Bug 1350983
| Summary: | Installation: subsystem certs could have notAfter beyond CA signing cert in case of external or existing CA | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Matthew Harmsen <mharmsen> | ||||
| Component: | pki-core | Assignee: | Christina Fu <cfu> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang> | ||||
| Severity: | unspecified | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 7.3 | CC: | cfu, gkapoor, nkinder | ||||
| Target Milestone: | rc | ||||||
| Target Release: | 7.3 | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | pki-core-10.3.3-3.el7 | Doc Type: | Bug Fix | ||||
| Doc Text: |
Cause:
the CAValidity constraint is not applied during installation. As a consequence, the subsystem certs created per .profile's could have notAfter beyond that of the CA signing cert imported during "external" or "existing" CA.
Consequence:
Fix:
This fix implements validity check on the notAfter value of the certInfo and adjusts it to that of the CA's notAfter if exceeding
Result:
subsystem certs can no longer exceed that of the CA signing cert's notAfter value, regardless of what the profiles dictates.
|
Story Points: | --- | ||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2016-11-04 05:25:35 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
|
Description
Matthew Harmsen
2016-06-28 23:20:39 UTC
pushed to master:
commit 659c90869a27871eda27fd730d00b0499873dae2
Author: Christina Fu <cfu>
Date: Tue Jun 28 18:00:03 2016 -0700
Ticket 2389 Installation: subsystem certs could have notAfter beyond CA signing cert in case of external or existing CA
This patch implements validity check on the notAfter value of the certInfo
and adjusts it to that of the CA's notAfter if exceeding
--------
When testing, make the subsystem certs' expiration exceed that of the external or existing CA's signing cert notAfter value.
Basically this is to test the existing/external CA scenario, with modification to the "range" values of the subsystem certs' .profile's so that the notAfter would exceed that of the CA's value.
For example,
I changed my the following param in my serverCert.profile:
2.default.params.range=7400
under Validity Default
That effectively causes the notAfter of my server cert to exceed CA signing cert's notAfter
You need to make the changes between installation and configuration
*** Bug 1356311 has been marked as a duplicate of this bug. *** Hello, I tried to perform testing for above mentioned use case.So based on my understanding below mentioned is the use case. Expected Result: ---------------- In CA's profile, We have a profile named caSubsystemCert. We should be able to generate certs with it using user defined validity period. Setup: ------ 1. Disable profile caSubsystemCert.cfg under /var/lib/pki/topology-02-CA/ca/profiles/ca using : pki -v -d /opt/rhqa_pki/certdb -c Secret123 -h pki1.example.com -p 20080 -n "PKI CA Administrator for Example.Org" ca-profile-disable caSubsystemCert 2. Edit profile in the runtime based on changes that are needed. pki -d /opt/rhqa_pki/certdb -c Secret123 -h pki1.example.com -p 20080 -n "PKI CA Administrator for Example.Org" ca-profile-edit caSubsystemCert Here i edit below mentioned attribute: policyset.serverCertSet.2.default.name=Validity Default policyset.serverCertSet.2.default.params.range=7200000 3. Enable the "caSubsystemCert" profile. pki -v -d /opt/rhqa_pki/certdb -c Secret123 -h pki1.example.com -p 20080 -n "PKI CA Administrator for Example.Org" ca-profile-enable caSubsystemCert 4. Submit the certificate request. pki -v -d /opt/rhqa_pki/certdb -c Secret123 -h pki1.example.com -p 20080 cert-request-submit --profile caSubsystemCert --csr-file /etc/pki/topology-02-KRA-alone/kra_subsystem.csr 5. This everytime gives me below mentioned exception. [root@pki1 test_dir]# pki -v -d /opt/rhqa_pki/certdb -c Secret123 -h pki1.example.com -p 20080 cert-request-submit --profile caSubsystemCert --csr-file /etc/pki/topology-02-KRA-alone/kra_subsystem.csr PKI options: -v -d /opt/rhqa_pki/certdb -c Secret123 PKI command: pki1.example.com -h pki1.example.com -p 20080 