Bug 1374877
| Summary: | Installer generates PKCS #12 with duplicate CA signing certificates | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Endi Sukma Dewata <edewata> |
| Component: | pki-core | Assignee: | RHCS Maintainers <rhcs-maint> |
| Status: | CLOSED WONTFIX | QA Contact: | Asha Akkiangady <aakkiang> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.8 | CC: | mharmsen |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-09-19 18:07:23 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
This bug will not be fixed in PKI. IPA will implement a workaround in bug #1371519 by re-exporting the certificates using PKCS12Export.
During CA installation on RHEL 6.8 the BackupKeyCertPanel will export the system certificates and the CA certificates (trust anchors) into a PKCS #12 file. However, since the CA signing certificate is considered both a system certificate and a trust anchor, it will be exported twice. The first copy will have a nickname, while the second copy will not have a nickname. Depending on how the PKCS #12 file is used, the duplicate certificates and the missing nickname may cause a problem.

Here's the relevant code in BackupKeyCertPanel.backupKeysCerts():

```java
// export system certificates with nicknames
String certlist = cs.getString("preop.cert.list");
StringTokenizer st = new StringTokenizer(certlist, ",");
while (st.hasMoreTokens()) {
    String t = st.nextToken();
    String nickname = cs.getString("preop.cert." + t + ".nickname");
    // certificate lookup by nickname (omitted from the original excerpt)
    X509Certificate x509cert = cm.findCertByNickname(nickname);
    addCertBag(x509cert, nickname, safeContents);
}

// export CA certificates without nicknames
X509Certificate[] cacerts = cm.getCACerts();
for (int i = 0; i < cacerts.length; i++) {
    String nickname = null;
    addCertBag(cacerts[i], nickname, safeContents);
}
```

The problem happens on RHEL 6.8 and possibly earlier RHEL 7.x. The problem does not happen on RHEL 7.3 since it uses a different code to export the certificates.

Steps to reproduce:

1. Install CA (or IPA). Make sure the backup option is enabled.
2. Inspect the content of the PKCS #12 file with this command:

```
$ openssl pkcs12 -in cacert.p12 -passin file:password.txt
```

Actual results:

The CA certificate will appear twice:

```
Bag Attributes
    localKeyID: ...
    friendlyName: caSigningCert cert-pki-ca
subject=/O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM/CN=Certificate Authority
issuer=/O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM/CN=Certificate Authority
...
Bag Attributes: <No Attributes>
subject=/O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM/CN=Certificate Authority
issuer=/O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM/CN=Certificate Authority
```

Expected results:

Ideally the CA certificate should only appear once with the proper nickname.
Note that the PKCS12Export does not have this problem since it exports all certificates from the NSS database:

```java
X509Certificate[] certs = store.getCertificates();
for (int i = 0; i < certs.length; i++) {
    String nickname = certs[i].getNickname();
    // private-key lookup (omitted from the original excerpt); trust anchors have no key
    PrivateKey prikey = null;
    try {
        prikey = cm.findPrivKeyByCert(certs[i]);
    } catch (ObjectNotFoundException e) {
        // no private key for this certificate
    }
    if (prikey == null) {
        // certificate doesn't have a key, no nickname
        addCertBag(certs[i], null, safeContents);
    } else {
        // certificate has a key, include nickname
        addCertBag(certs[i], nickname, safeContents);
    }
}
```

There are several options to address this issue:

1. Fix the code to generate a valid PKCS #12 file (i.e. no duplicate certificates).
2. Don't generate a PKCS #12 during install (i.e. no invalid PKCS #12 file).
3. Include a documentation or release note describing the problem, and possibly advising the users against using the PKCS #12 file generated during install.
4. Don't change anything, simply close this ticket as won't fix. This ticket will serve as a documentation.

As a workaround, the certificates can be exported correctly using PKCS12Export after installation.
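The following is an added example, not code from this bug report or from PKI. It is a check an administrator can run on a backup file produced by the installer: it parses the text that `openssl pkcs12 -in cacert.p12` prints (step 2 of the reproduction), groups certificate bags by the SHA-256 of their DER body so that the same certificate is recognised whether or not it carries a friendlyName, and then collapses duplicates the way the PKCS12Export loop quoted above does, keeping the nickname on the copy that is tied to a private key. The sample dump is constructed to mirror the "Actual results" section; its base64 bodies are placeholders, not real certificates.

```python
"""Audit an `openssl pkcs12` text dump for duplicate certificate bags and
bags without a friendlyName (nickname). Added example; standard library only."""
import base64
import hashlib
from collections import defaultdict

# Constructed sample dump modelled on the bug's "Actual results": the CA
# signing certificate appears once with a nickname and once with no
# attributes. The base64 bodies are placeholders, not real certificates.
SAMPLE_DUMP = """\
MAC verified OK
Bag Attributes
    localKeyID: 01 02 03 04
    friendlyName: caSigningCert cert-pki-ca
subject=/O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM/CN=Certificate Authority
issuer=/O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM/CN=Certificate Authority
-----BEGIN CERTIFICATE-----
Q0FTSUdOSU5HQ0VSVA==
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 05 06 07 08
    friendlyName: ocspSigningCert cert-pki-ca
subject=/O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM/CN=OCSP Subsystem
issuer=/O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM/CN=Certificate Authority
-----BEGIN CERTIFICATE-----
T0NTUFNJR05JTkdDRVJU
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=/O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM/CN=Certificate Authority
issuer=/O=ABC.IDM.LAB.ENG.BRQ.REDHAT.COM/CN=Certificate Authority
-----BEGIN CERTIFICATE-----
Q0FTSUdOSU5HQ0VSVA==
-----END CERTIFICATE-----
"""


def parse_cert_bags(dump):
    """Split the dump into certificate bags (key bags are dropped).
    Each bag: friendly_name (None when absent), local_key_id, subject, issuer, der."""
    bags, current, pem_lines = [], None, None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("Bag Attributes"):  # also matches "Bag Attributes: <No Attributes>"
            current = {"friendly_name": None, "local_key_id": None,
                       "subject": None, "issuer": None, "der": None}
            bags.append(current)
            pem_lines = None
            continue
        if current is None:
            continue  # preamble such as "MAC verified OK"
        if line.startswith("friendlyName:"):
            current["friendly_name"] = line.split(":", 1)[1].strip()
        elif line.startswith("localKeyID:"):
            current["local_key_id"] = line.split(":", 1)[1].strip()
        elif line.startswith("subject="):
            current["subject"] = line[len("subject="):]
        elif line.startswith("issuer="):
            current["issuer"] = line[len("issuer="):]
        elif line == "-----BEGIN CERTIFICATE-----":
            pem_lines = []
        elif line == "-----END CERTIFICATE-----":
            current["der"] = base64.b64decode("".join(pem_lines))
            pem_lines = None
        elif pem_lines is not None:
            pem_lines.append(line)
    return [b for b in bags if b["der"] is not None]


def fingerprint(bag):
    """SHA-256 over the DER: identical certificates match regardless of bag attributes."""
    return hashlib.sha256(bag["der"]).hexdigest()


def find_duplicates(bags):
    """{fingerprint: [bags]} for every certificate that occurs in more than one bag."""
    groups = defaultdict(list)
    for bag in bags:
        groups[fingerprint(bag)].append(bag)
    return {fp: group for fp, group in groups.items() if len(group) > 1}


def unnamed_bags(bags):
    """Subjects of certificate bags that carry no friendlyName."""
    return [bag["subject"] for bag in bags if bag["friendly_name"] is None]


def _rank(bag):
    # A copy tied to a key (localKeyID) and named is the one worth keeping.
    return (bag["local_key_id"] is not None, bag["friendly_name"] is not None)


def dedupe(bags):
    """One bag per certificate, preferring the key-bearing, named copy (the
    PKCS12Export rule: nickname only where a private key exists)."""
    best, order = {}, []
    for bag in bags:
        fp = fingerprint(bag)
        if fp not in best:
            best[fp], _ = bag, order.append(fp)
        elif _rank(bag) > _rank(best[fp]):
            best[fp] = bag
    return [best[fp] for fp in order]


if __name__ == "__main__":
    import sys
    dump = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    bags = parse_cert_bags(dump)
    for group in find_duplicates(bags).values():
        print(f"duplicate: {group[0]['subject']} in {len(group)} bags, "
              f"friendlyNames {[b['friendly_name'] for b in group]}")
    for subject in unnamed_bags(bags):
        print(f"no friendlyName: {subject}")
    print(f"{len(bags)} cert bags, {len(dedupe(bags))} after de-duplication")
```

Run it with a saved dump as the first argument (`openssl pkcs12 -in cacert.p12 -passin file:password.txt -nokeys > dump.txt`); with no argument it audits the constructed sample. Because identity is taken from the DER rather than the subject, two distinct certificates with the same subject (for example after a CA renewal) are not reported as duplicates, while the same certificate exported under two different attribute sets is.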