Bug 1656297

Summary: Unable to install with admin-generated keys [rhel-7.6.z]
Product: Red Hat Enterprise Linux 7
Reporter: RAD team bot copy to z-stream <autobot-eus-copy>
Component: pki-core
Assignee: Endi Sukma Dewata <edewata>
Status: CLOSED ERRATA
QA Contact: Asha Akkiangady <aakkiang>
Severity: high
Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: high
Version: 7.5
CC: aakkiang, cpelland, edewata, lmiksik, mharmsen, msauton, rpattath
Target Milestone: rc
Keywords: TestCaseProvided, ZStream
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: pki-core-10.5.9-8.el7_6
Doc Type: Enhancement
Doc Text:
Previously, during a Certificate System installation, the pkispawn utility only supported creating new keys and importing existing keys for system certificates. With this enhancement, pkispawn now supports using keys the administrator generates directly in the NSS database during certificate authority (CA), key recovery authority (KRA), and online certificate status protocol (OCSP) installations.
Story Points: ---
Clone Of: 1616134
Environment:
Last Closed: 2019-01-29 17:21:57 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1616134
Bug Blocks:

Description RAD team bot copy to z-stream 2018-12-05 07:53:56 UTC
This bug has been copied from bug #1616134 and has been proposed to be backported to 7.6 z-stream (EUS).

Comment 2 Matthew Harmsen 2018-12-05 15:42:13 UTC
Test Procedure:

See https://bugzilla.redhat.com/show_bug.cgi?id=1616134#c5

Comment 3 Matthew Harmsen 2018-12-05 19:11:00 UTC
DOGTAG_10_5_9_RHEL_BRANCH:

commit 0115c05727962dac2bdb3865388144315719a0b0
Author: Endi S. Dewata <edewata>
Date:   Fri Aug 24 03:36:15 2018 +0200

    Added docs for installation with custom keys
    
    https://pagure.io/dogtagpki/issue/3053
    
    Change-Id: I8f8fdbb7cc1888092bd7ba686a626137113ed2d5
    (cherry picked from commit a8405a1f8bd4c3fd10213725a32da0419e622252)

commit 4886a7f4fa3678cd26c7c38c5140784dc53b76b5
Author: Endi S. Dewata <edewata>
Date:   Tue Oct 2 18:11:43 2018 +0200

    Updated pki-server subsystem-cert-validate output
    
    The pki-server subsystem-cert-validate CLI has been modified to
    show the actual message generated by NSS if the validation fails.
    
    (cherry picked from commit eb8baf8b51e3c897caddbc16df2fd226308a0876)

commit a3d27ed43b9c119cfaff100573d89c2caa08e3b7
Author: Endi S. Dewata <edewata>
Date:   Fri Sep 7 16:32:47 2018 +0200

    Fixed password generation in pkispawn
    
    Previously the NSS database passwords were generated in
    pkiparser.py. Under certain scenarios the password may be
    overwritten by a subsequent code in pkispawn. To avoid the
    problem the code that generates the NSS database passwords
    has been moved into the initialization scriptlet.
    
    https://pagure.io/dogtagpki/issue/3061
    
    Change-Id: Ieabfaea7465b615f214820d2ed877f4da589dadb
    (cherry picked from commit 9a984ee0a709645fe9b6044367ed28076692ee86)

commit ea9b582909d10d8f6c485860615319b6f6c31741
Author: Endi S. Dewata <edewata>
Date:   Fri Aug 31 00:32:44 2018 +0200

    Renamed server NSS database parameters
    
    The following parameters have been renamed for consistency:
    * pki_database_path -> pki_server_database_path
    * pki_pin -> pki_server_database_password
    
    The old parameters are still usable but they have been
    deprecated.
    
    The pki_client_pin is redundant so it has been removed.
    
    https://pagure.io/dogtagpki/issue/3053
    
    Change-Id: I243a01b360f573a16a160e9a415f786e38681603
    (cherry picked from commit 80defb1b7602eb59f5ee817a76acac86490ce853)

commit 6c7079adf8878a2c799cd716c3df9ec75816accd
Author: Endi S. Dewata <edewata>
Date:   Thu Aug 23 06:10:44 2018 +0200

    Fixed pki client-cert-import to accept PKCS #7 CA cert chain
    
    The NSSDatabase.add_cert() has been modified to accept both single
    certificates and PKCS #7 certificate chains in PEM format.
    
    The pki client-cert-import has been modified to support importing
    CA cert chain in PKCS #7 format.
    
    The Cert.parseCertificate() has been modified to parse PKCS #7
    cert chain properly.
    
    https://pagure.io/dogtagpki/issue/3053
    
    Change-Id: Ibeffcfa4915638df7b13a0cb6deb8c4afc775ca1
    (cherry picked from commit 9cef57869f01e89653331c0e22c9d3bacf7744ce)

commit e3b8099fb20b6806020bab1a1687340da643eacf
Author: Endi S. Dewata <edewata>
Date:   Tue Aug 21 20:01:30 2018 +0200

    Fixed messages for installation with custom keys
    
    The pkispawn has been modified to display the proper message
    for installation with custom keys where the CSRs will not be
    generated.
    
    https://pagure.io/dogtagpki/issue/3053
    
    Change-Id: Ibd0ae62c88c2b10520231de3e485e305c715218c
    (cherry picked from commit e50f3b0b6034c2c18a0775f2e91fd2e5ea21678f)

commit e2563b186203e5e89d281ff5c39ca182f62cfefa
Author: Endi S. Dewata <edewata>
Date:   Tue Aug 21 01:03:11 2018 +0200

    Added support for installation with custom CSRs
    
    The installation code has been modified to import custom
    CSRs for KRA and OCSP system certificates if provided. The
    CA installation already supports this functionality.
    
    https://pagure.io/dogtagpki/issue/3053
    
    Change-Id: Ic6a7a462bf07f2ca07275a01fc04b8d194005188
    (cherry picked from commit 88271a9b3d829669fb997ee6158081da18faed97)

commit b9867142f4971a98b6c79ba16788db8829dfd79d
Author: Endi S. Dewata <edewata>
Date:   Mon Aug 20 23:14:25 2018 +0200

    Removed default CSR paths
    
    The default.cfg has been modified to remove default CSR paths.
    
    The verify_predefined_configuration_file_data() has been modified
    to no longer require CSR path parameters in the first step of
    external CA scenario.
    
    https://pagure.io/dogtagpki/issue/3053
    
    Change-Id: Idef6849b8bd7ee00d13151e0de10357a1f1d9ef2
    (cherry picked from commit f3dc6c79370d8b57362272c40bd9f67aaf791710)

commit 2a0d9c8c8ee7333198a8f5cb09c988eeeb3d528f
Author: Endi S. Dewata <edewata>
Date:   Wed Aug 22 00:02:03 2018 +0200

    Updated pki.nssdb to support multiple CSR delimiter types
    
    The pki.nssdb module has been modified to support both standard
    and legacy CSR delimiters as defined in RFC 7468.
    
    https://pagure.io/dogtagpki/issue/3053
    
    Change-Id: I609d640a66357f5293ff3a565027c1a395a47db7
    (cherry picked from commit 8bf25507886c446594fa1bd82e3040ab79b271b3)
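
The commits above describe two parsing requirements for an installation with admin-generated keys: the CSR reader must accept both the RFC 7468 label "CERTIFICATE REQUEST" and the legacy "NEW CERTIFICATE REQUEST" label, and the certificate importer must tell a single PEM certificate apart from a PKCS #7 chain. The following is an added example written for this page, not Dogtag's pki.nssdb module or its NSSDatabase.add_cert(); the function names (parse_pem, classify, load_csr, to_pem, normalize_csr, parse_error) are assumptions, and the sample DER bytes are constructed placeholders rather than real certificates or requests. It shows a reader that accepts both delimiter styles, rejects a block whose BEGIN and END labels disagree, and re-emits a legacy-labelled CSR with the standard label.

```python
"""PEM reader accepting standard and legacy RFC 7468 labels (added example)."""
import binascii
import re
from base64 import b64decode, b64encode
from typing import List, Tuple

# RFC 7468 section 7: "CERTIFICATE REQUEST" is the label to generate;
# "NEW CERTIFICATE REQUEST" is the legacy label a reader should still accept.
STANDARD_CSR_LABEL = "CERTIFICATE REQUEST"
LEGACY_CSR_LABEL = "NEW CERTIFICATE REQUEST"
CSR_LABELS = {STANDARD_CSR_LABEL, LEGACY_CSR_LABEL}
# RFC 7468 section 5.1: "X509 CERTIFICATE" is a legacy label parsers MAY accept.
CERT_LABELS = {"CERTIFICATE", "X509 CERTIFICATE"}
# RFC 7468 section 8: PKCS #7 / CMS bundles (a CA cert chain arrives this way).
PKCS7_LABELS = {"PKCS7", "CMS"}

# Base64 never contains '-', so the body ends at the first dash of "-----END".
_PEM_RE = re.compile(
    r"-----BEGIN (?P<begin>[A-Z0-9 ]+?)-----"
    r"(?P<body>[^-]*)"
    r"-----END (?P<end>[A-Z0-9 ]+?)-----"
)


def parse_pem(text: str) -> List[Tuple[str, bytes]]:
    """Return (label, DER bytes) for every block; fail closed on malformed input."""
    blocks = []
    for m in _PEM_RE.finditer(text):
        begin, end = m.group("begin"), m.group("end")
        if begin != end:
            raise ValueError(f"mismatched PEM labels: BEGIN {begin} / END {end}")
        body = "".join(m.group("body").split())  # drop line breaks
        try:
            der = b64decode(body, validate=True)  # reject non-alphabet characters
        except binascii.Error as exc:
            raise ValueError(f"invalid base64 in {begin} block") from exc
        if not der:
            raise ValueError(f"empty {begin} block")
        blocks.append((begin, der))
    if not blocks:
        raise ValueError("no PEM blocks found")
    return blocks


def classify(label: str) -> str:
    """Map a PEM label to the import path it should take."""
    if label in CSR_LABELS:
        return "csr"
    if label in CERT_LABELS:
        return "cert"
    if label in PKCS7_LABELS:
        return "pkcs7"
    return "unknown"


def load_csr(text: str) -> bytes:
    """Return the DER of the single CSR in text, whichever label it uses."""
    csrs = [der for label, der in parse_pem(text) if label in CSR_LABELS]
    if len(csrs) != 1:
        raise ValueError(f"expected exactly one CSR, found {len(csrs)}")
    return csrs[0]


def to_pem(label: str, der: bytes) -> str:
    """Encode DER with the given label, 64 base64 characters per line."""
    b64 = b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]) + "\n"


def normalize_csr(text: str) -> str:
    """Re-emit a (possibly legacy-labelled) CSR with the standard label."""
    return to_pem(STANDARD_CSR_LABEL, load_csr(text))


def parse_error(text: str) -> str:
    """Return the parser's rejection message, or '' when the input is accepted."""
    try:
        parse_pem(text)
        return ""
    except ValueError as exc:
        return str(exc)


# Constructed placeholder DER bytes: not real certificates or requests.
FAKE_CSR_DER = bytes(range(200))
FAKE_CERT_DER = b"\x30\x05\x02\x03\x01\x00\x01"
LEGACY_CSR_PEM = to_pem(LEGACY_CSR_LABEL, FAKE_CSR_DER)
STANDARD_CSR_PEM = to_pem(STANDARD_CSR_LABEL, FAKE_CSR_DER)
# Constructed bundle: a CA certificate followed by a legacy-labelled CSR.
MIXED_PEM = to_pem("CERTIFICATE", FAKE_CERT_DER) + LEGACY_CSR_PEM
# Constructed malformed input: BEGIN and END labels disagree.
MISMATCHED_PEM = LEGACY_CSR_PEM.replace(
    f"-----END {LEGACY_CSR_LABEL}-----", f"-----END {STANDARD_CSR_LABEL}-----")

if __name__ == "__main__":
    for label, der in parse_pem(MIXED_PEM):
        print(f"{label!r:32} -> {classify(label)} ({len(der)} DER bytes)")
    print(normalize_csr(LEGACY_CSR_PEM).splitlines()[0])
    print("mismatched input rejected:", parse_error(MISMATCHED_PEM))
```

The label check matters in practice: a tool that keys only on "-----BEGIN" and ignores the END line will happily splice two files together, so mismatched delimiters are treated as an error rather than silently accepted.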

Comment 7 Asha Akkiangady 2019-01-18 18:41:27 UTC
CA, KRA, OCSP and KRA installation with admin generated keys for RSA and ECC is successful.

Marking the bug verified.

Comment 9 errata-xmlrpc 2019-01-29 17:21:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0168