Bug 1308852 - [RFE] Provide the user the ability to import their own CA certificate with private key
Summary: [RFE] Provide the user the ability to import their own CA certificate with pr...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Endi Sukma Dewata
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Depends On: 1289323 1310195
Blocks:
Reported: 2016-02-16 09:41 UTC by Marcel Kolaja
Modified: 2020-10-04 21:02 UTC (History)

Fixed In Version: pki-core-10.2.5-8.el7_2
Doc Type: Enhancement
Doc Text:
The deployment procedure for external CA has been modified to generate the CA Certificate Signing Request (CSR) before starting the server. This allows the same procedure to be used for importing a CA certificate from an existing server. In addition, it is no longer required to keep the server running while waiting to get the CSR signed by an external CA. The "pki ca-cert-request-submit" command now provides options to specify the profile name and the CSR, which is then used to create and populate the request object. As a result, it is no longer necessary to download the request template and insert the CSR manually. A new "pki-server subsystem-cert-export" command exports a system certificate, the CSR, and the key. This command can be used to migrate a system certificate into another instance. The manual pages have been updated to reflect these changes. The installation code for installing an Identity Management (IdM) server with an external CA has been fixed so that IdM can detect whether step 1 of the installation process was completed properly. The code that handles certificate data conversion has been fixed to reformat base-64 data for Privacy Enhanced Mail (PEM) output correctly.
Clone Of: 1289323
Environment:
Last Closed: 2016-05-12 09:57:07 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
pki-core-Use-correct-textual-encoding-for-PKCS-7-objects.patch (7.33 KB, patch)
2016-03-17 19:17 UTC, Endi Sukma Dewata
mharmsen: review+


Links
System ID Private Priority Status Summary Last Updated
Github dogtagpki pki issues 2258 0 None None None 2020-10-04 21:02:42 UTC
Red Hat Product Errata RHBA-2016:1042 0 normal SHIPPED_LIVE pki-core bug fix and enhancement update 2016-05-12 13:53:27 UTC

Description Marcel Kolaja 2016-02-16 09:41:41 UTC
This bug has been copied from bug #1289323 and has been proposed
to be backported to 7.2 z-stream (EUS).

Comment 3 Matthew Harmsen 2016-02-17 18:34:15 UTC
Pushed to DOGTAG_10_2_5_RHEL_BRANCH:

commit afc2ffb30fb5446ff0e78bfc7a0ef05c8e7bcb67
Author: Endi S. Dewata <edewata>
Date:   Thu Nov 12 00:23:26 2015 +0100

    Added support for existing CA case.
    
    The deployment procedure for external CA has been modified
    such that it generates the CA CSR before starting the server.
    This allows the same procedure to be used to import CA
    certificate from an existing server. It also removes the
    requirement to keep the server running while waiting to get
    the CSR signed by an external CA.
    
    The pki ca-cert-request-submit command has been modified to
    provide options to specify the profile name and the CSR which
    will be used to create and populate the request object. This
    way it's no longer necessary to download the request template
    and insert the CSR manually.
    
    A new pki-server subsystem-cert-export command has been added
    to export a system certificate, the CSR, and the key. This
    command can be used to migrate a system certificate into another
    instance.
    
    The man pages have been updated to reflect these changes.
    
    The installation code for external CA case has been fixed such
    that IPA can detect step 1 completion properly.
    
    The code that handles certificate data conversion has been fixed
    to reformat base-64 data for PEM output properly.
    
    The installation summary for step 1 has been updated to provide
    more accurate information.
    
    https://fedorahosted.org/pki/ticket/456

Comment 4 Matthew Harmsen 2016-02-19 17:18:03 UTC
--- Endi Sukma Dewata 2016-02-17 22:45:15 EST ---

Verification steps:

---------
On host 1
---------

1. Create DS instance
2. Create CA deployment config (ca.cfg):

[CA]
pki_admin_email=caadmin
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password=Secret123
pki_admin_uid=caadmin
pki_backup_keys=True
pki_backup_password=Secret123
pki_client_database_password=Secret123
pki_client_database_purge=False
pki_client_pkcs12_password=Secret123
pki_ds_base_dn=dc=ca,dc=example,dc=com
pki_ds_database=ca
pki_ds_password=Secret123
pki_security_domain_name=EXAMPLE
pki_token_password=Secret123

3. Install CA: pkispawn -f ca.cfg -s CA

4. Export CA signing cert, key, and CSR: pki-server subsystem-cert-export ca signing --csr-file ca_signing.csr --pkcs12-file ca.p12

5. Copy ca_signing.crt and ca_signing.csr to /tmp on host 2

6. Export NSS db password: grep internal= /var/lib/pki/pki-tomcat/conf/password.conf | awk -F= '{print $2;}' > internal.txt

7. Note the key ID of the CA signing cert: certutil -K -d /var/lib/pki/pki-tomcat/alias/ -f internal.txt

< 0> rsa      06b218333b1d518847bc6e16f584e3b91b1186b6   caSigningCert cert-pki-tomcat CA

---------
On host 2
---------

7.5. Create DS instance on host 2

8. Create CA deployment config for step 1 (ca-step1.cfg):

[CA]
pki_admin_email=caadmin
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password=Secret123
pki_admin_uid=caadmin
pki_backup_keys=True
pki_backup_password=Secret123
pki_client_database_password=Secret123
pki_client_database_purge=False
pki_client_pkcs12_password=Secret123
pki_ds_base_dn=dc=ca,dc=example,dc=com
pki_ds_database=ca
pki_ds_password=Secret123
pki_security_domain_name=EXAMPLE
pki_token_password=Secret123

pki_external=True
pki_external_step_two=False

9. Install CA step 1: pkispawn -f ca-step1.cfg -s CA

10. Create CA deployment config for step 2 (ca-step2.cfg):

[CA]
pki_admin_email=caadmin
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password=Secret123
pki_admin_uid=caadmin
pki_backup_keys=True
pki_backup_password=Secret123
pki_client_database_password=Secret123
pki_client_database_purge=False
pki_client_pkcs12_password=Secret123
pki_ds_base_dn=dc=ca,dc=example,dc=com
pki_ds_database=ca
pki_ds_password=Secret123
pki_security_domain_name=EXAMPLE
pki_token_password=Secret123

pki_external=True
pki_external_step_two=True
pki_external_csr_path=/tmp/ca_signing.csr
pki_external_pkcs12_path=/tmp/ca.p12
pki_external_pkcs12_password=Secret123

11. Install CA step 2: pkispawn -f ca-step2.cfg -s CA

12. Export NSS db password: grep internal= /var/lib/pki/pki-tomcat/conf/password.conf | awk -F= '{print $2;}' > internal.txt

13. Verify that the key ID of the CA signing cert matches the one in step #7: certutil -K -d /var/lib/pki/pki-tomcat/alias/ -f internal.txt

< 0> rsa      06b218333b1d518847bc6e16f584e3b91b1186b6   caSigningCert cert-pki-tomcat CA

Note that the key ID of the other certificates will not match.
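
The check in steps 7 and 13 is that the key ID printed by certutil -K on host 2 for the CA signing cert is the same as on host 1, i.e. the migrated instance really holds the original key. The following added example (not part of this bug report or of pki-core) derives that key ID from the certificate's public key so it can be compared with certutil output, and shows the 64-column PEM layout the doc text refers to. It assumes NSS computes the CKA_ID of an RSA key, which is what certutil -K displays in its third column, as the SHA-1 hash of the big-endian modulus bytes without a leading sign byte; the key material, the certutil output and the nicknames are constructed test data, not real keys.

```python
"""Verify a migrated CA signing key by deriving its NSS-style key ID from the
public key and comparing it with `certutil -K` output.

Added example, not from the bug report or pki-core. Assumption (labelled):
NSS sets an RSA key's CKA_ID, printed by `certutil -K`, to SHA-1 over the
big-endian modulus bytes with no leading zero byte."""
import base64
import hashlib
import re

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1


# --- minimal DER encoder/decoder, enough for an RSA SubjectPublicKeyInfo ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_uint(value):
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:            # DER INTEGER is signed: pad to keep it positive
        body = b"\x00" + body
    return _tlv(0x02, body)


def build_rsa_spki(modulus, exponent):
    """Encode SubjectPublicKeyInfo { rsaEncryption, BIT STRING { RSAPublicKey } }."""
    alg = _tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")
    rsa_pub = _tlv(0x30, _der_uint(modulus) + _der_uint(exponent))
    return _tlv(0x30, alg + _tlv(0x03, b"\x00" + rsa_pub))


def _read_tlv(buf, pos=0):
    """Return (tag, body, position after the element) for the TLV at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_from_spki(der):
    """Big-endian modulus bytes (sign padding stripped) from an RSA SPKI."""
    tag, spki, _ = _read_tlv(der)
    assert tag == 0x30, "SubjectPublicKeyInfo must be a SEQUENCE"
    _, alg, pos = _read_tlv(spki)
    assert alg.startswith(RSA_ENCRYPTION_OID), "not an rsaEncryption key"
    tag, bitstr, _ = _read_tlv(spki, pos)
    assert tag == 0x03 and bitstr[0] == 0, "unexpected BIT STRING"
    _, rsa_pub, _ = _read_tlv(bitstr, 1)   # skip the unused-bits byte
    tag, modulus, _ = _read_tlv(rsa_pub)
    assert tag == 0x02, "modulus must be an INTEGER"
    return modulus.lstrip(b"\x00") or b"\x00"


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


def nss_key_id(spki_der):
    """Key ID as certutil -K shows it: hex SHA-1 of the modulus (assumption)."""
    return sha1_hex(rsa_modulus_from_spki(spki_der))


# --- PEM armour: base64 wrapped at 64 columns, as PEM readers expect ---
def der_to_pem(der, label="PUBLIC KEY"):
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def pem_to_der(text):
    b64 = "".join(l.strip() for l in text.splitlines()
                  if l.strip() and not l.startswith("-----"))
    return base64.b64decode(b64)


# --- comparison against `certutil -K -d <alias dir> -f <password file>` output ---
CERTUTIL_LINE = re.compile(r"^<\s*\d+>\s+rsa\s+([0-9a-fA-F]{40})\s+(.*)$")


def parse_certutil_k(output):
    """Map nickname -> key ID (lower-case hex) from certutil -K output."""
    ids = {}
    for line in output.splitlines():
        m = CERTUTIL_LINE.match(line.strip())
        if m:
            ids[m.group(2).strip()] = m.group(1).lower()
    return ids


def migrated_key_matches(spki_der, certutil_output, nickname):
    """True if the key certutil lists under `nickname` is the cert's key."""
    return parse_certutil_k(certutil_output).get(nickname) == nss_key_id(spki_der)


# Constructed demo key: 64 bytes with the top bit set, NOT a real CA key.
DEMO_MODULUS_BYTES = bytes(range(0xC0, 0x100))
DEMO_SPKI = build_rsa_spki(int.from_bytes(DEMO_MODULUS_BYTES, "big"), 65537)


def demo():
    expected = nss_key_id(DEMO_SPKI)
    # Constructed stand-in for host 2's certutil -K output: only the CA signing
    # key is migrated, so only its ID is expected to match host 1.
    certutil_out = (f"< 0> rsa      {expected}   caSigningCert cert-pki-tomcat CA\n"
                    f"< 1> rsa      {'0' * 40}   subsystemCert cert-pki-tomcat\n")
    return {"signing": migrated_key_matches(DEMO_SPKI, certutil_out,
                                            "caSigningCert cert-pki-tomcat CA"),
            "subsystem": migrated_key_matches(DEMO_SPKI, certutil_out,
                                              "subsystemCert cert-pki-tomcat")}


if __name__ == "__main__":
    print(demo())
```

In practice the SPKI bytes would come from the exported ca_signing.crt (pem_to_der on the certificate gives the full certificate, from which the SubjectPublicKeyInfo would be extracted with a proper X.509 parser), and the certutil text from step 13; a mismatch on the signing nickname means step 2 did not import the PKCS #12 key, while mismatches on the other nicknames are expected, as the comment above notes.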

Comment 17 Endi Sukma Dewata 2016-03-17 19:17:56 UTC
Created attachment 1137484 [details]
pki-core-Use-correct-textual-encoding-for-PKCS-7-objects.patch

Comment 18 Matthew Harmsen 2016-03-17 23:20:31 UTC
Comment on attachment 1137484 [details]
pki-core-Use-correct-textual-encoding-for-PKCS-7-objects.patch

Code looks good.

Applied patch and successfully installed CA which showed the appropriate changes.

Comment 20 Matthew Harmsen 2016-03-19 00:41:33 UTC
Checked into 'DOGTAG_10_2_5_RHEL_BRANCH':

* cc65e92d87761bf28423718300e8ea53b30b63ba

Comment 21 Geetika Kapoor 2016-03-22 05:52:39 UTC
Verified the below-mentioned scenarios:
-------------------------------------

Test case 1: ==> Works as mentioned in #comment4 
Try same scenario that is mentioned in test case 1 "dev" notes.

a. Create a RootCA.
b. RSA key ID matches and works as expected. Also, the public cert PEM format matches for both keys.
localKeyID: 50 7E FA BE 61 C9 02 FB 02 28 48 76 E9 4C 2F A8 28 E0 E1 F7
localKeyID: 50 7E FA BE 61 C9 02 FB 02 28 48 76 E9 4C 2F A8 28 E0 E1 F7

localkeyID is equivalent to keyid in x509 format.

Test case 2: ==> Works as expected
Verified that after step 1 the CA server never starts. It always starts after step 2.

Test Case 3: ==> Works as expected 
IPA server installation with external CA (single certificate chain).

Test Case 4: ==> raised bug https://bugzilla.redhat.com/show_bug.cgi?id=1318903
IPA server installation with external CA (chain of CA certificates).

Test case 5: ==> works as expected
External CA configuration in RHEL 7.2 and RHCS.

Comment 22 Asha Akkiangady 2016-03-22 12:31:30 UTC
Marking it Verified as per comment #21.

Comment 24 errata-xmlrpc 2016-05-12 09:57:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-1042.html

