1259449 – Include the CA certificate for *.access.redhat.com in ca-certificates

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1259449 - Include the CA certificate for *.access.redhat.com in ca-certificates

Summary: Include the CA certificate for *.access.redhat.com in ca-certificates

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ca-certificates
Sub Component:
Version:	7.2
Hardware:	All
OS:	All
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Kai Engert (:kaie) (inactive account)
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:	1259456
Blocks:
TreeView+	depends on / blocked

Reported:	2015-09-02 15:45 UTC by Keith Robertson
Modified:	2016-07-04 01:35 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-09-02 16:46:01 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
api.access.redhat.com cert (68.74 KB, text/html) 2015-09-02 15:46 UTC, Keith Robertson	no flags	Details
cert-api.access.redhat.com cert (64.63 KB, text/html) 2015-09-02 15:46 UTC, Keith Robertson	no flags	Details
View All

Description Keith Robertson 2015-09-02 15:45:46 UTC

The certificates attached to this BZ should be added to the ca-certificates RPM to facilitate communication back to the Red Hat Customer Portal.

Comment 1 Keith Robertson 2015-09-02 15:46:24 UTC

Created attachment 1069493 [details]
api.access.redhat.com cert

Comment 2 Keith Robertson 2015-09-02 15:46:59 UTC

Created attachment 1069494 [details]
cert-api.access.redhat.com cert

Comment 4 Keith Robertson 2015-09-02 16:09:13 UTC

This BZ should be implemented in conjunction with BZ1259456

Comment 5 Keith Robertson 2015-09-02 16:46:01 UTC

After talking to Kai, putting the *.redhat.com CAs in ca-certificates isn't a good idea as it is intended to be a global repository. I'm going to close this BZ.

===
Hi Keith,

I saw you have filed
https://bugzilla.redhat.com/show_bug.cgi?id=1259449

which requests to add our own CA to the systemwide list of trusted CA
certificates.

This is the first time I see such a request. I believe that in the past
certificfates from global CAs have been used for certificates for our corporate
websites. Can you please tell me, who has discussed and decided that this
strategy should be used?

In my opinion, we should avoid including a CA that could be used to issue
certificates for any website.

If you really need to include a CA, because you must issue your own certificates
to access corporate websites, you should be aware of the following: Only users
of our operating system will be able to connect to our site directly. Everyone
else will see security warnings in their browser, that our site isn't trusted.

If you are aware of that, and would like to use this approach (own CA) anyway,
then I would like to request that we add constrain that CA.

It is possible to add a domain name constraints extension to a root CA
certificate, which limits for which domains certificates can be issued.

Given the potential of abuse of a CA certificate, it would give our customers
the guarantee that we intend to use the CA we're adding only for our own sites,
not for anything else.

Please let me know what you think, I'm interested to hear about your
motiviations for that request, and if you're OK with the constraint that I'm
suggesting.

(On a side note, I couldn't download your attachments from the bug, it seems you
have attached HTML documents, not certificates?)

Thanks and Regards

Note You need to log in before you can comment on or make changes to this bug.