Bug 1366578

Summary: CSR Generated is not of correct format hence unable to decode
Product: Red Hat Enterprise Linux 7
Reporter: Geetika Kapoor <gkapoor>
Component: pki-core
Assignee: RHCS Maintainers <rhcs-maint>
Status: CLOSED ERRATA
QA Contact: Asha Akkiangady <aakkiang>
Severity: unspecified
Priority: unspecified
Version: 7.3
CC: edewata, mharmsen
Target Milestone: rc
Target Release: 7.3
Hardware: Unspecified
OS: Unspecified
Fixed In Version: pki-core-10.3.3-7.el7
Doc Type: If docs needed, set a value
Last Closed: 2016-11-04 05:27:08 UTC
Type: Bug

Description Geetika Kapoor 2016-08-12 11:30:12 UTC
Description of problem:


Verified using http://pki.fedoraproject.org/wiki/Installing_CA_with_Existing_CA_Certificate_using_PKCS12_File

According to the wiki page, we are doing the steps below, but I have one question here.

1. I created the CSR using the new procedure:
===============================================

$ echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > ca_signing.csr
$ grep ca.signing.certreq /var/lib/pki/pki-tomcat/ca/conf/CS.cfg | awk -F= '{print $2;}' >> ca_signing.csr
$ echo "-----END NEW CERTIFICATE REQUEST-----" >> ca_signing.csr


2. I got the CSR below:
============================

[root@pki1 1289323]# cat ca_signing.csr 
-----BEGIN NEW CERTIFICATE REQUEST-----
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
-----END NEW CERTIFICATE REQUEST-----

3. I tried to decode the CSR using openssl and other online utilities; it did not work as expected (decoding is not possible):
===================================================================

openssl req -in ca_signing.csr -noout -text
unable to load X509 request
140246319929248:error:0906D064:PEM routines:PEM_read_bio:bad base64 decode:pem_lib.c:812:

Version-Release number of selected component (if applicable):
Build: 10.3.3-5.el7

How reproducible:
always

Steps to Reproduce:
1. Refer to the steps above.

Actual results:
Unable to decode the CSR generated using the steps mentioned above.

Expected results:
Question: What is the use of generating this CSR if we are not using it anywhere?
While doing the installation on another host we are independently creating a CSR request.

Additional info:

Build: 10.3.3-5.el7

Comment 2 Endi Sukma Dewata 2016-08-23 03:44:48 UTC
The CSR stored in ca.signing.certreq parameter is actually valid. However, if the base-64 encoded CSR contains '=' signs the awk command will remove them since they are considered delimiters, so the exported CSR can become invalid.

To avoid the problem please use these commands instead:

$ echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > ca_signing.csr
$ sed -n "/^ca.signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> ca_signing.csr
$ echo "-----END NEW CERTIFICATE REQUEST-----" >> ca_signing.csr

I have updated the wiki page:
http://pki.fedoraproject.org/wiki/Installing_CA_with_Existing_CA_Certificate_using_PKCS12_File

In the future the CSR should be moved out of the CS.cfg and into a file or LDAP database. This way the CSR can be used directly without additional processing like above.
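The padding loss described in this comment, and the failing decode from the description, reproduced against a constructed CS.cfg fragment. This is an added example, not code from the bug report or from the RHCS/Dogtag project; the file contents, the two base64 bodies and the helper names (make_cfg, extract_awk, extract_sed, padding_ok) are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the bug report: reproduce the '=' padding loss
# from comment 2 against a constructed CS.cfg fragment.
set -eu

# Write a stand-in for /var/lib/pki/pki-tomcat/ca/conf/CS.cfg to $1 with the
# base64 CSR body $2 (both constructed here; the real value is far longer).
make_cfg() {
    printf 'ca.signing.certreq=%s\nca.signing.nickname=caSigningCert cert-pki-ca\n' "$2" > "$1"
}

# Extraction exactly as the wiki originally had it: -F= splits on every '='
# and $2 is only the text between the first and second '=', so any trailing
# base64 padding is silently dropped.
extract_awk() {
    grep ca.signing.certreq "$1" | awk -F= '{print $2;}'
}

# Corrected extraction from comment 2: remove everything up to the first '='
# and print the remainder of that one line, padding included.
extract_sed() {
    sed -n "/^ca.signing.certreq=/ s/^[^=]*=// p" < "$1"
}

# A base64 body that a strict PEM decoder (openssl req) accepts must be a
# multiple of four characters long; returns 0 if so, 1 otherwise.
padding_ok() {
    [ $(( ${#1} % 4 )) -eq 0 ]
}

# Constructed bodies: the first encodes 26 bytes and needs one '=' of padding,
# the second encodes 24 bytes and needs none (why the bug only sometimes bites).
PADDED='QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo='
UNPADDED='QUJDREVGR0hJSktMTU5PUFFSU1RVVldY'

CFG=$(mktemp)
trap 'rm -f "$CFG"' EXIT
for body in "$PADDED" "$UNPADDED"; do
    make_cfg "$CFG" "$body"
    for tool in awk sed; do
        out=$("extract_$tool" "$CFG")
        if padding_ok "$out"; then verdict=ok; else verdict=BROKEN; fi
        printf '%-3s -> %-37s %s\n' "$tool" "$out" "$verdict"
    done
done
```

The awk line is marked BROKEN only for the padded body, which is why a CSR exported this way decodes on some installations and fails with "bad base64 decode" on others.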

Comment 4 Geetika Kapoor 2016-09-19 09:54:54 UTC
build: pki-ca-10.3.3-10.el7.noarch

Verified the document changes as mentioned in http://pki.fedoraproject.org/wiki/Installing_CA_with_Existing_CA_Certificate_using_PKCS12_File

Comment 6 errata-xmlrpc 2016-11-04 05:27:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2396.html