Bug 798054

Summary: GNUtls needs to support PKCS#8 files, automatically
Product: Red Hat Enterprise Linux 6
Reporter: Erinn Looney-Triggs <erinn.looneytriggs>
Component: gnutls
Assignee: Tomas Mraz <tmraz>
Status: CLOSED DUPLICATE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 6.2
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-02-28 21:08:33 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Erinn Looney-Triggs 2012-02-27 22:48:12 UTC
Description of problem:
certmonger issues files in PKCS#8 format by default on RHEL 6 hosts (5 as well, I believe, but I haven't tested). When tied in via IPA to a PKI infrastructure, that means all you are getting is PKCS#8 format (unless there are controls in certmonger I am overlooking). Programs such as rsyslog can't handle PKCS#8 format, because the version of gnutls in RHEL 6 doesn't support automatic handling of those certificates. This problem was fixed in gnutls 2.12.0, so a backport would be necessary.

Or certmonger needs to be fixed to allow the default format to be changed.

Version-Release number of selected component (if applicable):

gnutls-2.8.5-4.el6.x86_64
certmonger-0.50-3.el6.x86_64

How reproducible:
Use ipa-getcert or any other certmonger front end (selfsign-getcert works as well) to generate a key and a certificate. Attempt to load said items with a program like rsyslog; rsyslog will no longer crash (that bug was fixed), but it won't be able to open the certificates (actually just the key is the problem).

A bit of a reference is this thread:
https://lists.gnu.org/archive/html/help-gnutls/2011-10/msg00004.html

Comment 1 Erinn Looney-Triggs 2012-02-27 23:00:28 UTC
gnutls-cli also works as a good test of how it (erm) doesn't work:

gnutls-cli --x509cafile /etc/pki/certmaster/ca.cert \
    --x509keyfile foo.example.com.pem \
    --x509certfile foo.example.com.cert \
    -p 514 bar.example.com

Make sure the key file is in PKCS#8 format.
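The description and comment 1 both come down to one question: is the key file certmonger wrote a PKCS#8 PrivateKeyInfo (which gnutls 2.8.x cannot load automatically) or a traditional PKCS#1 RSAPrivateKey? As an added example, not part of this bug report or of gnutls/certmonger, the Python below answers that from the DER structure rather than trusting the PEM label; the sample keys are constructed DER skeletons, not real key material.

```python
import base64
import re

def der_tlv(buf):
    """Read one DER tag-length-value; return (tag, value, remaining bytes)."""
    tag, length, pos = buf[0], buf[1], 2
    if length & 0x80:                       # long-form length (0x81, 0x82, ...)
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], buf[pos + length:]

def pem_to_der(pem):
    """Return (PEM label, decoded DER) for the first PEM block in the text."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))

def classify_private_key(pem):
    """Tell PKCS#8 PrivateKeyInfo from PKCS#1 RSAPrivateKey by DER structure."""
    label, der = pem_to_der(pem)
    if label == "ENCRYPTED PRIVATE KEY":    # PKCS#8 EncryptedPrivateKeyInfo
        return "pkcs8-encrypted"
    tag, body, _ = der_tlv(der)
    if tag != 0x30:
        raise ValueError("top-level DER element is not a SEQUENCE")
    first, _, rest = der_tlv(body)          # both formats start with a version INTEGER
    second, _, _ = der_tlv(rest)
    if first == 0x02 and second == 0x30:    # AlgorithmIdentifier SEQUENCE => PKCS#8
        return "pkcs8"
    if first == 0x02 and second == 0x02:    # modulus INTEGER => PKCS#1 RSAPrivateKey
        return "pkcs1-rsa"
    return "unknown"

def needs_conversion_for_gnutls_2_8(pem):
    """gnutls 2.8.x (RHEL 6) only auto-loads the traditional PKCS#1 form."""
    return classify_private_key(pem) != "pkcs1-rsa"

def to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed sample keys (structurally valid DER skeletons, not real key material):
# PrivateKeyInfo { version 0, AlgorithmIdentifier { rsaEncryption, NULL }, OCTET STRING }
PKCS8_PEM = to_pem("PRIVATE KEY", bytes.fromhex(
    "3017 020100 300d06092a864886f70d0101010500 0403010203"))
# RSAPrivateKey { version 0, modulus INTEGER ... } (truncated after the modulus)
PKCS1_PEM = to_pem("RSA PRIVATE KEY", bytes.fromhex("3006 020100 020105"))
```

Where a key is reported as pkcs8, `openssl rsa -in key.pem -out key-traditional.pem` rewrites an unencrypted RSA key in the PKCS#1 form that gnutls 2.8.x loads; this workaround is not mentioned in the report.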

Comment 2 Tomas Mraz 2012-02-28 21:08:33 UTC

*** This bug has been marked as a duplicate of bug 745242 ***