Bug 1423504

Summary: [RFE] CSR should not be required when installing Satellite Server or generating Capsule certificate bundle
Product: Red Hat Satellite
Reporter: Ian Tewksbury <itewksbu>
Component: Certificates
Assignee: Eric Helms <ehelms>
Status: CLOSED DUPLICATE
QA Contact: Katello QA List <katello-qa-list>
Severity: medium
Docs Contact:
Priority: medium
Version: 6.2.6
CC: ahumbe, arusso, bbuckingham, bkearney, msomasun, tbrisker
Target Milestone: Unspecified
Keywords: FieldEngineering, FutureFeature, Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-28 07:16:44 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Ian Tewksbury 2017-02-17 13:18:48 UTC
Description of problem:

Currently, when providing custom signed certificates to either `satellite-installer --scenario satellite` or `capsule-certs-generate`, they both require the CSR to be given either via `--certs-server-cert-req` or `--server-cert-req` respectively.

Even though the commands require a CSR to be given, there is no reason to require the CSR; additionally, if you just pass a blank file, everything works fine.

Therefore the requirement of specifying the CSR should be removed, since it appears not to be used for anything and Satellite users do not always have access to the CSR.


Version-Release number of selected component (if applicable):

6.2.6

How reproducible:

Always

Steps to Reproduce:
1. Call satellite-installer --scenario satellite without --certs-server-cert-req when giving custom signed certificate
2. failure

or

1. Call satellite-installer --scenario satellite with empty file passed to --certs-server-cert-req when giving custom signed certificate
2. Succeeds

or

1. Call capsule-certs-generate --scenario satellite without --server-cert-req when giving custom signed certificate
2. failure

or

1. Call satellite-installer --scenario satellite with empty file passed to --server-cert-req when giving custom signed certificate
2. Succeeds

Actual results:

If giving a custom signed key/cert pair to the satellite-installer or capsule-certs-generate commands without passing the CSR the commands will fail.

If you pass empty CSR files in these cases they will succeed.


Expected results:

Since the CSR appears to do nothing, since an empty file can be given, this should not be a requirement of the satellite-installer or capsule-certs-generate commands when providing custom signed key/cert.

Additional Info:
A customer ran into this because their PKI team generates and signs CSRs based on given parameters and then only gives back the cert/key without the CSR. Since the CSR does not appear to actually be needed by Satellite, it should not be a required parameter.
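
Added example (not part of the original report and not Satellite's own tooling): for sites that receive only the cert/key pair and would rather pass a real request than an empty file, this sketch rebuilds a CSR from the two files with OpenSSL after first confirming that the key belongs to the certificate. The function names and file arguments are made up for illustration, and an unencrypted PEM private key is assumed.

```shell
#!/bin/sh
# Added example: rebuild a CSR from an existing certificate and private key.
# pubkey_of and rebuild_csr are hypothetical helper names, not Satellite code.
# Assumes PEM files and an unencrypted private key.

# Print the public key (PEM) carried by a certificate, private key or CSR.
pubkey_of() {
    case "$1" in
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        *)    return 2 ;;
    esac
}

# rebuild_csr CERT KEY OUT_CSR
# Returns 0 on success, 1 if the key does not belong to the certificate,
# 2 if the certificate or key cannot be parsed, 3 if the CSR step fails.
rebuild_csr() {
    cert=$1 key=$2 out=$3
    cert_pub=$(pubkey_of cert "$cert" 2>/dev/null) || return 2
    key_pub=$(pubkey_of key "$key" 2>/dev/null) || return 2

    # A cert/key mismatch is the mistake worth catching, so check it first
    # and write nothing if the pair is inconsistent.
    [ "$cert_pub" = "$key_pub" ] || return 1

    # -x509toreq takes the subject and public key from the certificate and
    # signs the new request with the private key.
    openssl x509 -x509toreq -in "$cert" -signkey "$key" -out "$out" \
        2>/dev/null || return 3

    # The rebuilt request must carry the same public key as the certificate.
    [ "$(pubkey_of csr "$out" 2>/dev/null)" = "$cert_pub" ] || return 3
}

# Usage (placeholder file names):
#   rebuild_csr server.crt server.key server.csr
```

The public-key comparison at the top is also useful by itself as a pre-flight check on whatever the PKI team hands back, whether or not a CSR is rebuilt.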

Comment 2 Ashish Humbe 2017-08-28 03:41:02 UTC
This bugzilla is a duplicate of - https://bugzilla.redhat.com/show_bug.cgi?id=1233431

Comment 3 Tomer Brisker 2017-08-28 07:16:44 UTC
Thank you Ashish, closing as duplicate.

*** This bug has been marked as a duplicate of bug 1233431 ***