Bug 1581135
Summary: | SAN in internal SSL server certificate in pkispawn configuration step [rhel-7.5.z] | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Oneata Mircea Teodor <toneata> |
Component: | pki-core | Assignee: | Christina Fu <cfu> |
Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang> |
Severity: | high | Docs Contact: | Marc Muehlfeld <mmuehlfe> |
Priority: | high | ||
Version: | 7.6 | CC: | cfu, enewland, mharmsen, msauton, ssidhaye |
Target Milestone: | rc | Keywords: | FutureFeature, TestCaseProvided, ZStream |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | pki-core-10.5.1-12.el7_5 | Doc Type: | Enhancement |
Doc Text: |
With this update, Certificate System adds the Subject Alternative Name (SAN) extension by default to server certificates and sets it to the Common Name (CN) of the certificate.
|
Story Points: | --- |
Clone Of: | 1562423 | Environment: | |
Last Closed: | 2018-06-26 16:47:59 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1562423 | ||
Bug Blocks: |
Description
Oneata Mircea Teodor
2018-05-22 08:33:49 UTC
Christina Fu 2018-05-18 21:35:12 EDT Test Procedure: * Install a CA (with single step pkispawn is good): When complete, check that its SSL server cert bears the Subject Alternative Name (SAN) extension that matches the CN of the cert. * Install a KRA (on a separate Tomcat instance; (with single step pkispawn is good)): When complete, check that its SSL SSL server cert bears the Subject Alternative Name (SAN) extension that matches the CN of the cert. * You could test install another subsystem (e.g. subCA) and do the same check. It should be enough, as far as installation goes. * Since I changed all *Server* profiles (not limited to the *InternalAuthServerCert* ones), you can manually test those too. * Note that it appears that I have added the changes to the caCMC*server* ones previously. You could go through CMC enrollment procedure and check them as well. commit 7eae0d840c1b7494db2cea67744366fe409eafea (HEAD -> DOGTAG_10_5_BRANCH, ori gin/DOGTAG_10_5_BRANCH) Author: Christina Fu <cfu> Date: Thu May 17 19:36:10 2018 -0700 Ticket #2995 SAN in internal SSL server certificate in pkispawn configuratio n step This patch adds CommonNameToSANDefault to all server profiles so that SAN will be placed in server certs by default. For more flexible SAN or multi-value SAN, SubjectAltNameExtDefault will have to be used instead. fixes: https://pagure.io/dogtagpki/issue/2995 Change-Id: I66556f2cb8ed4e1cbe2d0949c5848c6978ea9641 Build used for verification: [root@pki1 ~]# rpm -qi pki-base Name : pki-base Version : 10.5.1 Release : 12.el7_5 Architecture: noarch Install Date: Thursday 24 May 2018 11:50:10 PM EDT Group : System Environment/Base Size : 2121862 License : GPLv2 Signature : (none) Source RPM : pki-core-10.5.1-12.el7_5.src.rpm Build Date : Wednesday 23 May 2018 11:58:47 AM EDT Build Host : ppc-021.build.eng.bos.redhat.com Relocations : (not relocatable) Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla> Vendor : Red Hat, Inc. URL : http://pki.fedoraproject.org/ Summary : Certificate System - PKI Framework Certificate information for CA Subject: CN=pki1.example.com,OU=topology-02-CA,O=topology-02_Foobarmaster.org Identifier: Subject Alternative Name - 2.5.29.17 Critical: no Value: DNSName: pki1.example.com =========================== Certificate information for KRA Subject: CN=pki1.example.com,OU=topology-02-KRA,O=topology-02_Foobarmaster.org Identifier: Subject Alternative Name - 2.5.29.17 Critical: no Value: DNSName: pki1.example.com ============================== Certificate information for Sub CA Subject: CN=pki1.example.com,OU=topology-02-Sub-CA,O=topology-02_Foobarmaster.org Identifier: Subject Alternative Name - 2.5.29.17 Critical: no Value: DNSName: pki1.example.com Certificate information using CMC enrollment: Subject: CN=nocp4.idm.lab.eng.rdu2.redhat.com,OU=pki-tomcate,O=mySecurityDomain Identifier: Subject Alternative Name - 2.5.29.17 Critical: no Value: DNSName: nocp4.idm.lab.eng.rdu2.redhat.com Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:1979 |