Bug 1579384
| Summary: | [RFE] add check for key usage Key Encipherment to katello-certs-check | ||
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Paul Dudley <pdudley> |
| Component: | Certificates | Assignee: | Chris Roberts <chrobert> |
| Status: | CLOSED ERRATA | QA Contact: | Nikhil Kathole <nkathole> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.3.1 | CC: | bkearney, cdonnell, chrobert, jhutar, nkathole, pcreech, pdudley |
| Target Milestone: | 6.4.0 | Keywords: | FutureFeature, PrioBumpGSS |
| Target Release: | Unused | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| URL: | https://projects.theforeman.org/issues/22598 | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-10-16 15:30:48 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Paul Dudley
2018-05-17 14:02:58 UTC
VERIFIED
Version tested:
Satellite 6.4 snap 17
# openssl x509 -text -in server.valid.crt -noout | grep -A1 "Key Usage"
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
Checking server certificate's encoding: [OK]
Checking expiration of certificate: [OK]
Checking expiration of CA bundle: [OK]
Checking if server cert has CA:TRUE flag[OK]
Validating the certificate subject= /C=IN/ST=Maharashtra/L=Pune/O=redhat/OU=QE/CN=xyz/emailAddress=administrator
Checking to see if the private key matches the certificate: [OK]
Checking ca bundle against the cert file: [OK]
Checking Subject Alt Name on certificate[OK]
Checking Key Usage extension on certificate for Key Encipherment[OK]
Validation succeeded.
To install the Katello main server with the custom certificates, run:
satellite-installer --scenario satellite\
--certs-server-cert "/root/server.valid.crt"\
--certs-server-key "/root/server.key"\
--certs-server-ca-cert "/root/rootCA.pem"
To update the certificates on a currently running Katello installation, run:
satellite-installer --scenario satellite\
--certs-server-cert "/root/server.valid.crt"\
--certs-server-key "/root/server.key"\
--certs-server-ca-cert "/root/rootCA.pem"\
--certs-update-server --certs-update-server-ca
To use them inside a NEW $FOREMAN_PROXY, run this command:
capsule-certs-generate --foreman-proxy-fqdn "$FOREMAN_PROXY"\
--certs-tar "~/$FOREMAN_PROXY-certs.tar"\
--server-cert "/root/server.valid.crt"\
--server-key "/root/server.key"\
--server-ca-cert "/root/rootCA.pem"\
To use them inside an EXISTING $FOREMAN_PROXY, run this command INSTEAD:
capsule-certs-generate --foreman-proxy-fqdn "$FOREMAN_PROXY"\
--certs-tar "~/$FOREMAN_PROXY-certs.tar"\
--server-cert "/root/server.valid.crt"\
--server-key "/root/server.key"\
--server-ca-cert "/root/rootCA.pem"\
--certs-update-server
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:2927 |