Bug 1656297
Summary: | Unable to install with admin-generated keys [rhel-7.6.z] | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | RAD team bot copy to z-stream <autobot-eus-copy> |
Component: | pki-core | Assignee: | Endi Sukma Dewata <edewata> |
Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang> |
Severity: | high | Docs Contact: | Marc Muehlfeld <mmuehlfe> |
Priority: | high | | |
Version: | 7.5 | CC: | aakkiang, cpelland, edewata, lmiksik, mharmsen, msauton, rpattath |
Target Milestone: | rc | Keywords: | TestCaseProvided, ZStream |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Fixed In Version: | pki-core-10.5.9-8.el7_6 | Doc Type: | Enhancement |
Doc Text: | Previously, during a Certificate System installation, the pkispawn utility only supported creating new keys and importing existing keys for system certificates. With this enhancement, pkispawn now supports using keys the administrator generates directly in the NSS database during certificate authority (CA), key recovery authority (KRA), and online certificate status protocol (OCSP) installations. | | |
Clone Of: | 1616134 | Environment: | |
Last Closed: | 2019-01-29 17:21:57 UTC | Type: | --- |
Bug Depends On: | 1616134 | | |
Description
RAD team bot copy to z-stream
2018-12-05 07:53:56 UTC
Test Procedure: See https://bugzilla.redhat.com/show_bug.cgi?id=1616134#c5

DOGTAG_10_5_9_RHEL_BRANCH:

commit 0115c05727962dac2bdb3865388144315719a0b0
Author: Endi S. Dewata <edewata>
Date: Fri Aug 24 03:36:15 2018 +0200

    Added docs for installation with custom keys

    https://pagure.io/dogtagpki/issue/3053

    Change-Id: I8f8fdbb7cc1888092bd7ba686a626137113ed2d5
    (cherry picked from commit a8405a1f8bd4c3fd10213725a32da0419e622252)

commit 4886a7f4fa3678cd26c7c38c5140784dc53b76b5
Author: Endi S. Dewata <edewata>
Date: Tue Oct 2 18:11:43 2018 +0200

    Updated pki-server subsystem-cert-validate output

    The pki-server subsystem-cert-validate CLI has been modified to
    show the actual message generated by NSS if the validation fails.

    (cherry picked from commit eb8baf8b51e3c897caddbc16df2fd226308a0876)

commit a3d27ed43b9c119cfaff100573d89c2caa08e3b7
Author: Endi S. Dewata <edewata>
Date: Fri Sep 7 16:32:47 2018 +0200

    Fixed password generation in pkispawn

    Previously the NSS database passwords were generated in
    pkiparser.py. Under certain scenarios the password may be
    overwritten by a subsequent code in pkispawn.

    To avoid the problem the code that generates the NSS database
    passwords has been moved into the initialization scriptlet.

    https://pagure.io/dogtagpki/issue/3061

    Change-Id: Ieabfaea7465b615f214820d2ed877f4da589dadb
    (cherry picked from commit 9a984ee0a709645fe9b6044367ed28076692ee86)

commit ea9b582909d10d8f6c485860615319b6f6c31741
Author: Endi S. Dewata <edewata>
Date: Fri Aug 31 00:32:44 2018 +0200

    Renamed server NSS database parameters

    The following parameters have been renamed for consistency:
    * pki_database_path -> pki_server_database_path
    * pki_pin -> pki_server_database_password

    The old parameters are still usable but they have been deprecated.

    The pki_client_pin is redundant so it has been removed.

    https://pagure.io/dogtagpki/issue/3053

    Change-Id: I243a01b360f573a16a160e9a415f786e38681603
    (cherry picked from commit 80defb1b7602eb59f5ee817a76acac86490ce853)

commit 6c7079adf8878a2c799cd716c3df9ec75816accd
Author: Endi S. Dewata <edewata>
Date: Thu Aug 23 06:10:44 2018 +0200

    Fixed pki client-cert-import to accept PKCS #7 CA cert chain

    The NSSDatabase.add_cert() has been modified to accept both
    single certificates and PKCS #7 certificate chains in PEM format.

    The pki client-cert-import has been modified to support importing
    CA cert chain in PKCS #7 format.

    The Cert.parseCertificate() has been modified to parse PKCS #7
    cert chain properly.

    https://pagure.io/dogtagpki/issue/3053

    Change-Id: Ibeffcfa4915638df7b13a0cb6deb8c4afc775ca1
    (cherry picked from commit 9cef57869f01e89653331c0e22c9d3bacf7744ce)

commit e3b8099fb20b6806020bab1a1687340da643eacf
Author: Endi S. Dewata <edewata>
Date: Tue Aug 21 20:01:30 2018 +0200

    Fixed messages for installation with custom keys

    The pkispawn has been modified to display the proper message for
    installation with custom keys where the CSRs will not be generated.

    https://pagure.io/dogtagpki/issue/3053

    Change-Id: Ibd0ae62c88c2b10520231de3e485e305c715218c
    (cherry picked from commit e50f3b0b6034c2c18a0775f2e91fd2e5ea21678f)

commit e2563b186203e5e89d281ff5c39ca182f62cfefa
Author: Endi S. Dewata <edewata>
Date: Tue Aug 21 01:03:11 2018 +0200

    Added support for installation with custom CSRs

    The installation code has been modified to import custom CSRs for
    KRA and OCSP system certificates if provided. The CA installation
    already supports this functionality.

    https://pagure.io/dogtagpki/issue/3053

    Change-Id: Ic6a7a462bf07f2ca07275a01fc04b8d194005188
    (cherry picked from commit 88271a9b3d829669fb997ee6158081da18faed97)

commit b9867142f4971a98b6c79ba16788db8829dfd79d
Author: Endi S. Dewata <edewata>
Date: Mon Aug 20 23:14:25 2018 +0200

    Removed default CSR paths

    The default.cfg has been modified to remove default CSR paths.

    The verify_predefined_configuration_file_data() has been modified
    to no longer require CSR path parameters in the first step of
    external CA scenario.

    https://pagure.io/dogtagpki/issue/3053

    Change-Id: Idef6849b8bd7ee00d13151e0de10357a1f1d9ef2
    (cherry picked from commit f3dc6c79370d8b57362272c40bd9f67aaf791710)

commit 2a0d9c8c8ee7333198a8f5cb09c988eeeb3d528f
Author: Endi S. Dewata <edewata>
Date: Wed Aug 22 00:02:03 2018 +0200

    Updated pki.nssdb to support multiple CSR delimiters types

    The pki.nssdb module has been modified to support both standard
    and legacy CSR delimiters as defined in RFC 7468.

    https://pagure.io/dogtagpki/issue/3053

    Change-Id: I609d640a66357f5293ff3a565027c1a395a47db7
    (cherry picked from commit 8bf25507886c446594fa1bd82e3040ab79b271b3)

CA, KRA, OCSP and KRA installation with admin generated keys for RSA and ECC is successful. Marking the bug verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0168