Bug 1364867
| Summary: | Lightweight CA GET {id}/chain returns bogus PEM data | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Fraser Tweedale <ftweedal> | ||||||||
| Component: | pki-core | Assignee: | RHCS Maintainers <rhcs-maint> | ||||||||
| Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang> | ||||||||
| Severity: | high | Docs Contact: | |||||||||
| Priority: | unspecified | ||||||||||
| Version: | 7.3 | CC: | ftweedal, gkapoor, mharmsen | ||||||||
| Target Milestone: | rc | ||||||||||
| Target Release: | --- | ||||||||||
| Hardware: | Unspecified | ||||||||||
| OS: | Unspecified | ||||||||||
| Whiteboard: | |||||||||||
| Fixed In Version: | pki-core-10.3.3-5.el7 | Doc Type: | If docs needed, set a value | ||||||||
| Doc Text: | Story Points: | --- | |||||||||
| Clone Of: | Environment: | ||||||||||
| Last Closed: | 2016-11-04 05:26:58 UTC | Type: | Bug | ||||||||
| Regression: | --- | Mount Type: | --- | ||||||||
| Documentation: | --- | CRM: | |||||||||
| Verified Versions: | Category: | --- | |||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||
| Embargoed: | |||||||||||
| Attachments: |
|
||||||||||
|
Description
Fraser Tweedale
2016-08-08 04:50:21 UTC
Fix has been committed to upstream master branch. Hi Fraser, How i can setup lightweight CA.I think if a CA is lightweight it should have isHostAuthority="true"??? Thanks Geetika Hi Geetika,
The "host authority" is the "main CA" i.e. the CA that gets set up when
you spawn a CA instance. Only this CA will have "isHostAuthority: true";
all lightweight CAs will have "false".
Actually, to verify this ticket you don't need to create a lightweight
CA at all. Querying the host authority will suffice.
curl --silent --header "Accept: application/x-pem-file" \
https://$(hostname):8443/ca/rest/authorities/<authority-uuid>/chain \
| openssl pkcs7 -text
If openssl parses the returned data successfully and returns exit code 0,
the fix is verified.
Hi Fraser, I tried opening "https://nocp30.idm.lab.eng.rdu2.redhat.com:30142/ca/rest/authorities" I see below mentioned data : ========================================================================== <collection><authority isHostAuthority="false" id="5bdfcd18-d4a3-47be-a99f-cd0891859713" issuerDN="CN=External CA,O=EXTERNAL" serial="8704" dn="CN=CA Signing Certificate,O=EXAMPLE" enabled="true" description="Host authority" ready="false"/></collection> ========================================================================= -- since isHostAuthority="false" , i think it can be considered as lightweight CA . Later i use command as mentioned above , it doesn't give any data . curl --silent --header "Accept: application/x-pem-file" https://nocp30.idm.lab.eng.rdu2.redhat.com:30142/ca/rest/authorities/5bdfcd18-d4a3-47be-a99f-cd0891859713/chain | openssl pkcs7 -text unable to load PKCS7 object 140575464462240:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: PKCS7 Thanks Geetika Geetika, can you please send me the `/var/log/pki/<instance>/ca/debug`
log file, and advise what is the contents of the `ou=authorities,ou=ca,{basedn}`
LDAP subtree?
In the meantime, you may be able to verify the issue if you deploy it
as part of IPA, because IPA sets everything up properly for lightweight CAs.
But certainly I need to understand exactly what is going on in your
scenario. (It might be "normal", just surprising, but I need logs and
LDAP data to confirm).
Thanks!