cert-request-submit --profile caSubsystemCert --csr-file /etc/pki/topology-02-KRA-alone/kra_subsystem.csr Java command: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -cp /usr/share/java/commons-cli.jar:/usr/share/java/commons-codec.jar:/usr/share/java/commons-httpclient.jar:/usr/share/java/commons-io.jar:/usr/share/java/commons-lang.jar:/usr/share/java/commons-logging.jar:/usr/share/java/httpcomponents/httpclient.jar:/usr/share/java/httpcomponents/httpcore.jar:/usr/share/java/jackson/jackson-core-asl.jar:/usr/share/java/jackson/jackson-jaxrs.jar:/usr/share/java/jackson/jackson-mapper-asl.jar:/usr/share/java/jackson/jackson-mrbean.jar:/usr/share/java/jackson/jackson-smile.jar:/usr/share/java/jackson/jackson-xc.jar:/usr/share/java/jaxb-api.jar:/usr/share/java/ldapjdk.jar:/usr/share/java/servlet.jar:/usr/share/java/resteasy-base/jaxrs-api.jar:/usr/share/java/resteasy-base/resteasy-atom-provider.jar:/usr/share/java/resteasy-base/resteasy-client.jar:/usr/share/java/resteasy-base/resteasy-jaxb-provider.jar:/usr/share/java/resteasy-base/resteasy-jaxrs.jar:/usr/share/java/resteasy-base/resteasy-jaxrs-jandex.jar:/usr/share/java/resteasy-base/resteasy-jackson-provider.jar:/usr/share/java/pki/pki-nsutil.jar:/usr/share/java/pki/pki-cmsutil.jar:/usr/share/java/pki/pki-certsrv.jar:/usr/share/java/pki/pki-tools.jar:/usr/lib64/java/jss4.jar:/usr/lib/java/jss4.jar -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI -d /opt/rhqa_pki/certdb -c Secret123 --verbose -h pki1.example.com -p 20080 cert-request-submit --profile caSubsystemCert --csr-file /etc/pki/topology-02-KRA-alone/kra_subsystem.csr Server URI: http://pki1.example.com:20080 Client security database: /opt/rhqa_pki/certdb Message format: null Command: cert-request-submit --profile caSubsystemCert --csr-file /etc/pki/topology-02-KRA-alone/kra_subsystem.csr Initializing client security database Logging into security token Module: cert Module: request-submit Retrieving caSubsystemCert profile. HTTP request: GET /ca/rest/certrequests/profiles/caSubsystemCert HTTP/1.1 Accept-Encoding: gzip, deflate Accept: application/xml Host: pki1.example.com:20080 Connection: Keep-Alive User-Agent: Apache-HttpClient/4.2.5 (java 1.5) HTTP response: HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Type: application/xml Content-Length: 1209 Date: Mon, 25 Jul 2016 07:24:34 GMT Request type: pkcs10 CSR: -----BEGIN CERTIFICATE REQUEST----- MIICjDCCAXQCAQAwRzElMCMGA1UECgwcdG9wb2xvZ3ktMDJfRm9vYmFybWFzdGVyLm9yZzEeMBwG A1UEAwwVU3Vic3lzdGVtIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC AQEA32hziGkGD+lgQqqkiHZjfGWtMwsNpRA8zbYbQE+v9m4IGIigFHP4yJwM1P6ozsBPMhRIjod5 BNm2g1uEEOfFUppUidXX6eNrZlT7+Wb6ftdECLfRlVvZbfakPU6raLNeD0oANxHxXpZfM+c7/Mfh s6RorETx9KKm4D4GtY6v718M6vN1E6UsTfx5++R6QK/zcbTHScg5uvQJ8Dv9E481mfwB0O1m81Ft RZT5enKDEn4Y3aHXwKCIWfJdOuet97aWkBOWcB0W1E2VDzGMstijtLgl128glyCgg7G9SRe/TEQQ tDi0OdHTfZHd8LEn9NLyha6gETB/BwqJpjrM0lBcWwIDAQABoAAwDQYJKoZIhvcNAQELBQADggEB AM7+s10H68xWv6GnKbr2czF/KEUUNh/S58/axnUdZ/hgawghO2O7BCkZAPNG42isT2eqinq6sUoa NeebGMPEcvnPlJk8l1k/7vtY9f6hOb6w6bUASbC5hxaA3MS0ffey0y1kw70u+iFTBarU7AEyRQCz ZPAEOeoAC+1Vqc3yxNK4LooSr5NW5r9oFTO+Vuz/B/Bn+r70hcRMbM4ZYiqAgLEqv+TPorYA5nP8 K0zXsnVMWq0+Fdxj6mHaE1rPqVVvDpjEMYHkesm/DrXV6T5xQjSCsV7sUJD4gJkx54Bp4fvtfJuC 3LDc3+5CSv9l1Aj8K7eLzTgsdNhBlB3zuWtd9NU= -----END CERTIFICATE REQUEST----- HTTP request: POST /ca/rest/certrequests HTTP/1.1 Content-Type: application/xml Accept-Encoding: gzip, deflate Accept: application/xml Content-Length: 2172 Host: pki1.example.com:20080 Connection: Keep-Alive User-Agent: Apache-HttpClient/4.2.5 (java 1.5) HTTP response: HTTP/1.1 500 Internal Server Error Server: Apache-Coyote/1.1 Content-Type: application/xml Content-Length: 213 Date: Mon, 25 Jul 2016 07:24:34 GMT Connection: close com.netscape.certsrv.base.PKIException: extensions not found at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at com.netscape.certsrv.client.PKIConnection.handleErrorResponse(PKIConnection.java:450) at com.netscape.certsrv.client.PKIConnection.getEntity(PKIConnection.java:418) at com.netscape.certsrv.client.PKIClient.getEntity(PKIClient.java:113) at