Bug 2042448

Summary: Creation of self-signed certificates in FIPS mode fails
Product: Red Hat Enterprise Linux 9
Reporter: Alicja Kario <hkario>
Component: openssl
Assignee: Dmitry Belyavskiy <dbelyavs>
Status: CLOSED DUPLICATE
QA Contact: Alicja Kario <hkario>
Severity: medium
Priority: medium
Version: 9.0
CC: dbelyavs, jpazdziora, sahana
Target Milestone: rc
Keywords: Triaged
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openssl-3.0.1-4.el9
Doc Type: No Doc Update
Last Closed: 2022-05-18 13:18:26 UTC
Type: Bug

Description (Alicja Kario, 2022-01-19 14:34:34 UTC):
Description of problem:
Creating self-signed certificates in FIPS mode fails with the openssl req command.

Version-Release number of selected component (if applicable):
openssl-3.0.1-1.el9.x86_64

How reproducible:
always

Steps to Reproduce:
1. Switch system to FIPS mode
2. openssl req -x509 -newkey rsa -keyout localhost.key -out localhost.crt -subj /CN=localhost -nodes -batch

Actual results:
-----
000C4878667F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (SHA1 : 91), Properties (<null>)
000C4878667F0000:error:11000080:X509 V3 routines:X509V3_EXT_nconf_int:error in extension:crypto/x509/v3_conf.c:52:name=subjectKeyIdentifier, value=hash

Expected results:
key and cert created

Additional info:
This is likely caused by the subjectKeyIdentifier and authorityKeyIdentifier extensions in the certificate, as they use SHA-1 (following the RFC recommendation).
The property query for this use should use "-fips", as it is not a security-critical use.
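As an added illustration (not part of the bug report or of OpenSSL), the following Python reproduces what the `hash` keyword computes for subjectKeyIdentifier on a constructed toy RSA key, and the RFC 7093 SHA-256 variant that fills the same role. The `usedforsecurity=False` argument is hashlib's analogue of the "-fips" property query the report proposes.

```python
# Added example (not part of the bug report): what "subjectKeyIdentifier = hash"
# computes.  RFC 5280 4.2.1.2 method (1) is SHA-1 over the subjectPublicKey BIT
# STRING contents; RFC 7093 method 1 is the leftmost 160 bits of SHA-256 over the
# same bytes.  The digest is only a lookup key matching a cert's SKI to its
# issuer's AKI, which is why the report argues it is not a security-critical use.
import hashlib


def der(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder; short-form lengths only (content < 128 bytes)."""
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content


def der_int(value: int) -> bytes:
    """DER INTEGER; (bit_length+8)//8 bytes keeps the sign bit clear for positives."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def read_tlv(buf: bytes, pos: int = 0):
    """Decode one TLV at pos (short-form length); return (tag, content, next_pos)."""
    tag, n = buf[pos], buf[pos + 1]
    assert n < 0x80, "long-form lengths not handled in this toy parser"
    return tag, buf[pos + 2:pos + 2 + n], pos + 2 + n


# Constructed toy key: n = 61*53, e = 17 (only exercises the encoding; far too
# small for real use).  OID 1.2.840.113549.1.1.1 is rsaEncryption.
RSA_PUBLIC_KEY_DER = der(0x30, der_int(3233) + der_int(17))
RSA_ENCRYPTION_ALG = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
SPKI_DER = der(0x30, RSA_ENCRYPTION_ALG + der(0x03, b"\x00" + RSA_PUBLIC_KEY_DER))


def subject_public_key(spki: bytes) -> bytes:
    """Return the subjectPublicKey BIT STRING contents, unused-bits byte stripped."""
    tag, seq, _ = read_tlv(spki)
    assert tag == 0x30, "SubjectPublicKeyInfo must be a SEQUENCE"
    _, _alg, pos = read_tlv(seq)          # skip AlgorithmIdentifier
    tag, bits, _ = read_tlv(seq, pos)
    assert tag == 0x03 and bits[0] == 0, "expected BIT STRING with 0 unused bits"
    return bits[1:]


def ski_rfc5280(spki: bytes) -> bytes:
    """SHA-1 keyIdentifier: the digest fetch that fails under the FIPS provider."""
    return hashlib.sha1(subject_public_key(spki), usedforsecurity=False).digest()


def ski_rfc7093(spki: bytes) -> bytes:
    """Leftmost 160 bits of SHA-256: same role, FIPS-approved digest."""
    return hashlib.sha256(subject_public_key(spki)).digest()[:20]
```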