Created attachment 1202738 [details]
ldap_data
Created attachment 1202739 [details]
debug
Sure Fraser all the needed information is attached. The installation is using HSM. Please try and verify on a non-HSM Dogtag installation (we don't support lightweight CAs on HSM). This is not working with external CA (HSM as well as non HSM). Marking this bug as assigned. Two new bugs created for problems encountered during verification: - two-step externally-signed CA installation fails due to missing AuthorityID https://bugzilla.redhat.com/show_bug.cgi?id=1378275 - Spurious host authority entries created https://bugzilla.redhat.com/show_bug.cgi?id=1378277 As for this issue, I think even with externally-signed CA (but NOT HSM-based) you should still be able to verify it with the following command: # curl --insecure --silent \ --header 'Accept: application/x-pem-file' \ https://$(hostname):8443/ca/rest/authorities/<authority-id>/chain \ | openssl pkcs7 -noout # echo $? 0 As before, find the <authority-id> If the pipeline runs successfully, it is verified (the response is a valid PEM-encoded PKCS #7 object) If it does not run successfully, please include the debug log file and the verbose Curl output: curl -v --insecure --silent \ --header 'Accept: application/x-pem-file' \ https://$(hostname):8443/ca/rest/authorities/<authority-id>/chain (In reply to Fraser Tweedale from comment #13) > Two new bugs created for problems encountered during verification: > > - two-step externally-signed CA installation fails due to missing AuthorityID > https://bugzilla.redhat.com/show_bug.cgi?id=1378275 > - Spurious host authority entries created > https://bugzilla.redhat.com/show_bug.cgi?id=1378277 > Both of these bugs have been marked as potential ZStream candidates. > As for this issue, I think even with externally-signed CA (but NOT > HSM-based) you should still be able to verify it with the following > command: > > # curl --insecure --silent \ > --header 'Accept: application/x-pem-file' \ > https://$(hostname):8443/ca/rest/authorities/<authority-id>/chain \ > | openssl pkcs7 -noout > # echo $? > 0 > > As before, find the <authority-id> > If the pipeline runs successfully, it is verified (the response is a > valid PEM-encoded PKCS #7 object) > > If it does not run successfully, please include the debug log file and > the verbose Curl output: > > curl -v --insecure --silent \ > --header 'Accept: application/x-pem-file' \ > https://$(hostname):8443/ca/rest/authorities/<authority-id>/chain Resetting Bug back to ON_QA. above never worked with ExternalCA with/without HSM non-hsm: curl --silent --header "Accept: application/x-pem-file" https://pki1.example.com:30142/ca/rest/authorities/7e2db366-2b72-4694-b345-d0da6a634b9f/chain | openssl pkcs7 -text unable to load PKCS7 object 140143631599520:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: PKCS7 Debugs : logs are attached Created attachment 1203868 [details]
non-hsm-debug
curl --silent -k --header "Accept: application/x-pem-file" https://pki1.example.com:30142/ca/rest/authorities/7e2db366-2b72-4694-b345-d0da6a634b9f/chain | openssl pkcs7 -text -----BEGIN PKCS7----- MIIJbAYJKoZIhvcNAQcCoIIJXTCCCVkCAQExADAPBgkqhkiG9w0BBwGgAgQAoIIJ PTCCA/0wggHloAMCAQICAhAAMA0GCSqGSIb3DQEBCwUAMCkxETAPBgNVBAoMCEVY VEVSTkFMMRQwEgYDVQQDDAtFeHRlcm5hbCBDQTAeFw0xNjA5MTUwNjE3MjVaFw0x NzA5MjUwNjE3MjVaMDMxEDAOBgNVBAoTB0VYQU1QTEUxHzAdBgNVBAMTFkNBIFNp Z25pbmcgQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB AQCrxtaUa4mHOch3qVsC/a2f32TmC27yxKUKtiIzRGpRnwQZAvRf/iNdzL5IUZli u/Ss63nEV8agZAJxwR399APw4eu8RuecXMMnYYaNslqM07sJB3ORX3ycl2N24xqX 3LjA+w6qbzs8oYeeIry0Nq5obovwDkmdQr+HPfJSSUjul6LY7oveuzfL7xjsWbP4 W1gYvsY6c06lnPAIhCmwZGx+I2o+Xt1wJJawxk2gq/gzJS5nb8qmAIXYmQK0Dg4I +6oIez+zQGfaY7hXhaKubE8OvoqiVJQYjOqYN7nmv77rba/1pchh9t1kpiIo0Fr0 mophkD4vPWuJsVobaXIeQI8rAgMBAAGjJTAjMA4GA1UdDwEB/wQEAwIBhjARBglg hkgBhvhCAQEEBAMCAjQwDQYJKoZIhvcNAQELBQADggIBAJGW4Afh7hqtncNmZ8OP qSw8nDHQRg2i4zRfsb//61/L5nTCKRYckES8WpJEvq7uKwvxdaLx6fjRSBk2maQQ D/tkukFXpViZBZNcaRVws1jvDU9JCD4BeLbJCGzSTgnoOY3fX2gz3E7k541HMPZe pgtx21MVqhX8lwTBk8Mg3+9mikCoUtR9xxpLifMykAS4yGM0q+Zgn9HGgQ7QUc4+ yQqDD3PoKslLeQ1/n0wi91INobBQiD9ks2MGIRtz4dkhzWtiOBHLdGW2WocQxMbM iJnI++W/ONTVTXr/S5tdBVIGj7gIRmxHly7Jq7iM0sURuBuQQn2R/mq3iFxJKjCK 455Znv8A+XDbw+bHjO508NvhalJD4seOEBBuwc221rNdD9ceqHs8vbEng/SizQ0O DZBYNT2prxporf96O+dpsJIz9FFCEP44xhUize1IG6BeStJN/RSXMW04eTDldLdV L/fr24FPhpaFjlnDVh+TmmGZhp6bQHRIGKI35xE7we+OvwlFv6RXfl+jPy+9AURM nTVbH0i8gy60VMuXIUb9hAv+iTLL++emusvmtOqoWmdnkuoB4vjeKQyOi48C1o1D TtPDui6CnePAowECY4NZT/6mmndN2SjpISnU/KLhxwN7HIlh36axZNL/UddebEao FDwSVz6eVxOk8754MNswVRIIMIIFODCCAyCgAwIBAgIJALs8aVwiXfLWMA0GCSqG SIb3DQEBCwUAMCkxETAPBgNVBAoMCEVYVEVSTkFMMRQwEgYDVQQDDAtFeHRlcm5h bCBDQTAeFw0xNjA5MTUwNjE3MDVaFw0zNjA5MTAwNjE3MDVaMCkxETAPBgNVBAoM