Bug 1200731 – [RFE] Support lightweight sub-CAs

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1200731 - [RFE] Support lightweight sub-CAs

Summary:	[RFE] Support lightweight sub-CAs

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa (Show other bugs)
Sub Component:
Version:	7.0
Hardware:	Unspecified Unspecified

Priority	medium Severity unspecified
Target Milestone:	rc
Target Release:	---
Assigned To:	IPA Maintainers
QA Contact:	Namita Soman
Docs Contact:	Aneta Šteflová Petrová

URL:
Whiteboard:
Keywords:	FutureFeature

Depends On:	1345755
Blocks:	1351258
	Show dependency tree / graph

Reported:	2015-03-11 05:59 EDT by Martin Kosek
Modified:	2016-11-04 01:44 EDT (History)
CC List:	8 users (show)

See Also:
Fixed In Version:	ipa-4.4.0-1.el7
Doc Type:	Release Note
Doc Text:	IdM now supports sub-CAs Previously, Identity Management (IdM) only supported one certificate authority (CA) that was used to sign all certificates issued within the IdM domain. Now, you can use lightweight sub-CAs for better control over the purpose for which a certificate can be used. For example, a Virtual Private Network (VPN) server can be configured to only accept certificates issued by a sub-CA created for that purpose, rejecting certificates issued by other sub-CAs, such as a smart card CA. To support this functionality, you can now specify an IdM lightweight sub-CA when requesting a certificate with certmonger. For details, see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#lightweight-sub-cas
Story Points:	---
Clone Of:
Clones:	1351258 (view as bug list)
Environment:
Last Closed:	2016-11-04 01:44:48 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
tkt_4559.log (8.03 KB, text/plain) 2016-08-19 07:24 EDT, Abhijeet Kasurde	no flags	Details
tkt_5999.log (2.11 KB, text/plain) 2016-08-19 07:54 EDT, Abhijeet Kasurde	no flags	Details
tkt_5963.log (6.73 KB, text/plain) 2016-08-19 08:17 EDT, Abhijeet Kasurde	no flags	Details
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2016:2404	normal	SHIPPED_LIVE	ipa bug fix and enhancement update	2016-11-03 09:56:18 EDT

Groups: None (edit)

Description Martin Kosek 2015-03-11 05:59:11 EDT

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/4559

In RHEL 7.1, all certificates issued by IPA are interchangeably reusable in different environments, i.e. a certificate issued for mobile device can be used for VPN and vice versa. 

To scope certificates to a specific use without requiring additional access control knobs on behalf of the application that uses the certs, the profiles can be associated with a subCA. 

It should be possible to associate different profiles with different CAs so it should be a many to may relationship.

Comment 1 Jan Cholasta 2015-06-11 06:51:22 EDT

master:
https://fedorahosted.org/freeipa/changeset/bc0c60688505968daf6851e3e179aab20e23af7d
https://fedorahosted.org/freeipa/changeset/947af1a037609fa42cbfd794301d5a5c4061c81b

Comment 2 Martin Kosek 2015-07-07 06:08:36 EDT

FreeIPA upstream project postponed the release to later release:

https://fedorahosted.org/freeipa/ticket/4559#comment:8

Comment 4 Jan Cholasta 2016-06-06 02:55:30 EDT

master:
https://fedorahosted.org/freeipa/changeset/fa149cff86a67ebfe2739df6467a6e10e47742cd

Comment 5 Jan Cholasta 2016-06-08 04:13:45 EDT

master:
https://fedorahosted.org/freeipa/changeset/f94ccca6761f7dbe3f99855d181fe2cec380d476

Comment 6 Jan Cholasta 2016-06-09 03:04:39 EDT

master:
https://fedorahosted.org/freeipa/changeset/b584ffa4ac9c61bad9e4e05e5b39bd0503e39dcd
https://fedorahosted.org/freeipa/changeset/0d37d230c066f9eb703c81e0e21b1b6738703b41
https://fedorahosted.org/freeipa/changeset/b0d9a4728f0dc78e2bbde344beac17ae50b847a9
https://fedorahosted.org/freeipa/changeset/903a90fb4e7dc7eaddc1cc4f11083dad5c16db9b
https://fedorahosted.org/freeipa/changeset/4660bb7ff0197649c8777151a3a2a5378929e842

