Bug 1313679 - Section 14.2.3., specify that CSRs are generated on nodes, not on IdM server
Summary: Section 14.2.3., specify that CSRs are generated on nodes, not on IdM server
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: doc-Linux_Domain_Identity_Management_Guide
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Aneta Šteflová Petrová
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-03-02 08:18 UTC by Roland Wolters
Modified: 2019-03-06 00:39 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-07-29 07:23:06 UTC
Target Upstream Version:
Embargoed:



Description Roland Wolters 2016-03-02 08:18:58 UTC
Description of problem:
The current documentation explains how to generate CSRs for services, but does not mention where these are usually generated - thus where the private keys are actually stored.
The examples in fact say "server", which might lead to the impression that the private keys are stored on the IdM and that the CSRs have to be generated on the IdM.

However, in real life the private key for a service should stay on the node where the service is actually run - and not on the IdM. Thus the CSR should also be generated on the "service node".

Version-Release number of selected component (if applicable):
Revision 7.0-14

Additional info:
I suggest adding something like the following clarification to the introduction of 14.2.3, so that the paragraph:
"The certificate request must be generated with a third-party tool such as certutil. The resulting certificate request can be submitted through the IdM web UI or command-line tools.
The service must already exist for a certificate to be requested. If the service does not yet exist, then with the command line, there is an option to create the service as part of requesting the certificate."

is extended by a paragraph along the lines of:
"The service usually runs on a dedicated service node on which the private key is stored. The private key should not be copied to the IdM, so the CSR needs to be created on the service node itself; the following certutil commands need to be executed on the service node."

Additionally, for better clarification it might make sense to change the following code examples in 14.2.3. from "server" to "service-node" in step 1. of 14.2.3.1. and 14.2.3.2.
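The workflow the report describes, as an added example that is not part of the bug report or of the IdM guide: the key pair and the CSR are created on the service node, the only thing that ever travels to IdM is the CSR, and the script finishes with two checks a practitioner would want: that the CSR really belongs to the key kept on the node, and that no key material ended up on the IdM side. The guide's own steps use certutil and an NSS database; this example uses openssl for the key and CSR so it runs offline, and it uses two local directories as stand-ins for the two machines. The hostname, realm, principal and file names are assumptions, not values from the page. The `ipa cert-request ... --add` call (which creates the service as part of the request, the option the quoted paragraph refers to) is only run if the `ipa` client is installed, and it runs on the service node, since an enrolled client submits the CSR from there.

```shell
#!/bin/sh
# Added example (not from the bug report or the IdM guide). Generates the
# service key and CSR on the service node and checks that the private key
# never leaves it. Hostname, realm and principal below are assumptions.
set -e

SERVICE_HOST="service-node.example.com"     # assumed hostname
REALM="EXAMPLE.COM"                          # assumed Kerberos realm
PRINCIPAL="HTTP/${SERVICE_HOST}@${REALM}"    # assumed service principal

WORK="${WORK:-$(mktemp -d)}"
SERVICE_NODE="$WORK/service-node"   # stand-in for the node running the service
IDM_SIDE="$WORK/idm-side"           # stand-in for everything IdM ever receives
mkdir -p "$SERVICE_NODE" "$IDM_SIDE"

# Step 1, on the service node: create the key pair and the CSR.
# The private key is written only under $SERVICE_NODE (the guide does the
# same with certutil -R against an NSS database on the node).
make_csr_on_service_node() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$SERVICE_NODE/service.key" \
        -subj "/O=${REALM}/CN=${SERVICE_HOST}" \
        -out "$SERVICE_NODE/service.csr" 2>/dev/null
    chmod 600 "$SERVICE_NODE/service.key"
}

# Step 2: hand IdM the CSR and nothing else. The copy stands in for what
# "ipa cert-request" transmits; the key file is deliberately not copied.
send_csr_to_idm() {
    cp "$SERVICE_NODE/service.csr" "$IDM_SIDE/service.csr"
    # Real submission, from the enrolled service node, when the client exists.
    # --add creates the service entry if it does not exist yet.
    if command -v ipa >/dev/null 2>&1; then
        ipa cert-request "$SERVICE_NODE/service.csr" \
            --principal="$PRINCIPAL" --add
    fi
}

# Check 1: the CSR carries the public half of the key kept on the node.
csr_matches_key() {
    csr_pub="$(openssl req -in "$SERVICE_NODE/service.csr" -noout -pubkey 2>/dev/null)"
    key_pub="$(openssl pkey -in "$SERVICE_NODE/service.key" -pubout 2>/dev/null)"
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# Check 2: the IdM side holds exactly one file, it is a CSR, and no
# private key material is present anywhere under it.
no_key_left_node() {
    [ -f "$SERVICE_NODE/service.key" ] || return 1
    set -- "$IDM_SIDE"/*
    [ $# -eq 1 ] || return 1
    grep -q "BEGIN CERTIFICATE REQUEST" "$IDM_SIDE/service.csr" || return 1
    if grep -rq "PRIVATE KEY" "$IDM_SIDE"; then return 1; fi
    return 0
}

make_csr_on_service_node
send_csr_to_idm
csr_matches_key && no_key_left_node && echo "CSR generated on the service node; key stayed there: $SERVICE_NODE"
```

If `csr_matches_key` fails after a real deployment, the CSR was built against a different key than the one the service will load, and the issued certificate will not work; if `no_key_left_node` fails, a private key was copied to the IdM side and should be treated as exposed and regenerated on the node.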

Comment 5 Roland Wolters 2016-06-24 06:58:26 UTC
It is at least better than the original version. I would still have added a line saying that the certificate stays on a server different than the IdM, but this version is at least not as confusing as the original one. You can close if you want.

Comment 6 Aneta Šteflová Petrová 2016-06-24 07:04:21 UTC
Thanks for the update Roland. We will have a look at this BZ and make the change.

Comment 7 Aneta Šteflová Petrová 2016-06-30 08:22:25 UTC
I added an Important admonition to 17.1.1.:

----------
Services typically run on dedicated service nodes on which the private keys are stored. Copying a service's private key to the IdM server is considered insecure. Therefore, when requesting a certificate for a service, create the CSR on the service node, not on the IdM server.
----------

Roland, is this okay?

