RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1200731 - [RFE] Support lightweight sub-CAs
Summary: [RFE] Support lightweight sub-CAs
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: Unspecified
OS: Unspecified
medium
unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Namita Soman
Aneta Šteflová Petrová
URL:
Whiteboard:
Depends On: 1345755
Blocks: 1351258
TreeView+ depends on / blocked
 
Reported: 2015-03-11 09:59 UTC by Martin Kosek
Modified: 2016-11-04 05:44 UTC (History)
8 users (show)

Fixed In Version: ipa-4.4.0-1.el7
Doc Type: Release Note
Doc Text:
IdM now supports sub-CAs Previously, Identity Management (IdM) only supported one certificate authority (CA) that was used to sign all certificates issued within the IdM domain. Now, you can use lightweight sub-CAs for better control over the purpose for which a certificate can be used. For example, a Virtual Private Network (VPN) server can be configured to only accept certificates issued by a sub-CA created for that purpose, rejecting certificates issued by other sub-CAs, such as a smart card CA. To support this functionality, you can now specify an IdM lightweight sub-CA when requesting a certificate with certmonger. For details, see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#lightweight-sub-cas
Clone Of:
: 1351258 (view as bug list)
Environment:
Last Closed: 2016-11-04 05:44:48 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
tkt_4559.log (8.03 KB, text/plain)
2016-08-19 11:24 UTC, Abhijeet Kasurde 		no flags Details
tkt_5999.log (2.11 KB, text/plain)
2016-08-19 11:54 UTC, Abhijeet Kasurde 		no flags Details
tkt_5963.log (6.73 KB, text/plain)
2016-08-19 12:17 UTC, Abhijeet Kasurde 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2404 0 normal SHIPPED_LIVE ipa bug fix and enhancement update 2016-11-03 13:56:18 UTC

Description Martin Kosek 2015-03-11 09:59:11 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/4559

In RHEL 7.1, all certificates issued by IPA are interchangeably reusable in different environments, i.e. a certificate issued for mobile device can be used for VPN and vice versa. 

To scope certificates to a specific use without requiring additional access control knobs on behalf of the application that uses the certs, the profiles can be associated with a subCA. 

It should be possible to associate different profiles with different CAs so it should be a many to may relationship.
Comment 1 Jan Cholasta 2015-06-11 10:51:22 UTC 
master:
https://fedorahosted.org/freeipa/changeset/bc0c60688505968daf6851e3e179aab20e23af7d
https://fedorahosted.org/freeipa/changeset/947af1a037609fa42cbfd794301d5a5c4061c81b
Comment 2 Martin Kosek 2015-07-07 10:08:36 UTC 
FreeIPA upstream project postponed the release to later release:

