Bug 694152

Summary: certmonger does not generate certificate on providing correct PIN with 'getcert resubmit'
Product: Red Hat Enterprise Linux 6
Reporter: Kaleem <ksiddiqu>
Component: certmonger
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED DEFERRED
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Priority: unspecified
Version: 6.1
CC: dpal, kchamart
Target Milestone: rc
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Doc Text:
As a workaround, certmonger can be told to stop attempting to do anything with the key and certificate by using the "getcert stop-tracking" command to remove the request, and then by using the "getcert request" command to re-add it with the correct PIN value.
Last Closed: 2011-04-06 17:26:33 UTC
Bug Blocks: 694184

Description Kaleem 2011-04-06 15:29:39 UTC
Description of problem:
certmonger does not generate certificate on providing correct PIN with 'getcert resubmit'.


Version-Release number of selected component (if applicable):
certmonger-0.40-1.el6.x86_64

How reproducible:
First try to issue a certificate request with an incorrect NSS database PIN and then provide the correct PIN with 'getcert resubmit'.


Steps to Reproduce:
1. Install certmonger.

2. Start the certmonger service.

3. Change the NSS database password from the default (null) one to some string.

[root@mars ~]# certutil -W -d /tmp/kaleem/ .
Enter Password or Pin for "NSS Certificate DB":
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password:
Re-enter password:
Password changed successfully.
[root@mars ~]#

4. Issue a certificate request with an incorrect PIN for the NSS database.

[root@mars ~]# getcert request -d /tmp/kaleem/ -n test -c SelfSign -P "incorrect"
New signing request "20110406040229" added.
[root@mars ~]# getcert list
Number of certificates and requests being tracked: 1.
Request ID '20110406040229':
status: NEWLY_ADDED_NEED_KEYI_READ_PIN
stuck: yes
key pair storage: type=NSSDB,location='/tmp/kaleem',nickname=test,pin=incorrect
certificate: type=NSSDB,location='/tmp/kaleem',nickname=test
CA: SelfSign
issuer:
subject:
expires: unknown
track: yes
auto-renew: yes
[root@mars ~]#

5. Resubmit the request of step 3 with the correct NSS database PIN.

[root@mars ~]# getcert resubmit -d /tmp/kaleem/ -n test -c SelfSign -P "temp123#"
Resubmitting "20110406040229" to "SelfSign".
[root@mars ~]# getcert list
Number of certificates and requests being tracked: 1.
Request ID '20110406040229':
status: NEED_CSR
stuck: no
key pair storage: type=NSSDB,location='/tmp/kaleem',nickname=test,pin=temp123#
certificate: type=NSSDB,location='/tmp/kaleem',nickname=test
CA: SelfSign
issuer:
subject:
expires: unknown
track: yes
auto-renew: yes
[root@mars ~]#

Status is now "NEED_CSR".
  
Actual results:
Request status is shown as "NEED_CSR"

Expected results:
Request status should be "MONITORING" which means certificate should have been generated.

Comment 2 RHEL Program Management 2011-04-06 15:43:58 UTC
Since RHEL 6.1 External Beta has begun, and this bug remains
unresolved, it has been rejected as it is not proposed as
exception or blocker.

Red Hat invites you to ask your support representative to
propose this request, if appropriate and relevant, in the
next release of Red Hat Enterprise Linux.

Comment 3 Nalin Dahyabhai 2011-04-06 17:18:13 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
As a workaround, certmonger can be told to stop attempting to do anything with the key and certificate by using the "getcert stop-tracking" command to remove the request, and then by using the "getcert request" command to re-add it with the correct PIN value.
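
The workaround in the technical note, as an added shell sketch (not part of the bug report and not certmonger's own code): it parses `getcert list` output, picks out requests that have not reached MONITORING, and prints the stop-tracking / request pair for each. The sample listing is constructed from step 4 of the report plus one invented healthy entry; `-i` (request ID) and `-p` (PIN file, used here in place of `-P` so the PIN stays off the command line) are getcert options not shown in the report.

```shell
# Constructed input: entry 1 abridges the step 4 listing from this report; entry 2 is invented.
sample_list() {
cat <<'EOF'
Request ID '20110406040229':
status: NEWLY_ADDED_NEED_KEYI_READ_PIN
stuck: yes
key pair storage: type=NSSDB,location='/tmp/kaleem',nickname=test,pin=incorrect
CA: SelfSign
Request ID '20110406050000':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/tmp/ok',nickname=web
CA: SelfSign
EOF
}

# stdin: `getcert list` output; stdout: id|status|stuck|dbdir|nickname|ca
# for every request whose status is not MONITORING.
unhealthy_requests() {
  awk '
    function emit() {
      if (id != "" && status != "MONITORING")
        print id "|" status "|" stuck "|" dir "|" nick "|" ca
    }
    /^[ \t]*Request ID/ { emit(); split($0, q, "\047"); id = q[2]; status = stuck = dir = nick = ca = ""; next }
    /^[ \t]*status:/ { status = $2 }
    /^[ \t]*stuck:/  { stuck = $2 }
    /^[ \t]*CA:/     { ca = $2 }
    /^[ \t]*key pair storage:/ {
      sub(/^[ \t]*key pair storage:[ \t]*/, "")
      n = split($0, kv, ",")
      for (i = 1; i <= n; i++) {   # pin= is deliberately never copied out
        if (kv[i] ~ /^location=/) { dir = substr(kv[i], 10); gsub("\047", "", dir) }
        if (kv[i] ~ /^nickname=/) nick = substr(kv[i], 10)
      }
    }
    END { emit() }'
}

# Print (do not run) the workaround pair for each unhealthy request.
# $1 = PIN file path (assumption: -p PINFILE is used instead of -P PIN).
workaround_commands() {
  unhealthy_requests | while IFS='|' read -r id status stuck dir nick ca; do
    printf "getcert stop-tracking -i '%s'\n" "$id"
    printf "getcert request -d '%s' -n '%s' -c '%s' -p '%s'\n" "$dir" "$nick" "$ca" "$1"
  done
}

sample_list | workaround_commands /root/nss.pin
```

Review the printed commands before running them: a request that is still progressing through an intermediate state is listed too, not only one that is stuck.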