Bug 818714

Summary: [ipa webui] Instructions to generate cert should include specifying size of private key
Product: Red Hat Enterprise Linux 6
Component: ipa
Version: 6.2
Status: CLOSED ERRATA
Priority: high
Severity: unspecified
Reporter: Namita Soman <nsoman>
Assignee: Rob Crittenden <rcritten>
QA Contact: Namita Soman <nsoman>
CC: jgalipea, mkosek
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-3.0.0-1.el6
Doc Type: Bug Fix
Type: Bug
Last Closed: 2013-02-21 09:12:45 UTC

Description Namita Soman 2012-05-03 18:56:31 UTC
Description of problem:
In the UI for Hosts and services, it provides instructions to generate a cert. 
Following the steps throws an error:
Certificate operation cannot be completed: unknown(3) (Request Rejected - Key Parameters 1024,2048,3072,4096 Not Matched)


The size of the private key by default is 512. If a size of 1024 is specified, a valid cert can be generated.
So the steps taken were:
# openssl genrsa -out key.pem 1024
Generating RSA private key, 1024 bit long modulus
.........++++++
.............++++++
e is 65537 (0x10001)
[root@qe-blade-01 nk]# openssl req -new -key key.pem  -subj '/O=TESTRELM.COM/CN=qq.testrelm.com' -out cert.csr
Also - instead of using openssl, can the steps indicate using certutil, so that we use the nss db?

Version-Release number of selected component (if applicable):
ipa-server-2.2.0-12.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. Add a Host or Service
2. Edit it
3. Click on 'New Certificate' for Host or Service
4. Follow instructions provided to get a cert
5. Click Issue
  
Actual results:
error thrown:
Certificate operation cannot be completed: unknown(3) (Request Rejected - Key Parameters 1024,2048,3072,4096 Not Matched)

Expected results:
new cert should be issued

Additional info:

Comment 2 Martin Kosek 2012-05-04 07:48:18 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2725

Comment 3 Rob Crittenden 2012-05-08 16:55:50 UTC
This is just a text change that is easily verified. In addition we'd like to replace the openssl CSR generation instructions with NSS instructions.

Comment 5 Martin Kosek 2012-05-15 08:39:02 UTC
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/4640f957ade4615972a9b857a8f2e1b97e524d01

Steps used to generate a CSR are now based on NSS.

Comment 8 Namita Soman 2012-11-27 05:27:52 UTC
Verified instructions using ipa-server-3.0.0-8.el6.x86_64
Instructions indicate steps using certutil.

# certutil -R -d /home/ -a -g 512 -s 'CN=one.testrelm.com,O=TESTRELM.COM'

and used the cert generated from this command to add a new cert for a host. Got error:
Certificate operation cannot be completed: unknown(3) (Request Rejected - Key Parameters 1024,2048,3072,4096 Not Matched)

Was successful when cert was generated using command:
# certutil -R -d /home/ -a -g 1024 -s 'CN=one.testrelm.com,O=TESTRELM.COM'
cert was added successfully for host

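The two procedures in this bug (the reporter's openssl steps in the description and the certutil steps verified in Comment 8) both fail in the same way when the key is too small, and the CA only says "unknown(3) ... Key Parameters 1024,2048,3072,4096 Not Matched" after the CSR has been submitted. The script below is an added example, not FreeIPA's own code or the text of the WebUI instructions: it generates the CSR in an NSS database with an explicit `-g` size and checks the key size locally before the request is pasted into the UI. The accepted set 1024/2048/3072/4096 is taken from the rejection quoted in this bug; whether your CA profile still uses exactly that set is an assumption. The host name `qq.testrelm.com` and realm `TESTRELM.COM` are reused from the report as sample values, and `openssl` is assumed to be installed (the certutil function additionally needs nss-tools). Note that the CA accepting 1024-bit keys does not make them a good choice; generate 2048 or larger.

```shell
# Added example (not FreeIPA code): generate a host/service CSR with an
# explicit RSA key size and verify the size before submitting it to the IPA CA.
# The accepted set is the one quoted in the CA rejection in this bug; it is an
# assumption that the CA profile in use still accepts exactly these sizes.
ALLOWED_RSA_BITS="1024 2048 3072 4096"

# Print the RSA modulus size (in bits) of a PEM CSR, or nothing if unreadable.
# Handles both the "Public-Key:" and "RSA Public-Key:" spellings of openssl.
csr_key_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Return 0 if the CSR's key size is in ALLOWED_RSA_BITS, 1 otherwise, and say
# why on stderr so the operator does not have to decode the CA's unknown(3).
check_csr_key_size() {
    bits=$(csr_key_bits "$1")
    if [ -z "$bits" ]; then
        echo "$1: could not read an RSA key size from the CSR" >&2
        return 1
    fi
    for ok in $ALLOWED_RSA_BITS; do
        [ "$bits" = "$ok" ] && return 0
    done
    echo "$1: $bits-bit key is not in accepted set ($ALLOWED_RSA_BITS);" \
         "regenerate with -g 2048 or larger" >&2
    return 1
}

# The corrected WebUI path: key pair and PEM CSR in an NSS database (certutil
# from nss-tools). Args: nssdb-dir fqdn realm out.csr [bits]. The size defaults
# to 2048 rather than the 512-bit default that triggered the rejection above.
gen_csr_nss() {
    db=$1; fqdn=$2; realm=$3; out=$4; bits=${5:-2048}
    pw="$db/pwdfile.txt"; noise="$db/noise.bin"
    mkdir -p "$db" && chmod 700 "$db"
    if [ ! -f "$pw" ]; then
        # random database password kept in a 0600 file for certutil -f
        head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$pw"
        chmod 600 "$pw"
        certutil -N -d "$db" -f "$pw"
    fi
    # seed file so certutil -R does not prompt for keyboard noise
    head -c 1024 /dev/urandom > "$noise"
    certutil -R -d "$db" -f "$pw" -z "$noise" -a -g "$bits" \
        -s "CN=$fqdn,O=$realm" -o "$out"
    rm -f "$noise"
    check_csr_key_size "$out"
}

# The reporter's original openssl path, with the key size made explicit.
# Args: out.csr bits. The private key lands next to the CSR as <name>.key.
gen_csr_openssl() {
    out=$1; bits=$2; key="${out%.csr}.key"
    openssl genrsa -out "$key" "$bits" 2>/dev/null
    openssl req -new -key "$key" \
        -subj '/O=TESTRELM.COM/CN=qq.testrelm.com' -out "$out" 2>/dev/null
}
```

Usage: `gen_csr_nss /etc/pki/nssdb-host qq.testrelm.com TESTRELM.COM host.csr` writes the request and exits non-zero with an explanation if the size is off; `check_csr_key_size host.csr` can also be run on a CSR produced any other way before it is pasted into the Host or Service page. Nonstandard sizes such as 1536 are rejected locally, which is the same outcome the CA would report, only earlier and with a readable reason.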
Comment 9 Namita Soman 2012-11-27 05:37:49 UTC
marking verified - good instructions

Comment 11 errata-xmlrpc 2013-02-21 09:12:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0528.html