CEVYVEVSTkFMMRQwEgYDVQQDDAtFeHRlcm5hbCBDQTCCAiIwDQYJKoZIhvcNAQEB BQADggIPADCCAgoCggIBAMeMxWVPN7wpMeyXAR0arPoMt7MWM7VDIm2CImYqZWXK sRSvJtw3j63M4EO9dQhdWsl1rqNzPJtXH0oZyR07M28Z1F9RDA2Bk51P7qqwOS07 0Vud0BQHv+20WbcUoQWMdlzC+ILZd053HVpR5RHgQt2H8/gByMwIo+UY1GxNTYq1 j6N6h51shwOQdidv/rmHiq8yC4wuXkkOQQHGuBu4/ldwkBrZV3Ipd1fziX29CKZG zlYUf2J9gnDkeLqJZm2hHsubI74EyZSL1zGKLngesTEVFVVQ93AaFKSgvml8FW19 KLXoD/PmHKq4QvNXWK14aV085ATzL/w0ooR5E73PPCyU+XKZoJeoyFbWZNJKSYD9 hXE9gXjM5fGhHlCQN/WoaUUCf6+PIbIziGztzmqXGns3vjTVIQPf8efWI/0Z21iC tkqd1+O92xMvONHY34UUOSvOsRKY4Nhxz/N3M2kKaYvFGwH0svoP3EV5BzlrzuZD oVGkmiWEwBZ3DI0VBY2rF5gsWGheHRbvJ8kS8ycEOS6VyUU0xcnobFjCB5BGh22B 5cYyMrOjjBCTwUnnZj9OUE0ZCQeT8sS17kysdXt1kDkEfvjXIGC7OQ8ufMJnkpNg x1SPaYxWeucNfu3ODsQyhw19v5TThpKEw+SJn5rJH0Uu9BLL8BAY0rGg72+MVdVH AgMBAAGjYzBhMB0GA1UdDgQWBBRhLHfDH7ILVRq1G+apI88DPALDpTAfBgNVHSME GDAWgBRhLHfDH7ILVRq1G+apI88DPALDpTAPBgNVHRMBAf8EBTADAQH/MA4GA1Ud DwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOCAgEAubSSJDg8/4kx23Z92pkpf5QI qz2APDn99rc1evyS7MEjEZ6ShrLp2cy5Fx6KmuLnFm91NKwWoOO6Zvw+qGzsqU4+ JALsYqW/80LEPpUHbYXOy8XY3Ed97HuRcWLt9B8XqVAQ9ZHQ+S5Ksy7xCzqYvxX8 GwbroyXAWR8Jfl1t9NGpwDkjQ4Klh1k+J0ylosYRD0Z8rOiCjQquGiMQWTI6G0co /JKSMA0amrcvCeQBEP/0kEsrd3K1UUffo6qgaZ4jxGqpQwPRT4QrxBP2dGi3RhBT TTAfr6l5PprtjYcBk8fx84YrbaKnWH29bPST4Bw7UrGMUqB3ISt+H9IYj0CB355C dDuPrJl9IqeNepoTp4ngBmSqXXIP0hQSQZT3gqhgjkBtwytZEVP6PoEdRGZzc1xX d+w9C1v3Ea9qr7G0KdeVIy+3sRBS+WrJjU4e1NvTqCgmFzjisVff+LSCcQm/pq+u I77EyORZYhwKbAq6rj5i7tRvuFIehEeQmHBHTcQRhyDxYyeENz8ch1fT0LBO2h5Q jvxV2UVJklHUjY3mMwRWHzOKaiR3HLrBiiyP3es+cNd13C5KhFmSLusefZrDRQGt jOV0eXYLxM9f8ZW6HgXe+P5Ku82e7xvOrKCR8QB1tlfv2NJp3TB6oFIgLnoL3Q9H w0ISzcvsFVH7h5Eex1IxAA== -----END PKCS7----- Decoded certificate :: PKCS#7 Detailed Information Certificate: Data: Version: 3 (0x2) Serial Number: 4096 (0x1000) Signature Algorithm: sha256WithRSAEncryption Issuer: O=EXTERNAL, CN=External CA Validity Not Before: Sep 15 06:17:25 2016 GMT Not After : Sep 25 06:17:25 2017 GMT Subject: O=EXAMPLE, CN=CA Signing Certificate Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:ab:c6:d6:94:6b:89:87:39:c8:77:a9:5b:02:fd: ad:9f:df:64:e6:0b:6e:f2:c4:a5:0a:b6:22:33:44: 6a:51:9f:04:19:02:f4:5f:fe:23:5d:cc:be:48:51: 99:62:bb:f4:ac:eb:79:c4:57:c6:a0:64:02:71:c1: 1d:fd:f4:03:f0:e1:eb:bc:46:e7:9c:5c:c3:27:61: 86:8d:b2:5a:8c:d3:bb:09:07:73:91:5f:7c:9c:97: 63:76:e3:1a:97:dc:b8:c0:fb:0e:aa:6f:3b:3c:a1: 