Bug 1464549 - CC: Installation with CMC

| Field | Value | Field | Value |
|---|---|---|---|
| Product | Red Hat Enterprise Linux 7 | Reporter | Christina Fu <cfu> |
| Component | pki-core | Assignee | Endi Sukma Dewata <edewata> |
| Status | CLOSED ERRATA | QA Contact | Asha Akkiangady <aakkiang> |
| Severity | unspecified | Docs Contact | Marc Muehlfeld <mmuehlfe> |
| Priority | unspecified | CC | aadhikar, cfu, edewata, gkapoor, mharmsen, pasik |
| Version | 7.4 | Target Milestone | rc |
| Target Release | --- | Hardware | Unspecified |
| OS | Unspecified | Whiteboard | |
| Fixed In Version | pki-core-10.5.1-1.el7 | Doc Type | Enhancement |
| Story Points | --- | Clone Of | |
| Environment | | Last Closed | 2018-04-10 16:58:29 UTC |
| Type | Bug | Regression | --- |
| Mount Type | --- | Documentation | --- |
| CRM | | Verified Versions | |
| Category | --- | oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | | Cloudforms Team | --- |
| Target Upstream Version | | Embargoed | |

Doc Text:

Certificate System supports installing CA, KRA, and OCSP subsystems with CMC

This enhancement provides a mechanism to install CA, KRA, or OCSP subsystems with Certificate Management over CMS (CMC). Installation is done in two steps. The first step generates the Certificate Signing Requests (CSRs) for the system certificates; these CSRs are then used to issue the system certificates via CMC. The second step takes the issued system certificates and completes the subsystem installation.
Description

Christina Fu, 2017-06-23 18:08:46 UTC

Note that the CMC system cert enrollment profiles have been pushed to Dogtag master. See usage info here: http://pki.fedoraproject.org/wiki/PKI_10.4_CMC_Feature_Update_(RFC5272)#Examples_.28System_Certificates.29

---

Fixed in master:

* https://github.com/dogtagpki/pki/commit/959db34796b4ed29618d3479150f88ae6062f6e7
* https://github.com/dogtagpki/pki/commit/eeeb8e05745ab90abe2b322ebd6804cc5a0c45bd
* https://github.com/dogtagpki/pki/commit/3a7bfb28668076ed685f99ce67c4fab769204071
* https://github.com/dogtagpki/pki/commit/b98118f2776c38cb4a5d25ff39a65b2a474a0e00
* https://github.com/dogtagpki/pki/commit/d7fc48917736c271c7e3f7b9bc7172d82fa22de8

Docs:

* http://pki.fedoraproject.org/wiki/Installing_CA_with_External_CA_Signing_Certificate
* http://pki.fedoraproject.org/wiki/Installing_KRA_with_External_Certificates
* http://pki.fedoraproject.org/wiki/Installing_OCSP_with_External_Certificates

---

Test Environment:

```
rpm -qa pki-*
pki-tests-CoreOS-dogtag-aakkiang-test-rhcs-1.0.8.20170618003302-0.noarch
pki-console-10.5.1-2.el7pki.noarch
pki-server-10.5.1-4.el7.noarch
pki-ca-10.5.1-4.el7.noarch
pki-tests-pki-tests-dogtag-20151005152014.66e7821-0.noarch
pki-base-java-10.5.1-4.el7.noarch
pki-tps-10.5.1-4.el7pki.x86_64
pki-core-debuginfo-10.5.1-4.el7pki.x86_64
pki-javadoc-10.5.1-1.el7.noarch
pki-tests-CoreOS-dogtag-PKI_TEST_USER_ID-bbhavsar-1.0.8.RPM.IDENTIFIER-0.noarch
pki-symkey-10.5.1-4.el7.x86_64
pki-tks-10.5.1-4.el7pki.noarch
pki-tests-pki-tests-20150522165149.1561420-0.noarch
pki-tools-10.5.1-4.el7.x86_64
pki-ocsp-10.5.1-4.el7pki.noarch
pki-base-10.5.1-4.el7.noarch
pki-kra-10.5.1-4.el7.noarch
```

While testing for http://pki.fedoraproject.org/wiki/Installing_OCSP_with_External_Certificates I ran into https://bugzilla.redhat.com/show_bug.cgi?id=1520526. Please have a look.

