Bug 1859812
| Summary: | Certificates should have "Server Authentication" purpose in ExtendedKeyUsage, and "CA:TRUE" | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Martin Pitt <mpitt> |
| Component: | cockpit | Assignee: | Martin Pitt <mpitt> |
| Status: | CLOSED ERRATA | QA Contact: | Jan Ščotka <jscotka> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | --- | CC: | sgrubb |
| Target Milestone: | rc | Keywords: | Rebase |
| Target Release: | 8.3 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-11-04 01:53:29 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (cockpit bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:4511 |
Description of problem: According to Common Criteria, Server certificates presented for TLS shall have the Server Authentication· purpose (id-kp 1 with OID 1.3.6.1.5.5.7.3.1) in the extendedKeyUsage field. but our self-signed certificate does not have an EKU field, and not even a keyUsage. In addition, as it's a self-signed certificate it should probably also have X509v3 Basic Constraints: CA:TRUE as it acts as its own CA. CC'ing Steve Grubb for confirming. Compare this with sscg's certificates, which are much more complete. They are still missing EKU, though (see bug 1859810).