87:9e:22:bc:b4:36:ae:68:6e:8b:f0:0e:49:9d:42: bf:87:3d:f2:52:49:48:ee:97:a2:d8:ee:8b:de:bb: 37:cb:ef:18:ec:59:b3:f8:5b:58:18:be:c6:3a:73: 4e:a5:9c:f0:08:84:29:b0:64:6c:7e:23:6a:3e:5e: dd:70:24:96:b0:c6:4d:a0:ab:f8:33:25:2e:67:6f: ca:a6:00:85:d8:99:02:b4:0e:0e:08:fb:aa:08:7b: 3f:b3:40:67:da:63:b8:57:85:a2:ae:6c:4f:0e:be: 8a:a2:54:94:18:8c:ea:98:37:b9:e6:bf:be:eb:6d: af:f5:a5:c8:61:f6:dd:64:a6:22:28:d0:5a:f4:9a: 8a:61:90:3e:2f:3d:6b:89:b1:5a:1b:69:72:1e:40: 8f:2b Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical Digital Signature, Certificate Sign, CRL Sign Netscape Cert Type: S/MIME, Object Signing, SSL CA Signature Algorithm: sha256WithRSAEncryption 91:96:e0:07:e1:ee:1a:ad:9d:c3:66:67:c3:8f:a9:2c:3c:9c: 31:d0:46:0d:a2:e3:34:5f:b1:bf:ff:eb:5f:cb:e6:74:c2:29: 16:1c:90:44:bc:5a:92:44:be:ae:ee:2b:0b:f1:75:a2:f1:e9: f8:d1:48:19:36:99:a4:10:0f:fb:64:ba:41:57:a5:58:99:05: 93:5c:69:15:70:b3:58:ef:0d:4f:49:08:3e:01:78:b6:c9:08: 6c:d2:4e:09:e8:39:8d:df:5f:68:33:dc:4e:e4:e7:8d:47:30: f6:5e:a6:0b:71:db:53:15:aa:15:fc:97:04:c1:93:c3:20:df: ef:66:8a:40:a8:52:d4:7d:c7:1a:4b:89:f3:32:90:04:b8:c8: 63:34:ab:e6:60:9f:d1:c6:81:0e:d0:51:ce:3e:c9:0a:83:0f: 73:e8:2a:c9:4b:79:0d:7f:9f:4c:22:f7:52:0d:a1:b0:50:88: 3f:64:b3:63:06:21:1b:73:e1:d9:21:cd:6b:62:38:11:cb:74: 65:b6:5a:87:10:c4:c6:cc:88:99:c8:fb:e5:bf:38:d4:d5:4d: 7a:ff:4b:9b:5d:05:52:06:8f:b8:08:46:6c:47:97:2e:c9:ab: b8:8c:d2:c5:11:b8:1b:90:42:7d:91:fe:6a:b7:88:5c:49:2a: 30:8a:e3:9e:59:9e:ff:00:f9:70:db:c3:e6:c7:8c:ee:74:f0: db:e1:6a:52:43:e2:c7:8e:10:10:6e:c1:cd:b6:d6:b3:5d:0f: d7:1e:a8:7b:3c:bd:b1:27:83:f4:a2:cd:0d:0e:0d:90:58:35: 3d:a9:af:1a:68:ad:ff:7a:3b:e7:69:b0:92:33:f4:51:42:10: fe:38:c6:15:22:cd:ed:48:1b:a0:5e:4a:d2:4d:fd:14:97:31: 6d:38:79:30:e5:74:b7:55:2f:f7:eb:db:81:4f:86:96:85:8e: 59:c3:56:1f:93:9a:61:99:86:9e:9b:40:74:48:18:a2:37:e7: 11:3b:c1:ef:8e:bf:09:45:bf:a4:57:7e:5f:a3:3f:2f:bd:01: 44:4c:9d:35:5b:1f:48:bc:83:2e:b4:54:cb:97:21:46:fd:84: 0b:fe:89:32:cb:fb:e7:a6:ba:cb:e6:b4:ea:a8:5a:67:67:92: ea:01:e2:f8:de:29:0c:8e:8b:8f:02:d6:8d:43:4e:d3:c3:ba: 2e:82:9d:e3:c0:a3:01:02:63:83:59:4f:fe:a6:9a:77:4d:d9: 28:e9:21:29:d4:fc:a2:e1:c7:03:7b:1c:89:61:df:a6:b1:64: d2:ff:51:d7:5e:6c:46:a8:14:3c:12:57:3e:9e:57:13:a4:f3: be:78:30:db:30:55:12:08 -----BEGIN CERTIFICATE----- MIID/TCCAeWgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwKTERMA8GA1UECgwIRVhU