com.netscape.certsrv.cert.CertClient.enrollRequest(CertClient.java:102) at com.netscape.cmstools.cert.CertRequestSubmitCLI.execute(CertRequestSubmitCLI.java:249) at com.netscape.cmstools.cli.CLI.execute(CLI.java:337) at com.netscape.cmstools.cert.CertCLI.execute(CertCLI.java:91) at com.netscape.cmstools.cli.ProxyCLI.execute(ProxyCLI.java:119) at com.netscape.cmstools.cli.CLI.execute(CLI.java:337) at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:562) at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:574) 6. Then i take a look at the certificate.It is without extensions.So i actually disable extensions in caSubsystemCert profile.I set all critial parameters ( for extensions like keyusage) to false.Also i did changes in policyset.serverCertSet.list=1,2,3,4 But still i am seeing extensions error. As stated in comment #1, this is a test for "Existing or External CA" during "Installation." Please find and follow the right instruction to test such installation case, maybe this? http://pki.fedoraproject.org/wiki/Installing_CA_with_Existing_CA_Certificate_using_NSS_Database and make sure (before running pkispawn the 2nd time to configure) you follow what stated in Comment #1 to modify the <instance>/ca/conf/subsystemCert.profile so that the params.range of the Validity Default exceeds that of the CA's. And watch (and expect) the installation to fail on it. Since your test procedure is invalid, I'm changing this bug to "POST" again. Let me know if there is any more issue. (In reply to Christina Fu from comment #5) > As stated in comment #1, this is a test for "Existing or External CA" during > "Installation." > Please find and follow the right instruction to test such installation case, > maybe this? > http://pki.fedoraproject.org/wiki/ > Installing_CA_with_Existing_CA_Certificate_using_NSS_Database > > and make sure (before running pkispawn the 2nd time to configure) you follow > what stated in Comment #1 to modify the > <instance>/ca/conf/subsystemCert.profile > so that the params.range of the Validity Default > exceeds that of the CA's. > And watch (and expect) the installation to fail on it. correction: What's expected is that it will NOT follow the range specification of the exceeding subsystem cert profile, but rather limit it to that of the CA's. So, expect the subsystem cert having the same expiration date as that of the CA. > > Since your test procedure is invalid, I'm changing this bug to "POST" again. > Let me know if there is any more issue. Hello, Sure I'll follow the procedure that you have mentioned above.Thanks for reply. I have one question here. If i have an existing setup and i tried to edit profile caSubsystemCert and i disable all the extensions so now while doing a certificate request submit should it be asking to provide extensions? I have set all extensions like keyusage to false still it checks for extensions.So I am not sure about how it should behave. Thanks Geetika (In reply to Geetika Kapoor from comment #7) > Hello, > > Sure I'll follow the procedure that you have mentioned above.Thanks for > reply. > I have one question here. If i have an existing setup and i tried to edit > profile caSubsystemCert and i disable all the extensions so now while doing > a certificate request submit should it be asking to provide extensions? I > have set all extensions like keyusage to false still it checks for > extensions.So I am not sure about how it should behave. > > Thanks > Geetika That is not a useful test case, and has nothing to do with this bug. Admins should have no reason to do that. Hello Christina,
Below are the 3 test cases i performed.I am not sure if this is expected behavior so just to get a better idea here I am putting it to you.Thanks in advance for help.Below are the test scenario's::
Test Case 1: Create a new CA instance where we are doing changes in default
============ profile file /usr/share/pki/ca/conf/subsystemCert.profile
Setup :
------
1. Change "2.default.params.range=720" to "2.default.params.range=7200000" in /usr/share/pki/ca/conf/subsystemCert.profile
Result:
