Bug 722634

Summary: Add client usage flag to caIPAserviceCert
Product: Red Hat Enterprise Linux 6
Reporter: Andrew Wnuk <awnuk>
Component: pki-core
Assignee: Andrew Wnuk <awnuk>
Status: CLOSED ERRATA
QA Contact: Chandrasekar Kannan <ckannan>
Severity: unspecified
Priority: unspecified
Version: 6.2
CC: awnuk, benl, dpal, jgalipea, mharmsen, rcritten, shaines
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: pki-core-9.0.3-11.el6
Doc Type: Bug Fix
Clone Of: 719113
Last Closed: 2011-12-06 16:29:14 UTC
Bug Depends On: 719113
Attachments:
    * proposed patch (flags: mharmsen: review+)
    * spec file for pki-core-9.0.3-11.el6 (flags: none)

Description Andrew Wnuk 2011-07-16 00:20:19 UTC
+++ This bug was initially created as a clone of Bug #719113 +++

Description of problem:

We want IPA server certificates to be usable as client certificates as well, so a host can use them to authenticate itself. Please add the client cert flag to the IPA service cert profile.

Comment 2 Andrew Wnuk 2011-07-22 00:05:49 UTC
Created attachment 514598
proposed patch

Comment 3 Andrew Wnuk 2011-07-22 00:41:21 UTC
IPA_v2_RHEL_6_ERRATA_BRANCH:
svn commit pki/base/ca/shared/profiles/ca/caIPAserviceCert.cfg
Sending        pki/base/ca/shared/profiles/ca/caIPAserviceCert.cfg
Transmitting file data .
Committed revision 2074.

Comment 4 Andrew Wnuk 2011-07-22 17:35:57 UTC
svn commit
Adding         patches/pki-core-9.0.3-r2074.patch
Sending        specs/pki-core.spec
Transmitting file data ..
Committed revision 2075.

Comment 5 Andrew Wnuk 2011-07-22 17:39:38 UTC
Published patch to http://pki.fedoraproject.org/pki/sources/pki-core/

Comment 7 Matthew Harmsen 2011-07-22 18:28:34 UTC
Created attachment 514764
spec file for pki-core-9.0.3-11.el6

Sent the following request to release-engineering:

Subject: Request to build pki-core-9.0.3-11.el6 for RHEL 6 in Brew . . .

We would like to request an official build of 'pki-core-9.0.3-11.el6' 
for RHEL 6.2 in Brew per the following bug:

    * Bugzilla Bug #722634 - Add client usage flag to caIPAserviceCert

The official source tarball and all associated patches are located at:

    * http://pki.fedoraproject.org/pki/sources/pki-core/

and include the following:

    * pki-core-9.0.3.tar.gz
    * pki-core-9.0.3-r1846.patch
    * pki-core-9.0.3-r1860.patch
    * pki-core-9.0.3-r1862.patch
    * pki-core-9.0.3-r1864.patch
    * pki-core-9.0.3-r1875.patch
    * pki-core-9.0.3-r1879.patch
    * pki-core-9.0.3-r1886.patch
    * pki-core-9.0.3-r1908.patch
    * pki-core-9.0.3-r2074.patch

The updated official spec file is attached.

Comment 10 Jenny Severance 2011-09-28 18:43:53 UTC
verified:

# cat /usr/share/pki/ca/profiles/ca/caIPAserviceCert.cfg | grep "policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2"
policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2


version:
ipa-server-2.1.1-4.el6.x86_64
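
The grep in comment 10 matches only when the two OIDs appear in exactly that order with no spacing. As an added example (not part of this bug report or of the pki-core sources), the shell functions below check a profile file for both serverAuth (1.3.6.1.5.5.7.3.1) and clientAuth (1.3.6.1.5.5.7.3.2) regardless of order. The function names and the sample profile line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: order-independent check of a Dogtag profile's EKU OID list.
SERVER_AUTH=1.3.6.1.5.5.7.3.1   # id-kp-serverAuth
CLIENT_AUTH=1.3.6.1.5.5.7.3.2   # id-kp-clientAuth

# Constructed sample: one profile line in the key=value form seen in comment 10.
sample_profile() {   # $1 = comma-separated OID list
    printf '# constructed sample, not the shipped profile\n'
    printf 'policyset.serverCertSet.7.default.params.exKeyUsageOIDs=%s\n' "$1"
}

# eku_oids FILE: print every OID from each *.exKeyUsageOIDs= line, one per line.
eku_oids() {
    awk -F= '
        /^[ \t]*#/ { next }                        # skip comment lines
        $1 ~ /\.exKeyUsageOIDs[ \t]*$/ {
            n = split($2, oids, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t\r]/, "", oids[i])       # tolerate spaces and CRLF
                if (oids[i] != "") print oids[i]
            }
        }' "$1"
}

# profile_has_server_and_client_auth FILE
# Exit 0 if both OIDs are listed, 1 if either is missing, 2 if FILE is unreadable.
profile_has_server_and_client_auth() {
    oids=$(eku_oids "$1") || return 2
    printf '%s\n' "$oids" | grep -qxF "$SERVER_AUTH" || return 1
    printf '%s\n' "$oids" | grep -qxF "$CLIENT_AUTH" || return 1
}

# Run against a real profile when a path is given on the command line.
if [ "$#" -eq 1 ]; then
    if profile_has_server_and_client_auth "$1"; then
        echo "$1: serverAuth and clientAuth both present"
    else
        echo "$1: serverAuth and/or clientAuth missing" >&2
        exit 1
    fi
fi
```

Saved as a script, it takes the profile path as its only argument, for example the `/usr/share/pki/ca/profiles/ca/caIPAserviceCert.cfg` path used in comment 10.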

Comment 11 errata-xmlrpc 2011-12-06 16:29:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1655.html