---

Bug #1520526 has been fixed. Please retest when the build becomes available. Thanks.

---

Test Bits:

```
rpm -qa nss* pki-* jss*
pki-tools-10.5.1-6.el7.x86_64
pki-ocsp-10.5.1-6.el7pki.noarch
pki-javadoc-10.5.1-5.1.el7.noarch
pki-base-10.5.1-6.el7.noarch
pki-symkey-10.5.1-6.el7.x86_64
pki-server-10.5.1-6.el7.noarch
pki-kra-10.5.1-6.el7.noarch
pki-tks-10.5.1-6.el7pki.noarch
pki-console-10.4.1-7.el7pki.noarch
pki-core-debuginfo-10.5.1-5.1.el7pki.x86_64
jss-4.4.0-11.el7.x86_64
pki-base-java-10.5.1-6.el7.noarch
pki-ca-10.5.1-6.el7.noarch
pki-tps-10.5.1-6.el7pki.x86_64
```

Testing:

Test case 1: http://pki.fedoraproject.org/wiki/Installing_CA_with_External_CA_Signing_Certificate

This is tested with the HSM soft-token, because the Thales HSM is currently failing because of https://bugzilla.redhat.com/show_bug.cgi?id=1535797. Testing configs for ExternalCA with CMC are attached along with logs. After installation, verification is done by signing a caUserCert.

```
[root@csqa4-guest04 75_cfg_working]# pki -p 31080 -d /tmp/test -c SECret.123 -n "PKI CA Administrator" ca-cert-request-review 6 --action approve
WARNING: UNTRUSTED ISSUER encountered on 'CN=csqa4-guest04.idm.lab.eng.rdu.redhat.com,OU=pki-ExternalCA-gkapoor00,O=idm.lab.eng.rdu.redhat.com Security Domain' indicates a non-trusted CA cert 'CN=CA Signing Certificate,OU=pki-ExternalCA-gkapoor00,O=idm.lab.eng.rdu.redhat.com Security Domain'
Import CA certificate (Y/n)? Y
CA server URI [http://csqa4-guest04.idm.lab.eng.rdu.redhat.com:8080/ca]: http://csqa4-guest04.idm.lab.eng.rdu.redhat.com:31080/ca
------------------------------
Approved certificate request 6
------------------------------
  Request ID: 6
  Type: enrollment
  Request Status: complete
  Operation Result: success
  Certificate ID: 0x6

pki -p 31080 -d /tmp/test -c SECret.123 -n "PKI CA Administrator" ca-user-find
-----------------
3 entries matched
-----------------
  User ID: CA-csqa4-guest04.idm.lab.eng.rdu.redhat.com-31443
  Full name: CA-csqa4-guest04.idm.lab.eng.rdu.redhat.com-31443

  User ID: caadmin
  Full name: caadmin

  User ID: pkidbuser
  Full name: pkidbuser
----------------------------
Number of entries returned 3
----------------------------
```

Test Case 2: http://pki.fedoraproject.org/wiki/Installing_OCSP_with_External_Certificates

Currently it is failing during OCSP installation: https://bugzilla.redhat.com/show_bug.cgi?id=1540687. If I find some time I will try to debug it more.

Test Case 3: http://pki.fedoraproject.org/wiki/Installing_KRA_with_External_Certificates

Since this part was tested by Akshay, I will let him update the status on this.

---

Testing is done as mentioned above in comment 8, but there are a few failures for which bugs have been raised. Without testing the below, we can't consider testing complete for this feature.

1. https://bugzilla.redhat.com/show_bug.cgi?id=1540687
2. https://bugzilla.redhat.com/show_bug.cgi?id=1544843

---

KRA is tested based on the CC setup instructions.

---

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0925

---

The information has already been provided.