Bug 1308852
| Field | Value |
|---|---|
| Summary | [RFE] Provide the user the ability to import their own CA certificate with private key |
| Product | Red Hat Enterprise Linux 7 |
| Component | pki-core |
| Version | 7.3 |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Reporter | Marcel Kolaja <mkolaja> |
| Assignee | Endi Sukma Dewata <edewata> |
| QA Contact | Asha Akkiangady <aakkiang> |
| CC | alee, arubin, bbonok, dpal, edewata, enewland, gkapoor, jkurik, jmagne, ksiddiqu, mharmsen, mniranja, nkinder, spoore |
| Target Milestone | rc |
| Keywords | FutureFeature, ZStream |
| Fixed In Version | pki-core-10.2.5-8.el7_2 |
| Doc Type | Enhancement |
| Clone Of | 1289323 |
| Bug Depends On | 1289323, 1310195 |
| Last Closed | 2016-05-12 09:57:07 UTC |

Doc Text:

The deployment procedure for external CA has been modified to generate the CA Certificate Signing Request (CSR) before starting the server. This allows the same procedure to be used for importing a CA certificate from an existing server. In addition, it is no longer required to keep the server running while waiting to get the CSR signed by an external CA.

The "pki ca-cert-request-submit" command now provides options to specify the profile name and the CSR, which is then used to create and populate the request object. As a result, it is no longer necessary to download the request template and insert the CSR manually.

A new "pki-server subsystem-cert-export" command exports a system certificate, the CSR, and the key. This command can be used to migrate a system certificate into another instance.

The manual pages have been updated to reflect these changes.

The installation code for installing an Identity Management (IdM) server with an external CA has been fixed so that IdM can detect whether step 1 of the installation process was completed properly. The code that handles certificate data conversion has been fixed to reformat base-64 data for Privacy Enhanced Mail (PEM) output correctly.
Description
Marcel Kolaja
2016-02-16 09:41:41 UTC
Pushed to DOGTAG_10_2_5_RHEL_BRANCH:

commit afc2ffb30fb5446ff0e78bfc7a0ef05c8e7bcb67
Author: Endi S. Dewata <edewata>
Date: Thu Nov 12 00:23:26 2015 +0100

Added support for existing CA case.

The deployment procedure for external CA has been modified such that it generates the CA CSR before starting the server. This allows the same procedure to be used to import CA certificate from an existing server. It also removes the requirement to keep the server running while waiting to get the CSR signed by an external CA.

The pki ca-cert-request-submit command has been modified to provide options to specify the profile name and the CSR which will be used to create and populate the request object. This way it's no longer necessary to download the request template and insert the CSR manually.

A new pki-server subsystem-cert-export command has been added to export a system certificate, the CSR, and the key. This command can be used to migrate a system certificate into another instance.

The man pages have been updated to reflect these changes.

The installation code for external CA case has been fixed such that IPA can detect step 1 completion properly. The code that handles certificate data conversion has been fixed to reformat base-64 data for PEM output properly. The installation summary for step 1 has been updated to provide more accurate information.

https://fedorahosted.org/pki/ticket/456

--- Endi Sukma Dewata 2016-02-17 22:45:15 EST ---

Verification steps:

On host 1

1. Create DS instance

2. Create CA deployment config (ca.cfg):

```ini
[CA]
pki_admin_email=caadmin
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password=Secret123
pki_admin_uid=caadmin
pki_backup_keys=True
pki_backup_password=Secret123
pki_client_database_password=Secret123
pki_client_database_purge=False
pki_client_pkcs12_password=Secret123
pki_ds_base_dn=dc=ca,dc=example,dc=com
pki_ds_database=ca
pki_ds_password=Secret123
pki_security_domain_name=EXAMPLE
pki_token_password=Secret123
```

3. Install CA:

```sh
pkispawn -f ca.cfg -s CA
```

4. Export CA signing cert, key, and CSR:

```sh
pki-server subsystem-cert-export ca signing --csr-file ca_signing.csr --pkcs12-file ca.p12
```

5. Copy ca_signing.crt and ca_signing.csr to /tmp on host 2

6. Export NSS db password:

```sh
grep internal= /var/lib/pki/pki-tomcat/conf/password.conf | awk -F= '{print $2;}' > internal.txt
```

7. Note the key ID of the CA signing cert:

```sh
certutil -K -d /var/lib/pki/pki-tomcat/alias/ -f internal.txt
```

```
< 0> rsa      06b218333b1d518847bc6e16f584e3b91b1186b6   caSigningCert cert-pki-tomcat CA
```

On host 2

7.5. Create DS instance on host 2

8. Create CA deployment config for step 1 (ca-step1.cfg):

```ini
[CA]
pki_admin_email=caadmin
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password=Secret123
pki_admin_uid=caadmin
pki_backup_keys=True
pki_backup_password=Secret123
pki_client_database_password=Secret123
pki_client_database_purge=False
pki_client_pkcs12_password=Secret123
pki_ds_base_dn=dc=ca,dc=example,dc=com
pki_ds_database=ca
pki_ds_password=Secret123
pki_security_domain_name=EXAMPLE
pki_token_password=Secret123
pki_external=True
pki_external_step_two=False
```

9. Install CA step 1:

```sh
pkispawn -f ca-step1.cfg -s CA
```

10. Create CA deployment config for step 2 (ca-step2.cfg):

```ini
[CA]
pki_admin_email=caadmin
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password=Secret123
pki_admin_uid=caadmin
pki_backup_keys=True
pki_backup_password=Secret123
pki_client_database_password=Secret123
pki_client_database_purge=False
pki_client_pkcs12_password=Secret123
pki_ds_base_dn=dc=ca,dc=example,dc=com
pki_ds_database=ca
pki_ds_password=Secret123
pki_security_domain_name=EXAMPLE
pki_token_password=Secret123
pki_external=True
pki_external_step_two=True
pki_external_csr_path=/tmp/ca_signing.csr
pki_external_pkcs12_path=/tmp/ca.p12
pki_external_pkcs12_password=Secret123
```

11. Install CA step 2:

```sh
pkispawn -f ca-step2.cfg -s CA
```

12. Export NSS db password:

```sh
grep internal= /var/lib/pki/pki-tomcat/conf/password.conf | awk -F= '{print $2;}' > internal.txt
```

13. Verify that the key ID of the CA signing cert matches the one in step #7:

```sh
certutil -K -d /var/lib/pki/pki-tomcat/alias/ -f internal.txt
```

```
< 0> rsa      06b218333b1d518847bc6e16f584e3b91b1186b6   caSigningCert cert-pki-tomcat CA
```

Note that the key ID of the other certificates will not match.

Created attachment 1137484 [details]
pki-core-Use-correct-textual-encoding-for-PKCS-7-objects.patch

Comment on attachment 1137484 [details]
pki-core-Use-correct-textual-encoding-for-PKCS-7-objects.patch

Code looks good.

Applied patch and successfully installed CA which showed the appropriate changes.

Checked into 'DOGTAG_10_2_5_RHEL_BRANCH':

* cc65e92d87761bf28423718300e8ea53b30b63ba

Verified below mentioned scenarios:

Test case 1: ==> Works as mentioned in #comment4
Try same scenario that is mentioned in test case 1 "dev" notes.
a. Create a RootCA.
b. RSA key id matches and works as expected. Also, public cert pem format also matches for both keys.

localKeyID: 50 7E FA BE 61 C9 02 FB 02 28 48 76 E9 4C 2F A8 28 E0 E1 F7
localKeyID: 50 7E FA BE 61 C9 02 FB 02 28 48 76 E9 4C 2F A8 28 E0 E1 F7

localKeyID is equivalent to keyid in x509 format.

Test case 2: ==> Works as expected
Verified that after step1 CA server never starts. It always starts after step2.

Test case 3: ==> Works as expected
IPA server installation with external CA (single certificate chain).

Test case 4: ==> raised bug https://bugzilla.redhat.com/show_bug.cgi?id=1318903
IPA server installation with external CA (chain of CA certificate).

Test case 5: ==> works as expected
External CA configuration in rhel7.2 and rhcs.

Marking it Verified as per comment #21.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-1042.html
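The verification steps above compare the CA signing key ID reported by `certutil -K` on host 1 (step 7) and host 2 (step 13) by eye. The script below is an added example, not code from the bug report or from pki-core, that automates that comparison: it extracts the key ID for a nickname from captured `certutil -K` output on each host and succeeds only when both hosts hold the same key. The `certutil -K` output is constructed; the signing key ID is the one quoted in the steps, the OCSP key IDs are made up.

```sh
#!/bin/sh
# Added example (not from the bug report): automate the key ID comparison that
# verification steps 7 and 13 do by hand, i.e. confirm that the CA signing key on
# host 2 after step 2 is the same key that was exported from host 1.

# Constructed output of "certutil -K -d /var/lib/pki/pki-tomcat/alias/ -f internal.txt"
# for each host. The signing key ID is the one quoted in the steps; the OCSP lines
# stand in for the other certificates, whose key IDs are not expected to match.
HOST1_OUT='certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      06b218333b1d518847bc6e16f584e3b91b1186b6   caSigningCert cert-pki-tomcat CA
< 1> rsa      1111111111111111111111111111111111111111   ocspSigningCert cert-pki-tomcat CA'
HOST2_OUT='certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      2222222222222222222222222222222222222222   ocspSigningCert cert-pki-tomcat CA
< 1> rsa      06b218333b1d518847bc6e16f584e3b91b1186b6   caSigningCert cert-pki-tomcat CA'

CA_NICK='caSigningCert cert-pki-tomcat CA'

# key_id_for OUTPUT NICKNAME: print the key ID listed for NICKNAME, or nothing.
# A key line looks like "< 0> rsa <keyid> <nickname ...>": the slot index is
# dropped, field 1 is then the key type, field 2 the key ID, the rest the nickname.
key_id_for() {
    printf '%s\n' "$1" | awk -v nick="$2" '
        /^<[ 0-9]*>/ {
            sub(/^<[ 0-9]*>[ \t]+/, "")
            id = $2
            $1 = ""; $2 = ""
            sub(/^[ \t]+/, "")
            if ($0 == nick) { print id; exit }
        }'
}

# verify_signing_key_migrated SRC_OUT DST_OUT NICKNAME: succeed only when both
# hosts list NICKNAME and the key IDs are identical (same key, not just same name).
verify_signing_key_migrated() {
    src=$(key_id_for "$1" "$3")
    dst=$(key_id_for "$2" "$3")
    [ -n "$src" ] && [ "$src" = "$dst" ]
}

if verify_signing_key_migrated "$HOST1_OUT" "$HOST2_OUT" "$CA_NICK"; then
    echo "OK: CA signing key $(key_id_for "$HOST1_OUT" "$CA_NICK") is present on both hosts"
else
    echo "MISMATCH: CA signing key was not migrated into host 2"
fi
```

On real hosts, capture `certutil -K -d /var/lib/pki/pki-tomcat/alias/ -f internal.txt` into a variable on each side and pass those in place of the constructed strings.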