Bug 1550742

Summary: Address ECC profile overrides
Product: Red Hat Enterprise Linux 7 Reporter: Christina Fu <cfu>
Component: pki-coreAssignee: Christina Fu <cfu>
Status: CLOSED ERRATA QA Contact: Asha Akkiangady <aakkiang>
Severity: urgent Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: urgent    
Version: 7.6CC: akahat, edewata, mharmsen, mmuehlfe, msauton
Target Milestone: rcKeywords: ZStream
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: pki-core-10.5.9-2.el7 Doc Type: Enhancement
Doc Text:
Certificate System automatically applies ECC profiles when setting up root CA with ECC certificates This update enhances Certificate System to automatically apply ECC profiles when setting up a new root CA with ECC profiles using the *pkispawn* utility. As a result, administrators no longer have to set the profile overwrite parameters for ECC certificates as a workaround in the configuration file passed to *pkispawn* when setting up a root CA.
 Story Points: ---
Clone Of:
: 1596525 (view as bug list) Environment:
Last Closed: 2018-10-30 11:05:27 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1547802, 1596525    

Description Christina Fu 2018-03-01 23:38:36 UTC 
Description of problem:
During installation, pkispawn should distinguish RSA form ECC and point them to the respective set of enrollment profiles.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 3 Matthew Harmsen 2018-03-14 16:39:50 UTC 
This bug is meant to address the workaround documented at the following URL:

* http://pki.fedoraproject.org/wiki/PKI_10.5_Pkispawn_ECC_Profile_Workaround
Comment 4 Matthew Harmsen 2018-05-04 22:50:13 UTC 
 Per RHEL 7.5.z/7.6/8.0 Triage:  7.5.z
Comment 5 Christina Fu 2018-06-28 16:18:47 UTC 
https://review.gerrithub.io/c/dogtagpki/pki/+/417084

commit 9a8e54ab9a8f1192c240639c42f8a744160a8ef8 (HEAD -> master, origin/master, origin/HEAD, ticket-2959-pkispawn-EC-profiles-master)
Author: Christina Fu <cfu>
Date:   Wed Jun 27 15:04:57 2018 -0700

    Ticket #2959 Address pkispawn ECC profile overrides
    
    This patch enables proper ECC profiles to be automatically applied during
    pkispawn.
    
    This patch would eliminate the need for the workaround documented here:
    http://www.dogtagpki.org/wiki/PKI_10.5_Pkispawn_ECC_Profile_Workaround
    
    The idea is to use the % replacement strings as part of the profile names
    in the default.cfg file for pkispawn,
    and change the profile names to mach the format. So for example:
    
    %(pki_admin_key_type)AdminCert.profile
    
    would either be translated to rsaAdminCert.profile or eccAdminCert.profile
    depending  on the value in pki_admin_key_type
    
    fixes https://pagure.io/dogtagpki/issue/2959
Comment 8 Amol K 2018-08-14 05:57:50 UTC 
I tested this Bugzilla on 10.5.9-4.el7 version.

I tried it without a workaround. During the pkispawn it distinguishes between the RSA and EC profiles. 

After the successful installation, I'm able to see the admin, subsystem and Server certificate is generated as per the admin key type.

This Bugzilla working as expected.

Verifying this Bugzilla.
Comment 10 errata-xmlrpc 2018-10-30 11:05:27 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3195