RVJOQUwxFDASBgNVBAMMC0V4dGVybmFsIENBMB4XDTE2MDkxNTA2MTcyNVoXDTE3 MDkyNTA2MTcyNVowMzEQMA4GA1UEChMHRVhBTVBMRTEfMB0GA1UEAxMWQ0EgU2ln bmluZyBDZXJ0aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB AKvG1pRriYc5yHepWwL9rZ/fZOYLbvLEpQq2IjNEalGfBBkC9F/+I13MvkhRmWK7 9KzrecRXxqBkAnHBHf30A/Dh67xG55xcwydhho2yWozTuwkHc5FffJyXY3bjGpfc uMD7DqpvOzyhh54ivLQ2rmhui/AOSZ1Cv4c98lJJSO6Xotjui967N8vvGOxZs/hb WBi+xjpzTqWc8AiEKbBkbH4jaj5e3XAklrDGTaCr+DMlLmdvyqYAhdiZArQODgj7 qgh7P7NAZ9pjuFeFoq5sTw6+iqJUlBiM6pg3uea/vuttr/WlyGH23WSmIijQWvSa imGQPi89a4mxWhtpch5AjysCAwEAAaMlMCMwDgYDVR0PAQH/BAQDAgGGMBEGCWCG SAGG+EIBAQQEAwICNDANBgkqhkiG9w0BAQsFAAOCAgEAkZbgB+HuGq2dw2Znw4+p LDycMdBGDaLjNF+xv//rX8vmdMIpFhyQRLxakkS+ru4rC/F1ovHp+NFIGTaZpBAP +2S6QVelWJkFk1xpFXCzWO8NT0kIPgF4tskIbNJOCeg5jd9faDPcTuTnjUcw9l6m C3HbUxWqFfyXBMGTwyDf72aKQKhS1H3HGkuJ8zKQBLjIYzSr5mCf0caBDtBRzj7J CoMPc+gqyUt5DX+fTCL3Ug2hsFCIP2SzYwYhG3Ph2SHNa2I4Ect0ZbZahxDExsyI mcj75b841NVNev9Lm10FUgaPuAhGbEeXLsmruIzSxRG4G5BCfZH+areIXEkqMIrj nlme/wD5cNvD5seM7nTw2+FqUkPix44QEG7BzbbWs10P1x6oezy9sSeD9KLNDQ4N kFg1PamvGmit/3o752mwkjP0UUIQ/jjGFSLN7UgboF5K0k39FJcxbTh5MOV0t1Uv 9+vbgU+GloWOWcNWH5OaYZmGnptAdEgYojfnETvB746/CUW/pFd+X6M/L70BREyd NVsfSLyDLrRUy5chRv2EC/6JMsv756a6y+a06qhaZ2eS6gHi+N4pDI6LjwLWjUNO 08O6LoKd48CjAQJjg1lP/qaad03ZKOkhKdT8ouHHA3sciWHfprFk0v9R115sRqgU PBJXPp5XE6Tzvngw2zBVEgg= -----END CERTIFICATE----- Certificate: Data: Version: 3 (0x2) Serial Number: 13491774428129653462 (0xbb3c695c225df2d6) Signature Algorithm: sha256WithRSAEncryption Issuer: O=EXTERNAL, CN=External CA Validity Not Before: Sep 15 06:17:05 2016 GMT Not After : Sep 10 06:17:05 2036 GMT Subject: O=EXTERNAL, CN=External CA Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (4096 bit) Modulus: 00:c7:8c:c5:65:4f:37:bc:29:31:ec:97:01:1d:1a: ac:fa:0c:b7:b3:16:33:b5:43:22:6d:82:22:66:2a: 65:65:ca:b1:14:af:26:dc:37:8f:ad:cc:e0:43:bd: 75:08:5d:5a:c9:75:ae:a3:73:3c:9b:57:1f:4a:19: c9:1d:3b:33:6f:19:d4:5f:51:0c:0d:81:93:9d:4f: ee:aa:b0:39:2d:3b:d1:5b:9d:d0:14:07:bf:ed:b4: 59:b7:14:a1:05:8c:76:5c:c2:f8:82:d9:77:4e:77: 1d:5a:51:e5:11:e0:42:dd:87:f3:f8:01:c8:cc:08: a3:e5:18:d4:6c:4d:4d:8a:b5:8f:a3:7a:87:9d:6c: 87:03:90:76:27:6f:fe:b9:87:8a:af:32:0b:8c:2e: 5e:49:0e:41:01:c6:b8:1b:b8:fe:57:70:90:1a:d9: 57:72:29:77:57:f3:89:7d:bd:08:a6:46:ce:56:14: 7f:62:7d:82:70:e4:78:ba:89:66:6d:a1:1e:cb:9b: 23:be:04:c9:94:8b:d7:31:8a:2e:78:1e:b1:31:15: 15:55:50:f7:70:1a:14:a4:a0:be:69:7c:15:6d:7d: 