------
1. Installation was successful.Port is in-use.
2. Debug logs shows::
<debug logs>
[19/Aug/2016:02:57:46][localhost-startStop-1]: CertUtils: verifySystemCertByTag(sslserver)
[19/Aug/2016:02:57:46][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(Server-Cert cert-pki-tomcat, SSLServer)
[19/Aug/2016:02:57:46][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(): calling verifyCertificate(Server-Cert cert-pki-tomcat, true, SSLServer)
[19/Aug/2016:02:57:46][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() failed: java.lang.Exception: Certificate Server-Cert cert-pki-tomcat is invalid: Invalid certificate: (-8179) Peer's Certificate issuer is not recognized.
[19/Aug/2016:02:57:46][localhost-startStop-1]: CertUtils: verifySystemCertsByTag() failed: java.lang.Exception: Certificate Server-Cert cert-pki-tomcat is invalid: Invalid certificate: (-8179) Peer's Certificate issuer is not recognized.
[19/Aug/2016:02:57:46][localhost-startStop-1]: SignedAuditEventFactory: create() message created for eventType=CIMC_CERT_VERIFICATION
[19/Aug/2016:02:57:46][localhost-startStop-1]: SignedAuditEventFactory: create() message created for eventType=CIMC_CERT_VERIFICATION
java.lang.Exception: Certificate Server-Cert cert-pki-tomcat is invalid: Invalid certificate: (-8179) Peer's Certificate issuer is not recognized.
at com.netscape.cmscore.cert.CertUtils.verifySystemCertByNickname(CertUtils.java:844)
at com.netscape.cmscore.cert.CertUtils.verifySystemCertByTag(CertUtils.java:936)
at com.netscape.cmscore.cert.CertUtils.verifySystemCerts(CertUtils.java:1053)
at com.netscape.cmscore.apps.CMSEngine.verifySystemCerts(CMSEngine.java:1803)
at com.netscape.certsrv.apps.CMS.verifySystemCerts(CMS.java:1402)
at com.netscape.cms.selftests.common.SystemCertsVerification.runSelfTest(SystemCertsVerification.java:193)
Caused by: java.security.cert.CertificateException: Invalid certificate: (-8179) Peer's Certificate issuer is not recognized.
at org.mozilla.jss.CryptoManager.verifyCertificateNowNative(Native Method)
at org.mozilla.jss.CryptoManager.verifyCertificate(CryptoManager.java:1554)
at com.netscape.cmscore.cert.CertUtils.verifySystemCertByNickname(CertUtils.java:842)
... 44 more
</debug logs>
Test Case 2: Create a external CA like mentioned in
============ http://pki.fedoraproject.org/wiki/Installing_CA_with_Existing_CA_Certificate_using_NSS_Database#Exporting_from_Existing_CA_Instance (Installing New CA Instance (Step 1) )
Setup:
======
1. I created my csr request.
2. I get it signed by some other CA.
3. I did changes in /etc/pki/TestBZ/ca/subsystemCert.profile and i could see in step2 it failed with :
pkispawn : INFO ....... importing caSigningCert cert-TestBZ CA from cert_new
pkispawn : INFO ....... importing certificate chain caSigningCert External CA from chain_new
pkispawn : INFO ....... validating the signing certificate
pkispawn : ERROR ....... pki-server subsystem-cert-validate return code: 1
pkispawn : ERROR ....... Cert ID: signing
Nickname: caSigningCert cert-TestBZ CA
Usage: SSLCA
Token: Internal Key Storage Token
Status: INVALID
-----------------
Validation failed
-----------------
pkispawn : DEBUG ....... Error Type: CalledProcessError
pkispawn : DEBUG ....... Error Message: Command '['pki-server', 'subsystem-cert-validate', '-i', 'TestBZ', 'ca', 'signing']' returned non-zero exit status 1
pkispawn : DEBUG ....... File "/usr/sbin/pkispawn", line 528, in main
scriptlet.spawn(deployer)
File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 283, in spawn
verifier.verify_certificate('signing')
File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 4646, in verify_certificate
stderr=subprocess.STDOUT)
File "/usr/lib64/python2.7/subprocess.py", line 575, in check_output
raise CalledProcessError(retcode, cmd, output=output)
Installation failed: Command '['pki-server', 'subsystem-cert-validate', '-i', 'TestBZ', 'ca', 'signing']' returned non-zero exit status 1
Test Case 3: No changes done in any profile and we try to stepup externalCA
============ using 2 step installation.
