmlrpc 2016-05-12 09:57:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-1042.html