https://fedorahosted.org/freeipa/ticket/4559#comment:8
Comment 4 Jan Cholasta 2016-06-06 06:55:30 UTC 
master:
https://fedorahosted.org/freeipa/changeset/fa149cff86a67ebfe2739df6467a6e10e47742cd
Comment 5 Jan Cholasta 2016-06-08 08:13:45 UTC 
master:
https://fedorahosted.org/freeipa/changeset/f94ccca6761f7dbe3f99855d181fe2cec380d476
Comment 6 Jan Cholasta 2016-06-09 07:04:39 UTC 
master:
https://fedorahosted.org/freeipa/changeset/b584ffa4ac9c61bad9e4e05e5b39bd0503e39dcd
https://fedorahosted.org/freeipa/changeset/0d37d230c066f9eb703c81e0e21b1b6738703b41
https://fedorahosted.org/freeipa/changeset/b0d9a4728f0dc78e2bbde344beac17ae50b847a9
https://fedorahosted.org/freeipa/changeset/903a90fb4e7dc7eaddc1cc4f11083dad5c16db9b
https://fedorahosted.org/freeipa/changeset/4660bb7ff0197649c8777151a3a2a5378929e842
Comment 7 Jan Cholasta 2016-06-15 05:27:28 UTC 
master:
https://fedorahosted.org/freeipa/changeset/3d4db834caa0688bcefc0092b7978402b783eaf3
https://fedorahosted.org/freeipa/changeset/7d8699580d44fc65ca50982107d7037f2a64aa60
https://fedorahosted.org/freeipa/changeset/9c93015e7877c27a573a5090f7c1c36130bb017b
https://fedorahosted.org/freeipa/changeset/0b0c07858a11d0d5db859b321ba948ea6d0dfd65
https://fedorahosted.org/freeipa/changeset/ae6d5b79fbce83e5ded8d8d46108b193c164ac14
https://fedorahosted.org/freeipa/changeset/08e0aa23b0d2c7226472670b4d29d3cc5c5242d6
https://fedorahosted.org/freeipa/changeset/f0915e61986f545ad9b282fa90a4b1d0538829c5
Comment 8 Petr Vobornik 2016-06-22 16:28:57 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5963
Comment 9 Jan Cholasta 2016-06-23 07:11:23 UTC 
master:
https://fedorahosted.org/freeipa/changeset/b59e82298ca0322713bc1dd947ba7a0ae79e44ce
Comment 10 Martin Bašti 2016-06-27 11:14:50 UTC 
master:
https://fedorahosted.org/freeipa/changeset/47d33f36507d7af16daff5b9f7e4b4acfc6d963b
Comment 11 Jan Cholasta 2016-06-29 06:52:29 UTC 
master:
https://fedorahosted.org/freeipa/changeset/f0b1e37d2e048b5f375ec485e2b69e722a7bc7b7
https://fedorahosted.org/freeipa/changeset/67f13c82d877a9909ab89d3d30eeb7c966cc09e4
https://fedorahosted.org/freeipa/changeset/b720aa94e9317b857734c08a69fe2dcc0d95bf68
https://fedorahosted.org/freeipa/changeset/0078e7a9192a940104d8f6621b33d24d814c109b
Comment 12 Petr Vobornik 2016-06-29 11:05:37 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5999
Comment 13 Jan Cholasta 2016-07-01 03:52:36 UTC 
master:
https://fedorahosted.org/freeipa/changeset/ffb1f5b1f24f0de30529d50f8c8dfb9a896c149e
Comment 14 Martin Bašti 2016-07-01 06:57:23 UTC 
master:
https://fedorahosted.org/freeipa/changeset/0334693cfc56bc2788ea3b4f3cea9547c9c00340
https://fedorahosted.org/freeipa/changeset/3ac3882631564cd774114e61e607fffdbd667eee
Comment 15 Jan Cholasta 2016-07-01 08:02:49 UTC 
master:
https://fedorahosted.org/freeipa/changeset/4844eaec197690e21c6cf44743df7f456d0e185d
Comment 16 Petr Vobornik 2016-07-01 13:49:33 UTC 
The core of the feature is finished. Moving to modified.

There might be regression or minor parts missing. They should be tracked in separate bugzillas.
Comment 18 Petr Vobornik 2016-07-12 08:57:32 UTC 
Following commits added tests in upstream 4.4.1

master:
https://fedorahosted.org/freeipa/changeset/ea9b15f435c6327c6f642e3e8093796229d94598
https://fedorahosted.org/freeipa/changeset/5b37aaad7718bd0214053fd2e758ba7dc332e21d
https://fedorahosted.org/freeipa/changeset/d88a12f1f59640bb6593169aa4c7ea204af18cee
https://fedorahosted.org/freeipa/changeset/0277a89825cf0d8d1099f537d9eb4ab1020751d2
Comment 21 Abhijeet Kasurde 2016-08-19 11:02:40 UTC 
Observed BZ1368424
Comment 22 Abhijeet Kasurde 2016-08-19 11:24:25 UTC 
Created attachment 1192114 [details]
tkt_4559.log
Comment 23 Abhijeet Kasurde 2016-08-19 11:54:55 UTC 
Created attachment 1192118 [details]
tkt_5999.log
Comment 24 Abhijeet Kasurde 2016-08-19 12:17:54 UTC 
Created attachment 1192121 [details]
tkt_5963.log
Comment 25 Abhijeet Kasurde 2016-08-19 12:19:05 UTC 
Verified using IPA version ::
ipa-server-4.4.0-8.el7.x86_64

Marking RFE BZ as verified. Please see attached logs for console log.
Comment 27 errata-xmlrpc 2016-11-04 05:44:48 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html
Note You need to log in before you can comment on or make changes to this bug.