Setup:
======
1. I created my csr request.
2. I get it signed by some other CA.
3. No changes done in any profile.Still i see same subsystem cert validation failure.I am not sure why it happens
pkispawn : INFO ....... importing caSigningCert cert-TestBZ CA from cert_new
pkispawn : INFO ....... importing certificate chain caSigningCert External CA from chain_new
pkispawn : INFO ....... validating the signing certificate
pkispawn : ERROR ....... pki-server subsystem-cert-validate return code: 1
pkispawn : ERROR ....... Cert ID: signing
Nickname: caSigningCert cert-TestBZ CA
Usage: SSLCA
Token: Internal Key Storage Token
Status: INVALID
-----------------
Validation failed
-----------------
pkispawn : DEBUG ....... Error Type: CalledProcessError
pkispawn : DEBUG ....... Error Message: Command '['pki-server', 'subsystem-cert-validate', '-i', 'TestBZ', 'ca', 'signing']' returned non-zero exit status 1
pkispawn : DEBUG ....... File "/usr/sbin/pkispawn", line 528, in main
scriptlet.spawn(deployer)
File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 283, in spawn
verifier.verify_certificate('signing')
File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 4646, in verify_certificate
stderr=subprocess.STDOUT)
File "/usr/lib64/python2.7/subprocess.py", line 575, in check_output
raise CalledProcessError(retcode, cmd, output=output)
Installation failed: Command '['pki-server', 'subsystem-cert-validate', '-i', 'TestBZ', 'ca', 'signing']' returned non-zero exit status 1
After installation, you do customization in the instance directory, not the global one. Here is a link that explains it: http://pki.fedoraproject.org/wiki/Custom_Installation concept is two steps 1. installation 1.5 customization (this is where you make changes into the instance directory) 2. configuration also, please verify with Asha, I think the procedure is to make sure your steps are correct, and you are absolutely sure that it failed the test before you mark it failed QE. Not when you are still asking questions for clarification of steps. Thanks. Because this was a procedural change, and did not require any code changes or new builds, moving status to MODIFIED so that it can be placed back ON_QA. Build::10.3.3-5.el7 New CA installation: Setup:: ===== 1. Refer http://pki.fedoraproject.org/wiki/Custom_Installation. 2. Use config file in 2 step.Config file is attached in BZ that has been used for testing. a. Configuration b. installation 3. Make changes in susbsystem.profile after configuration and then run installation. 4. Verify the certificate of subsystem. Result: ======= After test: --------- Certificate: Data: Version: v3 Serial Number: 0x60000003 Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11 Issuer: CN=CA Signing Certificate,O=topology-02_Foobarmaster.org Validity: Not Before: Friday, September 2, 2016 1:28:33 PM EDT America/New_York Not After: Tuesday, September 2, 2036 1:28:32 PM EDT America/New_York- Subject: CN=Subsystem Certificate,O=topology-02_Foobarmaster.org Certificate: Data: Version: v3 Serial Number: 0x60000001 Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11 Issuer: CN=CA Signing Certificate,O=topology-02_Foobarmaster.org Validity: Not Before: Friday, September 2, 2016 1:28:32 PM EDT America/New_York Not After: Thursday, August 23, 2018 1:28:32 PM EDT America/New_York Subject: CN=CA OCSP Signing Certificate,O=topology-02_Foobarmaster.org Certificate: Data: Version: v3 Serial Number: 0x60000005 Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11 Issuer: CN=CA Signing Certificate,O=topology-02_Foobarmaster.org Validity: Not Before: Friday, September 2, 2016 1:28:34 PM EDT America/New_York Not After: Thursday, August 23, 2018 1:28:34 PM EDT America/New_York Subject: CN=PKI Administrator,E=caadmin,O=topology-02_Foobarmaster.org Subject Public Key Info: Algorithm: RSA - 1.2.840.113549.1.1.1 [root@pki1 test_dir]# pki-server subsystem-cert-validate -i topology-02-CA-BZ ca Cert ID: signing Nickname: caSigningCert cert-topology-02-CA-BZ CA Usage: SSLCA Token: Internal Key Storage Token Status: VALID Cert ID: ocsp_signing Nickname: ocspSigningCert cert-topology-02-CA-BZ CA Usage: StatusResponder Token: Internal Key Storage Token Status: VALID Cert ID: sslserver Nickname: Server-Cert cert-topology-02-CA-BZ Usage: SSLServer Token: Internal