Bug 1588944

Summary: Cert validation for installation with external CA cert [rhel-7.5.z]
Product: Red Hat Enterprise Linux 7 Reporter: Oneata Mircea Teodor <toneata>
Component: pki-coreAssignee: Endi Sukma Dewata <edewata>
Status: CLOSED ERRATA QA Contact: Asha Akkiangady <aakkiang>
Severity: urgent Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: urgent    
Version: 7.6CC: edewata, ekeck, gkapoor, mharmsen
Target Milestone: rcKeywords: TestCaseProvided, ZStream
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: pki-core-10.5.1-13.1.el7_5 Doc Type: Bug Fix
Doc Text:
The *pkispawn* utility now validates the path to external CA certificates during installation Previously, during the installation of Certificate System using an external certificate authority certificate, the *pkispawn* utility did not validate the path to the certificate. If the path was incorrect, the following error was logged in the CA's debug log: CertInfoProfile: Unable to populate certificate: Unable to get ca certificate: Unable to initialize, java.io.IOException: DerInput.getLength(): lengthTag=9, too big. With this update, *pkispawn* validates the path to the certificate. As a result, *pkispawn* now reports a meaningful error message.
Story Points: ---
Clone Of: 1588655 Environment:
Last Closed: 2018-06-26 16:47:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1588655    
Bug Blocks:    

Description Oneata Mircea Teodor 2018-06-08 07:28:24 UTC
This bug has been copied from bug #1588655 and has been proposed to be backported to 7.5 z-stream (EUS).

Comment 2 Matthew Harmsen 2018-06-08 15:49:29 UTC
Endi Sukma Dewata 2018-06-07 12:52:42 EDT

The fix is already available in 10.5 branch:

Comment 5 Geetika Kapoor 2018-06-13 17:26:58 UTC
Test Env:

rpm -qa pki-*

Test Steps:

1. perform 2 step external CA installation procedure and make sure it works .
2. With any failures in csr, certificate (ca_signing or external certificate) correct error message is logged.

Comment 7 errata-xmlrpc 2018-06-26 16:47:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.