Bug 1581135

Summary: SAN in internal SSL server certificate in pkispawn configuration step [rhel-7.5.z]
Product: Red Hat Enterprise Linux 7
Reporter: Oneata Mircea Teodor <toneata>
Component: pki-core
Assignee: Christina Fu <cfu>
Status: CLOSED ERRATA
QA Contact: Asha Akkiangady <aakkiang>
Severity: high
Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: high
Version: 7.6
CC: cfu, enewland, mharmsen, msauton, ssidhaye
Target Milestone: rc
Keywords: FutureFeature, TestCaseProvided, ZStream
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: pki-core-10.5.1-12.el7_5
Doc Type: Enhancement
Doc Text:
With this update, Certificate System adds the Subject Alternative Name (SAN) extension by default to server certificates and sets it to the Common Name (CN) of the certificate.
Story Points: ---
Clone Of: 1562423
Environment:
Last Closed: 2018-06-26 16:47:59 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1562423
Bug Blocks:

Description Oneata Mircea Teodor 2018-05-22 08:33:49 UTC
This bug has been copied from bug #1562423 and has been proposed to be backported to 7.5 z-stream (EUS).

Comment 2 Matthew Harmsen 2018-05-22 14:25:29 UTC
 Christina Fu 2018-05-18 21:35:12 EDT

Test Procedure:

* Install a CA (with single step pkispawn is good): When complete, check that its SSL server cert bears the Subject Alternative Name (SAN) extension that matches the CN of the cert.

* Install a KRA (on a separate Tomcat instance; single step pkispawn is good): When complete, check that its SSL server cert bears the Subject Alternative Name (SAN) extension that matches the CN of the cert.

* You could test installing another subsystem (e.g. subCA) and do the same check.
It should be enough, as far as installation goes.

* Since I changed all *Server* profiles (not limited to the *InternalAuthServerCert* ones), you can manually test those too.

* Note that it appears that I have added the changes to the caCMC*server* ones previously.  You could go through CMC enrollment procedure and check them as well.
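
One way to automate the SAN-versus-CN check from this test procedure, as an added example that is not part of the bug report or of pki-core: a stdlib-only Python checker for the certificate text dump layout used in the verification comments (Subject line plus a "Subject Alternative Name - 2.5.29.17" block). The dump format handling, the regexes and the sample inputs are assumptions constructed for the example; the CA subject and DNSName values are the ones shown on this page.

```python
import re

# Constructed sample in the cert-dump layout the verification comments show
# (Subject line, then a SAN extension block); values match the page's CA cert.
CA_DUMP = """Subject: CN=pki1.example.com,OU=topology-02-CA,O=topology-02_Foobarmaster.org

Identifier: Subject Alternative Name - 2.5.29.17
    Critical: no
    Value:
        DNSName: pki1.example.com
"""
# Constructed pre-fix shape: same kind of subject, no SAN extension at all.
NO_SAN_DUMP = "Subject: CN=pki1.example.com,OU=topology-02-CA,O=Example\n"

SUBJECT_RE = re.compile(r"^Subject:\s*(.+?)\s*$", re.MULTILINE)
SAN_HDR_RE = re.compile(r"^Identifier: Subject Alternative Name - 2\.5\.29\.17", re.MULTILINE)
DNSNAME_RE = re.compile(r"^\s*DNSName:\s*(\S+)", re.MULTILINE)

def split_dn(dn):
    """Split a DN string on unescaped commas into (type, value) pairs."""
    return [tuple(p.strip().split("=", 1)) for p in re.split(r"(?<!\\),", dn) if "=" in p]

def common_name(dn):
    """Return the CN attribute value of a DN, or None when it has none."""
    for attr, value in split_dn(dn):
        if attr.upper() == "CN":
            return value
    return None

def san_dns_names(dump):
    """DNSName values listed under the SAN extension; [] when there is no SAN block."""
    hdr = SAN_HDR_RE.search(dump)
    if not hdr:
        return []
    block = dump[hdr.end():]
    nxt = re.search(r"^Identifier:", block, re.MULTILINE)  # stop at the next extension
    return DNSNAME_RE.findall(block[:nxt.start()] if nxt else block)

def san_matches_cn(dump):
    """True iff the subject CN appears (case-insensitively) among the SAN DNSNames."""
    subj = SUBJECT_RE.search(dump)
    cn = common_name(subj.group(1)) if subj else None
    if not cn:
        return False
    return cn.lower() in {n.lower() for n in san_dns_names(dump)}

if __name__ == "__main__":
    for label, dump in (("fixed build", CA_DUMP), ("no SAN", NO_SAN_DUMP)):
        print(f"{label}: SAN covers CN -> {san_matches_cn(dump)}")
```

A cert whose SAN is present but lists a different DNSName than the CN also fails the check, which is the case the CommonNameToSANDefault profile default is meant to rule out for the CN itself.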

Comment 3 Matthew Harmsen 2018-05-22 14:49:21 UTC
commit 7eae0d840c1b7494db2cea67744366fe409eafea (HEAD -> DOGTAG_10_5_BRANCH, origin/DOGTAG_10_5_BRANCH)
Author: Christina Fu <cfu>
Date:   Thu May 17 19:36:10 2018 -0700

    Ticket #2995 SAN in internal SSL server certificate in pkispawn configuration step
    
    This patch adds CommonNameToSANDefault to all server profiles so that
    SAN will be placed in server certs by default.
    For more flexible SAN or multi-value SAN, SubjectAltNameExtDefault
    will have to be used instead.
    
    fixes: https://pagure.io/dogtagpki/issue/2995
    
    Change-Id: I66556f2cb8ed4e1cbe2d0949c5848c6978ea9641

Comment 7 Sumedh Sidhaye 2018-05-29 05:22:17 UTC
Build used for verification:

[root@pki1 ~]# rpm -qi pki-base
Name        : pki-base
Version     : 10.5.1
Release     : 12.el7_5
Architecture: noarch
Install Date: Thursday 24 May 2018 11:50:10 PM EDT
Group       : System Environment/Base
Size        : 2121862
License     : GPLv2
Signature   : (none)
Source RPM  : pki-core-10.5.1-12.el7_5.src.rpm
Build Date  : Wednesday 23 May 2018 11:58:47 AM EDT
Build Host  : ppc-021.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - PKI Framework
Certificate information for CA

Subject: CN=pki1.example.com,OU=topology-02-CA,O=topology-02_Foobarmaster.org

Identifier: Subject Alternative Name - 2.5.29.17
    Critical: no 
    Value: 
        DNSName: pki1.example.com


===========================


Certificate information for KRA

Subject: CN=pki1.example.com,OU=topology-02-KRA,O=topology-02_Foobarmaster.org

Identifier: Subject Alternative Name - 2.5.29.17
    Critical: no 
    Value: 
        DNSName: pki1.example.com


==============================


Certificate information for Sub CA

Subject: CN=pki1.example.com,OU=topology-02-Sub-CA,O=topology-02_Foobarmaster.org

Identifier: Subject Alternative Name - 2.5.29.17
    Critical: no 
    Value: 
        DNSName: pki1.example.com

Comment 8 Sumedh Sidhaye 2018-05-29 10:02:05 UTC
Certificate information using CMC enrollment:

Subject: CN=nocp4.idm.lab.eng.rdu2.redhat.com,OU=pki-tomcate,O=mySecurityDomain

Identifier: Subject Alternative Name - 2.5.29.17
    Critical: no 
    Value: 
        DNSName: nocp4.idm.lab.eng.rdu2.redhat.com

Comment 10 errata-xmlrpc 2018-06-26 16:47:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:1979