28:b5:e8:0f:f3:e6:1c:aa:b8:42:f3:57:58:ad:78: 69:5d:3c:e4:04:f3:2f:fc:34:a2:84:79:13:bd:cf: 3c:2c:94:f9:72:99:a0:97:a8:c8:56:d6:64:d2:4a: 49:80:fd:85:71:3d:81:78:cc:e5:f1:a1:1e:50:90: 37:f5:a8:69:45:02:7f:af:8f:21:b2:33:88:6c:ed: ce:6a:97:1a:7b:37:be:34:d5:21:03:df:f1:e7:d6: 23:fd:19:db:58:82:b6:4a:9d:d7:e3:bd:db:13:2f: 38:d1:d8:df:85:14:39:2b:ce:b1:12:98:e0:d8:71: cf:f3:77:33:69:0a:69:8b:c5:1b:01:f4:b2:fa:0f: dc:45:79:07:39:6b:ce:e6:43:a1:51:a4:9a:25:84: c0:16:77:0c:8d:15:05:8d:ab:17:98:2c:58:68:5e: 1d:16:ef:27:c9:12:f3:27:04:39:2e:95:c9:45:34: c5:c9:e8:6c:58:c2:07:90:46:87:6d:81:e5:c6:32: 32:b3:a3:8c:10:93:c1:49:e7:66:3f:4e:50:4d:19: 09:07:93:f2:c4:b5:ee:4c:ac:75:7b:75:90:39:04: 7e:f8:d7:20:60:bb:39:0f:2e:7c:c2:67:92:93:60: c7:54:8f:69:8c:56:7a:e7:0d:7e:ed:ce:0e:c4:32: 87:0d:7d:bf:94:d3:86:92:84:c3:e4:89:9f:9a:c9: 1f:45:2e:f4:12:cb:f0:10:18:d2:b1:a0:ef:6f:8c: 55:d5:47 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 61:2C:77:C3:1F:B2:0B:55:1A:B5:1B:E6:A9:23:CF:03:3C:02:C3:A5 X509v3 Authority Key Identifier: keyid:61:2C:77:C3:1F:B2:0B:55:1A:B5:1B:E6:A9:23:CF:03:3C:02:C3:A5 X509v3 Basic Constraints: critical CA:TRUE X509v3 Key Usage: critical Digital Signature, Certificate Sign, CRL Sign Signature Algorithm: sha256WithRSAEncryption b9:b4:92:24:38:3c:ff:89:31:db:76:7d:da:99:29:7f:94:08: ab:3d:80:3c:39:fd:f6:b7:35:7a:fc:92:ec:c1:23:11:9e:92: 86:b2:e9:d9:cc:b9:17:1e:8a:9a:e2:e7:16:6f:75:34:ac:16: a0:e3:ba:66:fc:3e:a8:6c:ec:a9:4e:3e:24:02:ec:62:a5:bf: f3:42:c4:3e:95:07:6d:85:ce:cb:c5:d8:dc:47:7d:ec:7b:91: 71:62:ed:f4:1f:17:a9:50:10:f5:91:d0:f9:2e:4a:b3:2e:f1: 0b:3a:98:bf:15:fc:1b:06:eb:a3:25:c0:59:1f:09:7e:5d:6d: f4:d1:a9:c0:39:23:43:82:a5:87:59:3e:27:4c:a5:a2:c6:11: 0f:46:7c:ac:e8:82:8d:0a:ae:1a:23:10:59:32:3a:1b:47:28: fc:92:92:30:0d:1a:9a:b7:2f:09:e4:01:10:ff:f4:90:4b:2b: 77:72:b5:51:47:df:a3:aa:a0:69:9e:23:c4:6a:a9:43:03:d1: 4f:84:2b:c4:13:f6:74:68:b7:46:10:53:4d:30:1f:af:a9:79: 3e:9a:ed:8d:87:01:93:c7:f1:f3:86:2b:6d:a2:a7:58:7d:bd: 6c:f4:93:e0:1c:3b:52:b1:8c:52:a0:77:21:2b:7e:1f:d2:18: 8f:40:81:df:9e:42:74:3b:8f:ac:99:7d:22:a7:8d:7a:9a:13: a7:89:e0:06:64:aa:5d:72:0f:d2:14:12:41:94:f7:82:a8:60: 8e:40:6d:c3:2b:59:11:53:fa:3e:81:1d:44:66:73:73:5c:57: 77:ec:3d:0b:5b:f7:11:af:6a:af:b1:b4:29:d7:95:23:2f:b7: b1:10:52:f9:6a:c9:8d:4e:1e:d4:db:d3:a8:28:26:17:38:e2: b1:57:df:f8:b4:82:71:09:bf:a6:af:ae:23:be:c4:c8:e4:59: 