Comment 7 Jan Cholasta 2016-06-15 01:27:28 EDT

master:
https://fedorahosted.org/freeipa/changeset/3d4db834caa0688bcefc0092b7978402b783eaf3
https://fedorahosted.org/freeipa/changeset/7d8699580d44fc65ca50982107d7037f2a64aa60
https://fedorahosted.org/freeipa/changeset/9c93015e7877c27a573a5090f7c1c36130bb017b
https://fedorahosted.org/freeipa/changeset/0b0c07858a11d0d5db859b321ba948ea6d0dfd65
https://fedorahosted.org/freeipa/changeset/ae6d5b79fbce83e5ded8d8d46108b193c164ac14
https://fedorahosted.org/freeipa/changeset/08e0aa23b0d2c7226472670b4d29d3cc5c5242d6
https://fedorahosted.org/freeipa/changeset/f0915e61986f545ad9b282fa90a4b1d0538829c5

Comment 8 Petr Vobornik 2016-06-22 12:28:57 EDT

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5963

Comment 9 Jan Cholasta 2016-06-23 03:11:23 EDT

master:
https://fedorahosted.org/freeipa/changeset/b59e82298ca0322713bc1dd947ba7a0ae79e44ce

Comment 10 Martin Bašti 2016-06-27 07:14:50 EDT

master:
https://fedorahosted.org/freeipa/changeset/47d33f36507d7af16daff5b9f7e4b4acfc6d963b

Comment 11 Jan Cholasta 2016-06-29 02:52:29 EDT

master:
https://fedorahosted.org/freeipa/changeset/f0b1e37d2e048b5f375ec485e2b69e722a7bc7b7
https://fedorahosted.org/freeipa/changeset/67f13c82d877a9909ab89d3d30eeb7c966cc09e4
https://fedorahosted.org/freeipa/changeset/b720aa94e9317b857734c08a69fe2dcc0d95bf68
https://fedorahosted.org/freeipa/changeset/0078e7a9192a940104d8f6621b33d24d814c109b

Comment 12 Petr Vobornik 2016-06-29 07:05:37 EDT

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5999

Comment 13 Jan Cholasta 2016-06-30 23:52:36 EDT

master:
https://fedorahosted.org/freeipa/changeset/ffb1f5b1f24f0de30529d50f8c8dfb9a896c149e

Comment 14 Martin Bašti 2016-07-01 02:57:23 EDT

master:
https://fedorahosted.org/freeipa/changeset/0334693cfc56bc2788ea3b4f3cea9547c9c00340
https://fedorahosted.org/freeipa/changeset/3ac3882631564cd774114e61e607fffdbd667eee

Comment 15 Jan Cholasta 2016-07-01 04:02:49 EDT

master:
https://fedorahosted.org/freeipa/changeset/4844eaec197690e21c6cf44743df7f456d0e185d

Comment 16 Petr Vobornik 2016-07-01 09:49:33 EDT

The core of the feature is finished. Moving to modified.

There might be regression or minor parts missing. They should be tracked in separate bugzillas.

Comment 18 Petr Vobornik 2016-07-12 04:57:32 EDT

Following commits added tests in upstream 4.4.1

master:
https://fedorahosted.org/freeipa/changeset/ea9b15f435c6327c6f642e3e8093796229d94598
https://fedorahosted.org/freeipa/changeset/5b37aaad7718bd0214053fd2e758ba7dc332e21d
https://fedorahosted.org/freeipa/changeset/d88a12f1f59640bb6593169aa4c7ea204af18cee
https://fedorahosted.org/freeipa/changeset/0277a89825cf0d8d1099f537d9eb4ab1020751d2

Comment 21 Abhijeet Kasurde 2016-08-19 07:02:40 EDT

Observed BZ1368424

Comment 22 Abhijeet Kasurde 2016-08-19 07:24 EDT

Created attachment 1192114 [details]
tkt_4559.log

Comment 23 Abhijeet Kasurde 2016-08-19 07:54 EDT

Created attachment 1192118 [details]
tkt_5999.log

Comment 24 Abhijeet Kasurde 2016-08-19 08:17 EDT

Created attachment 1192121 [details]
tkt_5963.log

Comment 25 Abhijeet Kasurde 2016-08-19 08:19:05 EDT

Verified using IPA version ::
ipa-server-4.4.0-8.el7.x86_64

Marking RFE BZ as verified. Please see attached logs for console log.

Comment 27 errata-xmlrpc 2016-11-04 01:44:48 EDT

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html

Note You need to log in before you can comment on or make changes to this bug.