Bug 1378275
Summary: | two-step externally-signed CA installation fails due to missing AuthorityID | |
---|---|---|---
Product: | Red Hat Enterprise Linux 7 | Reporter: | Fraser Tweedale <ftweedal>
Component: | pki-core | Assignee: | Fraser Tweedale <ftweedal>
Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang>
Severity: | urgent | Docs Contact: | Marc Muehlfeld <mmuehlfe>
Priority: | urgent | |
Version: | 7.3 | CC: | arubin, ekeck, ftweedal, gkapoor, mharmsen, nkinder
Target Milestone: | rc | Keywords: | ZStream
Target Release: | 7.3 | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | pki-core-10.4.0-1.el7 | Doc Type: | Bug Fix
Story Points: | --- | |
Clone Of: | | |
 | 1390321 | Environment: |
Last Closed: | 2017-08-01 22:46:01 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | | |
Bug Blocks: | 1390321 | |

Doc Text:
Certificate System does not start a Lightweight CA key replication during installation

Previously, Certificate System incorrectly started a Lightweight CA key replication during a two-step installation. As a consequence, the installation failed and an error was displayed. With this update, the two-step installation does not start the Lightweight CA key replication and the installation completes successfully.
Description
Fraser Tweedale
2016-09-22 02:35:18 UTC
Moving from rhel-7.3.0 ==> rhel-7.4.0.

Bug has been marked as RHEL 7.3 ZStream candidate.

*** Bug 1378517 has been marked as a duplicate of this bug. ***

On September 23, 2016, ftweedal checked-in the following:
* master (3ea93c9b4bc03f3d79550d8bdfd1447ffa25238d)
* DOGTAG_10_3_BRANCH (fca5fd053434d112998c814bc6d9424b6a5bac98)

Hi Fraser,
Do you think this much testing is sufficient or I need to cover some other test case too..
Thanks

ExternalCA: Using another pki instance:
---------------------------------------
1. CSR is generated using step 1 installation.
   -- Attributes:
      Requested Extensions:
        X509v3 Basic Constraints: critical
          CA:TRUE
        X509v3 Key Usage: critical
          Digital Signature, Non Repudiation, Certificate Sign, CRL Sign

2. Sign the request using RootCA (pki).
   Test steps:
   -----------
   2.1. pki -U http://csqa4-guest04.idm.lab.eng.rdu.redhat.com:8080 ca-cert-request-submit --profile caCACert --csr-file /tmp/ca_signing.csr
   2.2. Approve it from the CA Agent page.
   2.3. Signed certificate extensions:
        AKI for the externally signed certificate == SKI of the signing CA.
        SKI for the externally signed CA should be new and unique.
        Extensions:
          Identifier: Authority Key Identifier - 2.5.29.35
            Critical: no
            Key Identifier:
              0C:B1:8A:81:57:14:DD:F2:E8:9A:13:14:E7:CB:D4:EC:
              88:4D:23:18
          Identifier: Subject Key Identifier - 2.5.29.14
            Critical: no
            Key Identifier:
              3B:EB:A1:26:93:ED:D6:81:16:68:BB:AC:15:15:88:9A:
              97:EA:B4:87
          Identifier: Basic Constraints - 2.5.29.19
            Critical: yes
            Is CA: yes
            Path Length Constraint: UNLIMITED
          Identifier: Key Usage: - 2.5.29.15
            Critical: yes
            Key Usage:
              Digital Signature
              Non Repudiation
              Key CertSign
              Crl Sign
          Identifier: Authority Info Access: - 1.3.6.1.5.5.7.1.1
            Critical: no
            Access Description:
              Method #0: ocsp
              Location #0: URIName: http://csqa4-guest04.idm.lab.eng.rdu.redhat.com:8080/ca/ocsp
   2.4. Signing CA certificate extensions:
        Since this is the RootCA, its SKI == AKI.
        Extensions:
          Identifier: Authority Key Identifier - 2.5.29.35
            Critical: no
            Key Identifier:
              0C:B1:8A:81:57:14:DD:F2:E8:9A:13:14:E7:CB:D4:EC:
              88:4D:23:18
          Identifier: Basic Constraints - 2.5.29.19
            Critical: yes
            Is CA: yes
            Path Length Constraint: UNLIMITED
          Identifier: Key Usage: - 2.5.29.15
            Critical: yes
            Key Usage:
              Digital Signature
              Non Repudiation
              Key CertSign
              Crl Sign
          Identifier: Subject Key Identifier - 2.5.29.14
            Critical: no
            Key Identifier:
              0C:B1:8A:81:57:14:DD:F2:E8:9A:13:14:E7:CB:D4:EC:
              88:4D:23:18
          Identifier: Authority Info Access: - 1.3.6.1.5.5.7.1.1
            Critical: no
            Access Description:
              Method #0: ocsp
              Location #0: URIName: http://csqa4-guest04.idm.lab.eng.rdu.redhat.com:8080/ca/ocsp

3. Perform the last step where we need to do the External CA installation:
   pkispawn -f ca_2.cfg -s CA -vvv
   This should give a successful installation.
4. Stop the ExternalCA process. Change the cipher and restart.
5. Make sure you are able to sign the certificate.

==========================================================================
ExternalCA with nssdb::
SECret.123 SECret.456
1. Self-signed ExternalCA certificate of nssdb (external.crt) with no SKI:
   Usage of SKI is optional in case of a self-signed certificate.
     Exponent: 65537 (0x10001)
     X509v3 extensions:
       Netscape Cert Type: SSL CA, S/MIME CA, Object Signing CA
       X509v3 Basic Constraints: critical
         CA:TRUE
       X509v3 Key Usage: Certificate Sign
2. CA signing certificate signed by the external.crt:
     X509v3 extensions:
       Authority Information Access: OCSP - URI:http://pki1.example.com:8080/ca/ocsp
       X509v3 Subject Key Identifier: 9C:56:A5:59:82:99:BE:2E:BF:6A:64:BF:67:1F:18:36:43:F3:12:8F
       X509v3 Authority Key Identifier: 0.
       X509v3 Basic Constraints: critical
         CA:TRUE
       X509v3 Key Usage: critical
         Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
3. Proceed with step 2 installation.
   User signed certificate extensions:
     Extensions:
       Identifier: Authority Key Identifier - 2.5.29.35
         Critical: no
         Key Identifier:
           9C:56:A5:59:82:99:BE:2E:BF:6A:64:BF:67:1F:18:36:
           43:F3:12:8F
       Identifier: Authority Info Access: - 1.3.6.1.5.5.7.1.1
         Critical: no
         Access Description:
           Method #0: ocsp
           Location #0: URIName: http://csqa4-guest04.idm.lab.eng.rdu.redhat.com:27080/ca/ocsp
       Identifier: Key Usage: - 2.5.29.15
         Critical: yes
         Key Usage:
           Digital Signature
           Non Repudiation
           Key Encipherment
       Identifier: Extended Key Usage: - 2.5.29.37
         Critical: no
         Extended Key Usage:
           1.3.6.1.5.5.7.3.2
           1.3.6.1.5.5.7.3.4
==========================================================================

Any two-step externally-signed CA installation is sufficient to trigger the bug, so the above is sufficient.

Moving bug to verified

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2017:2110
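The verification the test report does by eye (AKI of the externally signed CA == SKI of the signing root, root SKI == its own AKI, each CA with a new unique SKI, and the no-SKI self-signed root from the nssdb scenario) can be automated over extension dumps in the pretty-print format quoted in the report. This is an added example, not code from the bug report or from pki-core; the sample dumps are constructed from the key identifiers shown above, and `WRONG_AKI_CA` and `ROOT_NO_SKI` are constructed negative cases.

```python
import re

# Constructed sample input: extension dumps in the pretty-print format quoted in the
# bug, trimmed to the key-identifier extensions (root CA and externally signed CA).
ROOT_CA = """Identifier: Authority Key Identifier - 2.5.29.35 Critical: no
Key Identifier: 0C:B1:8A:81:57:14:DD:F2:E8:9A:13:14:E7:CB:D4:EC: 88:4D:23:18
Identifier: Basic Constraints - 2.5.29.19 Critical: yes Is CA: yes
Identifier: Subject Key Identifier - 2.5.29.14 Critical: no
Key Identifier: 0C:B1:8A:81:57:14:DD:F2:E8:9A:13:14:E7:CB:D4:EC: 88:4D:23:18"""
EXT_SIGNED_CA = """Identifier: Authority Key Identifier - 2.5.29.35 Critical: no
Key Identifier: 0C:B1:8A:81:57:14:DD:F2:E8:9A:13:14:E7:CB:D4:EC: 88:4D:23:18
Identifier: Subject Key Identifier - 2.5.29.14 Critical: no
Key Identifier: 3B:EB:A1:26:93:ED:D6:81:16:68:BB:AC:15:15:88:9A: 97:EA:B4:87
Identifier: Basic Constraints - 2.5.29.19 Critical: yes Is CA: yes"""
# Constructed negative case: a sub-CA whose AKI does not point at the root's key.
WRONG_AKI_CA = EXT_SIGNED_CA.replace("0C:B1:8A:81", "FF:B1:8A:81")
# Constructed root with no SKI at all (the nssdb scenario in the report).
ROOT_NO_SKI = "Identifier: Basic Constraints - 2.5.29.19 Critical: yes Is CA: yes"

_KEYID = re.compile(
    r"(Authority|Subject) Key Identifier - 2\.5\.29\.(?:35|14)\s+Critical: (?:yes|no)"
    r"\s+Key Identifier:\s*((?:[0-9A-F]{2}:?\s*)+)")

def parse_key_ids(dump):
    """Map an extension dump to {'AKI': hex or None, 'SKI': hex or None}."""
    ids = {"AKI": None, "SKI": None}
    for m in _KEYID.finditer(dump):
        which = "AKI" if m.group(1) == "Authority" else "SKI"
        ids[which] = re.sub(r"[^0-9A-F]", "", m.group(2))  # strip colons/whitespace
    return ids

def check_chain(chain):
    """chain: [(label, dump), ...], root first. Returns findings; [] means the
    AKI/SKI relationships the test report verifies by hand all hold."""
    parsed = [(label, parse_key_ids(dump)) for label, dump in chain]
    findings = []
    root_label, root = parsed[0]
    if root["SKI"] is None:
        findings.append(f"{root_label}: no SKI (optional for self-signed; keyid match impossible)")
    elif root["AKI"] is not None and root["AKI"] != root["SKI"]:
        findings.append(f"{root_label}: self-signed but AKI != SKI")
    for (iss_label, iss), (sub_label, sub) in zip(parsed, parsed[1:]):
        if sub["AKI"] is None:
            findings.append(f"{sub_label}: missing AKI")
        elif iss["SKI"] is not None and sub["AKI"] != iss["SKI"]:
            findings.append(f"{sub_label}: AKI does not match SKI of {iss_label}")
    skis = [p["SKI"] for _, p in parsed if p["SKI"] is not None]
    if len(skis) != len(set(skis)):
        findings.append("SKI values repeat across the chain; each CA needs a unique SKI")
    return findings
```

Feed `check_chain` the dumps of the signing CA and the newly installed CA (and, optionally, a leaf it issued) in root-first order; an empty result is the condition the test report calls a good two-step installation.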