Bug 1849834
Summary: [RFE] Provide EST Responder (RFC 7030)

| Field | Value |
|---|---|
| Product | Red Hat Enterprise Linux 9 |
| Component | pki-core |
| Version | 9.0 |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Reporter | Marc Sauton <msauton> |
| Assignee | Marco Fargetta <mfargett> |
| QA Contact | idm-cs-qe-bugs |
| Docs Contact | Jana Heves <jsvarova> |
| CC | aakkiang, ckelley, czinda, dcain, edewata, fdelehay, ftweedal, jsvarova, mfargett, mharmsen, parmstro, pasik, pcech, skhandel, tvvcox, vashirov, vvanhaft, william.caban |
| Target Milestone | rc |
| Target Release | 9.1 |
| Keywords | FutureFeature, Triaged |
| Hardware | All |
| OS | Linux |
| Fixed In Version | pki-core-11.3.0-0.2.beta1.el9 |
| Doc Type | Enhancement |
| Type | Feature Request |
| Last Closed | 2023-05-09 07:43:41 UTC |
| Bug Blocks | 2184522, 2142893 |

Doc Text:

.Red Hat IdM and Certificate System now support the EST protocol

Enrollment over Secure Transport (EST) is a new Certificate System subsystem feature that is specified in RFC 7030 and it is used to provision certificates from a Certificate Authority (CA). EST implements the server side of the operation, such as `/getcacerts`, `/simpleenroll`, and `/simplereenroll`.

Note that Red Hat supports both EST and the original Simple Certificate Enrollment Protocol (SCEP) in Certificate System.

Description
Marc Sauton
2020-06-22 23:03:35 UTC
Upstream ticket: https://pagure.io/dogtagpki/issue/3180

Moving from RHEL 8 to RHEL 9 as SCEP over EST is not a priority for RHEL 8.

Following up Comment 22...

> I also couldn't enroll Cisco CSR 1000v, I suspect it also sends CSR request with PEM headers, but need to do traffic analysis to be 100% sure.

The RFC is fairly clear about the expected format (base64-encoded DER, with or without wrapping, but without PEM header). But let's check what the Cisco thing actually sends. If it is indeed PEM, then we can (reluctantly) modify the server to accept this case.

Regarding reenroll auth failures, we should pair and work through that together.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: pki-core security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:2293
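
The request-body format question raised in the comments above (base64-encoded DER, wrapped or not, versus a CSR sent with PEM headers) can be checked with a small classifier. This is an added example, not code from Dogtag PKI or from the bug thread; the function names and the placeholder DER blob are assumptions made for illustration.

```python
import base64
import binascii
import re

# PEM armour some clients put around the CSR (both common label spellings).
PEM_RE = re.compile(
    rb"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.*?)"
    rb"-----END (?:NEW )?CERTIFICATE REQUEST-----", re.DOTALL)

# Constructed placeholder: a well-formed DER SEQUENCE (206 bytes), NOT a real PKCS#10 CSR.
SAMPLE_DER = b"\x30\x81\xcb" + b"\x04\x81\xc8" + bytes(200)

def outer_sequence_ok(der: bytes) -> bool:
    """True if der is exactly one SEQUENCE whose encoded length matches its size."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                          # short-form length
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F                          # long form: n length octets follow
    if not 1 <= n <= 4 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def classify_csr_body(body: bytes):
    """Return (kind, der); kind is 'base64-der' or 'pem'. Raise ValueError otherwise."""
    m = PEM_RE.search(body)
    kind, payload = ("pem", m.group(1)) if m else ("base64-der", body)
    compact = b"".join(payload.split())        # line wrapping is allowed in both forms
    try:
        der = base64.b64decode(compact, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid base64: {exc}") from None
    if not outer_sequence_ok(der):
        raise ValueError("decoded body is not a single DER SEQUENCE")
    return kind, der

if __name__ == "__main__":
    wrapped = base64.encodebytes(SAMPLE_DER)   # base64 with a newline every 76 chars
    pem = (b"-----BEGIN CERTIFICATE REQUEST-----\n" + wrapped +
           b"-----END CERTIFICATE REQUEST-----\n")
    for name, body in [("unwrapped", base64.b64encode(SAMPLE_DER)),
                       ("wrapped", wrapped), ("pem", pem), ("raw DER", SAMPLE_DER)]:
        try:
            print(name, "->", classify_csr_body(body)[0])
        except ValueError as exc:
            print(name, "-> rejected:", exc)
```

Returning the kind alongside the decoded DER lets a server that tolerates PEM-wrapped requests still log which clients send the nonconforming form.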