Key Storage Token Status: VALID Cert ID: subsystem Nickname: subsystemCert cert-topology-02-CA-BZ Usage: SSLClient Token: Internal Key Storage Token Status: VALID Cert ID: audit_signing Nickname: auditSigningCert cert-topology-02-CA-BZ CA Usage: ObjectSigner Token: Internal Key Storage Token Status: VALID -------------------- Validation succeeded -------------------- =================================================================================================== External CA: ------------ Setup:: ===== 1. Refer http://pki.fedoraproject.org/wiki/Installing_CA_with_Externaly-Signed_CA_Certificate 2. Use config file as attached in BZ.Run step1. 3. Make changes in susbsystem.profile after step1 and then run step2. 4. Verify the certificate of subsystem. Test Case 1:(subsystem validity > CA validity) Result :: it will take max validity as CA signing validity Test Case 2: if subsytem time is less than CA extended time then:(subsystem validity < CA validity) Result :: it will take max validity as mentioned in subsystem.profile Certificate: Data: Version: v3 Serial Number: 0x60000002 Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11 Issuer: CN=CA Signing Certificate,O=example.com Security Domain Validity: Not Before: Friday, September 2, 2016 3:00:17 PM EDT America/New_York Not After: Friday, December 2, 2016 1:59:10 PM EST America/New_York Subject: CN=Subsystem Certificate,O=example.com Security Domain Subject Public Key Info: Algorithm: RSA - 1.2.840.113549.1.1.1 Certificate: Data: Version: v3 Serial Number: 0x60000004 Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11 Issuer: CN=CA Signing Certificate,O=example.com Security Domain Validity: Not Before: Friday, September 2, 2016 3:00:17 PM EDT America/New_York Not After: Friday, December 2, 2016 1:59:10 PM EST America/New_York Subject: CN=PKI Administrator,E=caadmin,O=example.com Security Domain (subsystem validity > CA validity) Result :: it will take max validity as CA signing validity Certificate: Data: Version: 3 (0x2) Serial Number: 1610612738 (0x60000002) Signature Algorithm: sha256WithRSAEncryption Issuer: commonName = CA Signing Certificate organizationName = example.com Security Domain Validity Not Before: Sep 2 19:39:45 2016 GMT Not After : May 2 19:39:00 2193 GMT Subject: commonName = Subsystem Certificate organizationName = example.com Security Domain Subject Public Key Info: Public Key Algorithm: rsaEncryption if subsytem time is less than CA extended time then:(subsystem validity < CA validity) Result :: it will take max validity as mentioned in subsystem.profile Certificate: Data: Version: 3 (0x2) Serial Number: 1610612738 (0x60000002) Signature Algorithm: sha256WithRSAEncryption Issuer: commonName = CA Signing Certificate organizationName = example.com Security Domain Validity Not Before: Sep 2 19:43:01 2016 GMT Not After : Nov 13 20:43:01 2016 GMT Subject: commonName = Subsystem Certificate organizationName = example.com Security Domain Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:af:ec:88:98:8b:8d:fe:d5:43:ba:31:72:e6:a3: Created attachment 1193164 [details]
Config_files
This has configuration files and steps to test this BZ
Additional Tests:
Test steps for extrenal CA::
1. pkispawn -f step1.cfg -s CA -vvv
2. rm -rf nssdb if already exists.
3. ./nssdb_script
4. Make changes in subsystem.profile.
5. pkisawn -f step2.cfg -s CA -vvv
Test Case 1: Empty value of range in subsystem.profile
Installation failed:
com.netscape.certsrv.base.PKIException: Error in setting certificate names and key sizes: java.io.IOException: Unable to create local certificate: java.lang.NumberFormatException: For input string: ""
Test Case 2: Invalid interger range provided.
Installation failed:
com.netscape.certsrv.base.PKIException: Error in setting certificate names and key sizes: java.io.IOException: Unable to create local certificate: java.lang.NumberFormatException: For input string: "78095689999999999999"
Test Case 3: "0" is added as range for validity
commonName = CA Signing Certificate
organizationName = example.com Security Domain
Validity
Not Before: Sep 2 20:06:26 2016 GMT
Not After : Sep 2 20:06:26 2016 GMT
Subject:
commonName = Subsystem Certificate
organizationName = example.com Security Domain
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2396.html |