Bug 2196889

Summary: Implement ServerSide KeyGen Password Complexity Checks for pkcs12
Product: Red Hat Certificate System
Reporter: Chris Zinda <czinda>
Component: pki-core
Assignee: Marco Fargetta <mfargett>
Status: CLOSED ERRATA
QA Contact: idm-cs-qe-bugs
Severity: medium
Docs Contact:
Priority: unspecified
Version: 11.1
CC: aakkiang, dchen, edewata, mfargett, mharmsen, prisingh
Target Milestone: ---
Keywords: MigratedToJIRA
Target Release: certsys-10.8
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version: redhat-pki-10-8100020250213180344.f9354743
Doc Type: Enhancement
Doc Text:
Feature: Provide a password policy to enforce the quality of the password defined by the user during enrolment with server-side key generation.
Reason: Required by customers to increase the security of the exchanged PKCS12 containing the generated certificate and key.
Result: The new policy looks like:
  policyset.userCertSet.11.constraint.class_id=p12ExportPasswordConstraintImpl
  policyset.userCertSet.11.constraint.name=PKCS12 Password Constraint
  policyset.userCertSet.11.constraint.params.password.minSize=20
  policyset.userCertSet.11.constraint.params.password.minUpperLetter=2
  policyset.userCertSet.11.constraint.params.password.minLowerLetter=2
  policyset.userCertSet.11.constraint.params.password.minNumber=2
  policyset.userCertSet.11.constraint.params.password.minSpecialChar=2
  policyset.userCertSet.11.constraint.params.password.seqLength=4
  policyset.userCertSet.11.constraint.params.password.maxRepeatedChar=4
  policyset.userCertSet.11.constraint.params.password.cracklibCheck=true
  policyset.userCertSet.11.default.class_id=noDefaultImpl
  policyset.userCertSet.11.default.name=No Default
Default params can be configured in CS.cfg for all the password checks (using the prefix passwordChecker.*); by default only the minimum size is set, to 8.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2025-03-31 13:36:04 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Chris Zinda 2023-05-10 16:53:14 UTC
Description of problem:
Currently, the Red Hat SSKG via the serverKeygenInputImpl and the pkcs12OutputImpl allow for any password to be used for the generated p12 files.  Would like the ability to have a configurable option to force/enforce password complexity requirements for a user-provided password, or the ability to have a strong password generated and provided to the user upon submission to improve the security of the p12s with strong passwords.


Version-Release number of selected component (if applicable):
RHEL 8.x

How reproducible:
Very

Steps to Reproduce:
1. Configure SSKG - https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html/planning_installation_and_deployment_guide/configuration_for_server-side_keygen
2. Test with a password of 1234

Actual results:
Allows pkcs12 to be created with weakened password

Expected results:
Desire a check for password complexity

Additional info:

Comment 1 Ding-Yi Chen 2023-05-14 23:48:32 UTC
The bug is related to RHCS, thus product is set to Red Hat Certificate System

Comment 13 errata-xmlrpc 2025-03-31 13:36:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (CA bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2025:3401
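
The constraint parameters from the Doc Text, evaluated against a candidate password such as the 1234 from the steps to reproduce. This is an added example, not code from pki-core or from this bug. Assumptions: seqLength rejects an ascending or descending character sequence of that length or longer, maxRepeatedChar rejects a run of one character longer than that value, any non-alphanumeric character counts as special, and cracklibCheck is not emulated.

```python
import re
from itertools import groupby

# Constraint parameters copied from the Doc Text of this bug.
PROFILE = """\
policyset.userCertSet.11.constraint.params.password.minSize=20
policyset.userCertSet.11.constraint.params.password.minUpperLetter=2
policyset.userCertSet.11.constraint.params.password.minLowerLetter=2
policyset.userCertSet.11.constraint.params.password.minNumber=2
policyset.userCertSet.11.constraint.params.password.minSpecialChar=2
policyset.userCertSet.11.constraint.params.password.seqLength=4
policyset.userCertSet.11.constraint.params.password.maxRepeatedChar=4
policyset.userCertSet.11.constraint.params.password.cracklibCheck=true
"""

def load_params(text):
    """Return {name: value} for every *.params.password.<name>=<value> line."""
    return dict(re.findall(r"\.params\.password\.(\w+)=(\S+)", text))

def longest_run(pw):
    """Length of the longest run of one repeated character ('aaa' -> 3)."""
    return max((len(list(g)) for _, g in groupby(pw)), default=0)

def longest_sequence(pw):
    """Length of the longest ascending or descending run ('abcd', '4321')."""
    best = run = 1 if pw else 0
    step = 0
    for a, b in zip(pw, pw[1:]):
        d = ord(b) - ord(a)
        run = (run + 1 if d == step else 2) if abs(d) == 1 else 1
        step = d
        best = max(best, run)
    return best

def violations(pw, p):
    """Names of the parameters in p that pw fails (assumed semantics)."""
    counts = {
        "minSize": len(pw),
        "minUpperLetter": sum(c.isupper() for c in pw),
        "minLowerLetter": sum(c.islower() for c in pw),
        "minNumber": sum(c.isdigit() for c in pw),
        "minSpecialChar": sum(not c.isalnum() for c in pw),
    }
    failed = [k for k, n in counts.items() if k in p and n < int(p[k])]
    if "seqLength" in p and longest_sequence(pw) >= int(p["seqLength"]):
        failed.append("seqLength")
    if "maxRepeatedChar" in p and longest_run(pw) > int(p["maxRepeatedChar"]):
        failed.append("maxRepeatedChar")
    return failed  # cracklibCheck (dictionary lookup) is not emulated here
```

Calling violations("1234", load_params(PROFILE)) lists every parameter the reproduction password fails under the profile above; passing {"minSize": "8"} instead models the CS.cfg default described in the Doc Text.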