Created attachment 818000 [details]
patch to fix

This is the patch to fix this issue. We will wait till the bug has been acked to apply it.
Created attachment 910967 [details]
Patch to create admin cert with SHA256 (used in build)

This patch contains just the code changes present in the previous patch with the following exception:

In 'base/ca/shared/conf/CS.cfg.in', the following was changed from:

ca.profiles.defaultSigningAlgsAllowed==SHA256withRSA,SHA1withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA256withEC,SHA1withEC,SHA384withEC,SHA512withEC

to:

ca.profiles.defaultSigningAlgsAllowed=SHA256withRSA,SHA1withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA256withEC,SHA1withEC,SHA384withEC,SHA512withEC

Basically, the double '==' was replaced by a single '=', as I was concerned that this may be viewed as a part of the value string ('=SHA256withRSA' rather than 'SHA256withRSA').
Created attachment 910968 [details]
Patch to create admin cert with SHA256 (spec file used in build)
Verified

pki and ipa version
===================
[root@rhel66-master ~]# rpm -q pki-ca ipa-server
pki-ca-9.0.3-36.el6.noarch
ipa-server-3.0.0-42.el6.x86_64
[root@rhel66-master ~]#

Snip from beaker automation
===========================
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipaserverinstall_bz1024462 - IPA admin cert is created with SHA1 signing algorithm, should be SHA256
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: Uninstall for next test
:: [ PASS ] :: Uninstalling ipa server for next test (Expected 0, got 0)
:: [ PASS ] :: Making sure that /etc/sssd/sssd.conf does not exist. BZ 819982 (Expected 2, got 2)
:: [ PASS ] :: Installing IPA Server (Expected 0, got 0)
:: [ PASS ] :: File '/etc/pki-ca/CS.cfg' should contain 'ca.signing.defaultSigningAlgorithm=SHA256withRSA'
:: [ PASS ] :: Running 'certutil -L -d /etc/pki/nssdb/ -n "ipa-ca-agent" > /tmp/bz1024462_output.xt' (Expected 0, got 0)
:: [ PASS ] :: File '/tmp/bz1024462_output.xt' should contain 'Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption'
:: [ PASS ] :: IPA admin cert is created with SHA256withRSA signing algo
:: [ PASS ] :: Running 'certutil -D -d /etc/pki/nssdb/ -n "ipa-ca-agent"' (Expected 0, got 0)
:: [ LOG ] :: Duration: 10m 33s
:: [ LOG ] :: Assertions: 8 good, 0 bad
:: [ PASS ] :: RESULT: ipaserverinstall_bz1024462 - IPA admin cert is created with SHA1 signing algorithm, should be SHA256
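Added example, not part of the bug report, the patch, or the beaker test: a small lint that checks a CS.cfg-style file for the two conditions discussed above, a stray leading '=' in a value (the '==' typo) and a 'ca.signing.defaultSigningAlgorithm' other than the expected SHA256withRSA. It assumes each line is split on the first '=' only; the function name, finding labels and sample file are constructed for illustration.

```shell
#!/bin/sh
# check_cs_cfg FILE [EXPECTED_ALG]
# Prints one finding per line; returns 0 if clean, 1 if anything was flagged.
# Assumption: lines are key=value, split on the FIRST '=' only.
check_cs_cfg() {
    local file="$1" expected="${2:-SHA256withRSA}"
    local findings=0 line key value default_alg=""
    while IFS= read -r line || [ -n "$line" ]; do
        # Skip blank lines and comments.
        case $line in ''|'#'*) continue ;; esac
        key=${line%%=*}     # text before the first '='
        value=${line#*=}    # text after the first '='
        # No '=' on the line at all: nothing to check.
        if [ "$key" = "$line" ]; then continue; fi
        # A doubled '==' leaves '=' as the first character of the value.
        if [ "${value#=}" != "$value" ]; then
            echo "STRAY_EQUALS $key"
            findings=1
        fi
        if [ "$key" = "ca.signing.defaultSigningAlgorithm" ]; then
            default_alg=$value
        fi
    done < "$file"
    if [ -z "$default_alg" ]; then
        echo "MISSING ca.signing.defaultSigningAlgorithm"
        findings=1
    elif [ "$default_alg" != "$expected" ]; then
        echo "UNEXPECTED_DEFAULT $default_alg"
        findings=1
    fi
    return "$findings"
}

# Demo on a constructed file (not taken from a real installation).
demo() {
    local dir
    dir=$(mktemp -d)
    printf '%s\n' \
        'ca.signing.defaultSigningAlgorithm=SHA1withRSA' \
        'ca.profiles.defaultSigningAlgsAllowed==SHA256withRSA,SHA1withRSA' \
        > "$dir/CS.cfg"
    check_cs_cfg "$dir/CS.cfg" || echo "findings reported for $dir/CS.cfg"
    rm -rf "$dir"
}
demo
```

On a real system the same function can be pointed at /etc/pki-ca/CS.cfg, the path the beaker test above inspects.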
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1549.html