62:1c:0a:6c:0a:ba:ae:3e:62:ee:d4:6f:b8:52:1e:84:47:90: 98:70:47:4d:c4:11:87:20:f1:63:27:84:37:3f:1c:87:57:d3: d0:b0:4e:da:1e:50:8e:fc:55:d9:45:49:92:51:d4:8d:8d:e6: 33:04:56:1f:33:8a:6a:24:77:1c:ba:c1:8a:2c:8f:dd:eb:3e: 70:d7:75:dc:2e:4a:84:59:92:2e:eb:1e:7d:9a:c3:45:01:ad: 8c:e5:74:79:76:0b:c4:cf:5f:f1:95:ba:1e:05:de:f8:fe:4a: bb:cd:9e:ef:1b:ce:ac:a0:91:f1:00:75:b6:57:ef:d8:d2:69: dd:30:7a:a0:52:20:2e:7a:0b:dd:0f:47:c3:42:12:cd:cb:ec: 15:51:fb:87:91:1e:c7:52 -----BEGIN CERTIFICATE----- MIIFODCCAyCgAwIBAgIJALs8aVwiXfLWMA0GCSqGSIb3DQEBCwUAMCkxETAPBgNV BAoMCEVYVEVSTkFMMRQwEgYDVQQDDAtFeHRlcm5hbCBDQTAeFw0xNjA5MTUwNjE3 MDVaFw0zNjA5MTAwNjE3MDVaMCkxETAPBgNVBAoMCEVYVEVSTkFMMRQwEgYDVQQD DAtFeHRlcm5hbCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMeM xWVPN7wpMeyXAR0arPoMt7MWM7VDIm2CImYqZWXKsRSvJtw3j63M4EO9dQhdWsl1 rqNzPJtXH0oZyR07M28Z1F9RDA2Bk51P7qqwOS070Vud0BQHv+20WbcUoQWMdlzC +ILZd053HVpR5RHgQt2H8/gByMwIo+UY1GxNTYq1j6N6h51shwOQdidv/rmHiq8y C4wuXkkOQQHGuBu4/ldwkBrZV3Ipd1fziX29CKZGzlYUf2J9gnDkeLqJZm2hHsub I74EyZSL1zGKLngesTEVFVVQ93AaFKSgvml8FW19KLXoD/PmHKq4QvNXWK14aV08 5ATzL/w0ooR5E73PPCyU+XKZoJeoyFbWZNJKSYD9hXE9gXjM5fGhHlCQN/WoaUUC f6+PIbIziGztzmqXGns3vjTVIQPf8efWI/0Z21iCtkqd1+O92xMvONHY34UUOSvO sRKY4Nhxz/N3M2kKaYvFGwH0svoP3EV5BzlrzuZDoVGkmiWEwBZ3DI0VBY2rF5gs WGheHRbvJ8kS8ycEOS6VyUU0xcnobFjCB5BGh22B5cYyMrOjjBCTwUnnZj9OUE0Z CQeT8sS17kysdXt1kDkEfvjXIGC7OQ8ufMJnkpNgx1SPaYxWeucNfu3ODsQyhw19 v5TThpKEw+SJn5rJH0Uu9BLL8BAY0rGg72+MVdVHAgMBAAGjYzBhMB0GA1UdDgQW BBRhLHfDH7ILVRq1G+apI88DPALDpTAfBgNVHSMEGDAWgBRhLHfDH7ILVRq1G+ap I88DPALDpTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG 9w0BAQsFAAOCAgEAubSSJDg8/4kx23Z92pkpf5QIqz2APDn99rc1evyS7MEjEZ6S hrLp2cy5Fx6KmuLnFm91NKwWoOO6Zvw+qGzsqU4+JALsYqW/80LEPpUHbYXOy8XY 3Ed97HuRcWLt9B8XqVAQ9ZHQ+S5Ksy7xCzqYvxX8GwbroyXAWR8Jfl1t9NGpwDkj Q4Klh1k+J0ylosYRD0Z8rOiCjQquGiMQWTI6G0co/JKSMA0amrcvCeQBEP/0kEsr d3K1UUffo6qgaZ4jxGqpQwPRT4QrxBP2dGi3RhBTTTAfr6l5PprtjYcBk8fx84Yr baKnWH29bPST4Bw7UrGMUqB3ISt+H9IYj0CB355CdDuPrJl9IqeNepoTp4ngBmSq XXIP0hQSQZT3gqhgjkBtwytZEVP6PoEdRGZzc1xXd+w9C1v3Ea9qr7G0KdeVIy+3 sRBS+WrJjU4e1NvTqCgmFzjisVff+LSCcQm/pq+uI77EyORZYhwKbAq6rj5i7tRv uFIehEeQmHBHTcQRhyDxYyeENz8ch1fT0LBO2h5QjvxV2UVJklHUjY3mMwRWHzOK aiR3HLrBiiyP3es+cNd13C5KhFmSLusefZrDRQGtjOV0eXYLxM9f8ZW6HgXe+P5K u82e7xvOrKCR8QB1tlfv2NJp3TB6oFIgLnoL3Q9Hw0ISzcvsFVH7h5Eex1I= -----END CERTIFICATE----- Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2396.html |