Bug 1554726
| Summary: | Need ECC-specific Enrollment Profiles for standard conformance [rhel-7.5.z] | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Oneata Mircea Teodor <toneata> |
| Component: | pki-core | Assignee: | Christina Fu <cfu> |
| Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang> |
| Severity: | urgent | Docs Contact: | Marc Muehlfeld <mmuehlfe> |
| Priority: | urgent | ||
| Version: | 7.6 | CC: | akahat, cfu, dsirrine, edewata, mharmsen, msauton |
| Target Milestone: | rc | Keywords: | TestCaseProvided, ZStream |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | pki-core-10.5.1-11.el7 | Doc Type: | Bug Fix |
| Doc Text: |
Previously, Certificate System used the same enrollment profiles for issuing RSA and ECC certificates. As a consequence, the key usage extension in issued certificates did not meet the Common Criteria standard. This update adds ECC-specific enrollment profiles where the key usage extension for TLS server and client certificates are different as described in RFC 6960. Additionally, the update changes existing profiles to issue only RSA certificates. As a result, the key usage extension in ECC certificates now meets the Common Criteria standard.
|
Story Points: | --- |
| Clone Of: | 1550739 | Environment: | |
| Last Closed: | 2018-06-26 16:47:58 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1550739, 1560225 | ||
| Bug Blocks: | |||
|
Description
Oneata Mircea Teodor
2018-03-13 08:56:57 UTC
cherry picked from commit 27cf99efe1e52249f226db24ef28b0990a654dd5 doc text was copied from: https://bugzilla.redhat.com/show_bug.cgi?id=1550739 commit 3e0f7dfac7c8ba0859aad6a082eb1659631e2620 (HEAD -> DOGTAG_10_5_BRANCH, origin/DOGTAG_10_5_BRANCH)
Author: Christina Fu <cfu>
Date: Thu Mar 29 09:59:02 2018 -0700
quick fix on wrong keyType in profile
Change-Id: I0fa90ebb559e0fb8af123191f7bc7cdedbc55d87
(cherry picked from commit 995682153e10393dc46f16090c26f28ca1b6cfc6)
commit 3e0f7dfac7c8ba0859aad6a082eb1659631e2620 (HEAD -> DOGTAG_10_5_BRANCH, origin/DOGTAG_10_5_BRANCH)
Author: Christina Fu <cfu>
Date: Thu Mar 29 09:59:02 2018 -0700
quick fix on wrong keyType in profile
Change-Id: I0fa90ebb559e0fb8af123191f7bc7cdedbc55d87
(cherry picked from commit 995682153e10393dc46f16090c26f28ca1b6cfc6)
commit 7b5a899e3d237e2be3bc1c7d9e4dd7613cdd9f24
Author: Christina Fu <cfu>
Date: Thu Mar 29 09:59:02 2018 -0700
quick fix on wrong keyType in profile
Change-Id: I0fa90ebb559e0fb8af123191f7bc7cdedbc55d87
(cherry picked from commit 995682153e10393dc46f16090c26f28ca1b6cfc6)
(cherry picked from commit 3e0f7dfac7c8ba0859aad6a082eb1659631e2620)
that sounds fine. thanks. I tested this BZ with pki 10.5.1-11.el7 version. It working as expected. Verifying this bug. *** Bug 1418693 has been marked as a duplicate of this bug. *** Testing procedure: * For installation, courtesy of Matt: http://pki.fedoraproject.org/wiki/PKI_10.5_Pkispawn_ECC_Profile_Workaround * For other profiles, just make sure the new or changed profiles are exercised. For example, for the CMC profiles (new or changed), just put that into the HttpClient config file under servlet. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:1979 |