Bug 1359196

OK:

I got on roshni's machine to investigate.

I felt it most expedient to get the "cert file" method working:


The first couple of attempt failed even though we specified nicknames for the non ca signing subsystem certs. Doing so causes the installer to create and install those particular certs with the given nicknames.


It turned out that giving those certs new nicknames was not sufficient to avoid conflicts with other certs already installed by the original CA instance on the HSM.

For instance this cert from the original CA:

NHSM6000:ocspSigningCert cert-pki-ca-roshni-July22 CA

Has a given serial number and issuer.
The serial number will be a standard issue number for this particular subsystem cert for a stock new install of a CA. The issuer will of course be the existing CA's issuer.


When we come back and try to install the NEW CA on another machine (using the same hsm) and same ca signing cert as desired. (using the provided ca signing cert file), a problem arises.

The acknowledgment of the existing CA signing cert appears to work just fine and all is happy there.

Issues happen when the CA tries to create locally and install the other subsystem certs. The first problem cert is the ocsp signing cert which we have given a new nickname.

What happens is the token tries to install this cert but realized that the HSM already has a cert with the same nickname and issuer number , which is flagged as illegal by NSS. The cert in question is the ocspSigningCert we talked about above. The reason why the serial number is the same is because we are doing a stock install and the ocsp signing cert is likely to assign the same number as the previous CA. The issuer is the same due to obvious reasons because we are trying to use the existing CA cert in some sort of migration procedure.

The fix here is to provide in the new CA's pkispawn cfg file a couple of params that deal with the starting serial number and starting request number.
We need to make the values exceed the end value of what the old CA issued. If there is a range specified originally or if random serial numbers are requested in a range. This starting serial number must be greater than the end of any given range.

Provided below is a sample pkispawn cfg file that I used to get a new instance installing and running correctly:

The key values needed are as this ex:

pki_serial_number_range_start=10000
pki_request_number_range_start=11000


Config for the cert file method


[DEFAULT]
pki_instance_name=pki-ca-roshni-July22
pki_admin_password=xxxx
pki_client_pkcs12_password=xxxx
pki_ds_password=xxxx
pki_ds_ldap_port=389
pki_hsm_enable=True
pki_hsm_libfile=/opt/nfast/toolkits/pkcs11/libcknfast.so
pki_hsm_modulename=nfast
pki_token_name=NHSM6000
pki_token_password=xxxx

[CA]
pki_existing=True
pki_ca_signing_token=NHSM6000
pki_ca_signing_csr_path=ca_signing.csr
pki_ca_signing_cert_path=ca_signing.crt
pki_ocsp_signing_nickname=pki-ca-July23-roshni-ocspSigning-cert
pki_audit_signing_nickname=pki-ca-July23-roshni-auditSigning-cert
pki_ssl_server_nickname=pki-ca-July23-roshni-server-cert
pki_subsystem_nickname=pki-ca-July23-roshni-subsystem-cert

#Note we NEED these values to get the scenario to work properly
# Choose the actual numbers as needed, for this test I just made them
# arbitrarily big to make sure there are no problems.

pki_serial_number_range_start=10000
pki_request_number_range_start=11000


Roshni, I left up the vnc session we had with the instance running and set up for you to look at if needed.

Jack,

the above comments are not related to this bug. I am copying the above comments to https://bugzilla.redhat.com/show_bug.cgi?id=1358876

Upstream ticket:
https://fedorahosted.org/pki/ticket/2423

Cherry-picked in to DOGTAG_10_3_RHEL_BRANCH:

commit 40509684cb71d3863d150a2844e02a7b9321f5d8
Author: Endi S. Dewata <edewata>
Date:   Sun Aug 28 20:38:48 2016 +0200

    Fixed default token name for system certificates.
    
    Previously when installing with HSM the token name has to be
    specified for each system certificate in the pki_<cert>_token
    parameters. The deployment tool has been modified such that by
    default it will use the token name specified in pki_token_name.
    
    https://fedorahosted.org/pki/ticket/2423
    (cherry picked from commit 389420ad4ea9994fb54132454a14abbb83c2c35d)
    (cherry picked from commit f4f62162f16da41a74328889bf2e0d17c223d48d)

commit d5d19fc9b4d4d92c02fe2e75626f69c124ecd040
Author: Endi S. Dewata <edewata>
Date:   Sat Aug 27 00:07:08 2016 +0200

    Moved subsystem initialization after database initialization.
    
    Previously issues with system certificates that happen during
    subsystem initialization were reported as database initialization
    error. Database initialization actually does not depend on
    subsystem initialization, so to avoid confusion and to simplify the
    code the reInitSubsystem() in SystemConfigService is now invoked
    after the initializeDatabase() is complete.
    
    https://fedorahosted.org/pki/ticket/2423
    (cherry picked from commit 9f954fda5fdeda229662a466e645561639ac8402)
    (cherry picked from commit 465bf002c0671e7251738ce9a4e54bba9853780a)

[root@nocp4 ~]# rpm -qi pki-ca
Name        : pki-ca
Version     : 10.3.3
Release     : 10.el7
Architecture: noarch
Install Date: Fri 16 Sep 2016 10:16:26 AM EDT
Group       : System Environment/Daemons
Size        : 2431460
License     : GPLv2
Signature   : RSA/SHA256, Wed 14 Sep 2016 10:06:35 AM EDT, Key ID 938a80caf21541eb
Source RPM  : pki-core-10.3.3-10.el7.src.rpm
Build Date  : Sat 10 Sep 2016 02:18:45 AM EDT
Build Host  : ppc-042.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - Certificate Authority

Tested CA migration from CS 8.x to CS 9.1. pkispawn using the following config was successful

[root@nocp4 ~]# cat ca.cfg 
[DEFAULT]
pki_instance_name=pki-ca-rpattath-Sep21-2016-nocp4
pki_admin_password=Secret123
pki_client_pkcs12_password=Secret123
pki_ds_password=Secret123
pki_ds_ldap_port=389
pki_hsm_enable=True
pki_hsm_libfile=/opt/nfast/toolkits/pkcs11/libcknfast.so
pki_hsm_modulename=nfast
pki_token_name=NHSM6000-OCS
pki_token_password=redhat123

[CA]
pki_existing=True
pki_ca_signing_csr_path=ca_signing.csr
pki_ca_signing_cert_path=ca_signing.crt
pki_ca_signing_nickname=caSigningCert cert-pki-ca-rpattath-Sep20-2016-nocp1
pki_ds_base_dn=dc=nocp1.idm.lab.eng.rdu2.redhat.com-pki-ca-rpattath-Sep20-2016-nocp1
pki_ds_database=nocp1.idm.lab.eng.rdu2.redhat.com-pki-ca-rpattath-Sep20-2016-nocp1
pki_serial_number_range_start=20
pki_request_number_range_start=30
pki_master_crl_enable=False

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2396.html