1350983 – Installation: subsystem certs could have notAfter beyond CA signing cert in case of external or existing CA

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1350983 - Installation: subsystem certs could have notAfter beyond CA signing cert in case of external or existing CA

Summary: Installation: subsystem certs could have notAfter beyond CA signing cert in c...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	pki-core
Sub Component:
Version:	7.3
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	7.3
Assignee:	Christina Fu
QA Contact:	Asha Akkiangady
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1356311 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-06-28 23:20 UTC by Matthew Harmsen
Modified:	2020-10-04 21:11 UTC (History)
CC List:	3 users (show)
Fixed In Version:	pki-core-10.3.3-3.el7
Doc Type:	Bug Fix
Doc Text:	Cause: the CAValidity constraint is not applied during installation. As a consequence, the subsystem certs created per .profile's could have notAfter beyond that of the CA signing cert imported during "external" or "existing" CA. Consequence: Fix: This fix implements validity check on the notAfter value of the certInfo and adjusts it to that of the CA's notAfter if exceeding Result: subsystem certs can no longer exceed that of the CA signing cert's notAfter value, regardless of what the profiles dictates.
Clone Of:
Environment:
Last Closed:	2016-11-04 05:25:35 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
Config_files (120.00 KB, application/x-tar) 2016-08-23 07:10 UTC, Geetika Kapoor	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	dogtagpki pki issues 2509	0	None	None	None	2020-10-04 21:11:31 UTC
Red Hat Product Errata	RHBA-2016:2396	0	normal	SHIPPED_LIVE	pki-core bug fix and enhancement update	2016-11-03 13:55:03 UTC

Description Matthew Harmsen 2016-06-28 23:20:39 UTC

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/pki/ticket/2389

It appears that the CAValidity constraint is not applied during installation.
As a consequence, the subsystem certs created per .profile's could have notAfter beyond that of the CA signing cert imported during "external" or "existing" CA.

There has been a customer request to fix this issue, as although there is a manual workaround, it would be far too time-consuming and painful to require the customer to implement this manually.

Comment 1 Christina Fu 2016-06-29 16:23:49 UTC

pushed to master:

commit 659c90869a27871eda27fd730d00b0499873dae2
Author: Christina Fu <cfu>
Date:   Tue Jun 28 18:00:03 2016 -0700

    Ticket 2389 Installation: subsystem certs could have notAfter beyond CA signing cert in case of external or existing CA
    
    This patch implements validity check on the notAfter value of the certInfo
    and adjusts it to that of the CA's notAfter if exceeding


--------
When testing, make the subsystem certs' expiration exceed that of the external or existing CA's signing cert notAfter value.
Basically this is to test the existing/external CA scenario, with modification to the "range" values of the subsystem certs' .profile's so that the notAfter would exceed that of the CA's value.
For example,
I changed my the following param in my serverCert.profile:
   2.default.params.range=7400
under Validity Default
That effectively causes the notAfter of my server cert to exceed CA signing cert's notAfter
You need to make the changes between installation and configuration

Comment 3 Matthew Harmsen 2016-07-14 00:17:01 UTC

*** Bug 1356311 has been marked as a duplicate of this bug. ***

Comment 4 Geetika Kapoor 2016-07-25 08:24:42 UTC

Hello,

I tried to perform testing for above mentioned use case.So based on my understanding below mentioned is the use case.

Expected Result:
----------------

In CA's profile, We have a profile named caSubsystemCert. We should be able to generate certs with it using user defined validity period.


Setup:
------

1. Disable profile caSubsystemCert.cfg under /var/lib/pki/topology-02-CA/ca/profiles/ca using :

pki -v  -d /opt/rhqa_pki/certdb -c Secret123 -h pki1.example.com -p 20080 -n "PKI CA Administrator for Example.Org" ca-profile-disable caSubsystemCert

2. Edit profile in the runtime based on changes that are needed.

pki   -d /opt/rhqa_pki/certdb -c Secret123 -h pki1.example.com -p 20080 -n "PKI CA Administrator for Example.Org" ca-profile-edit caSubsystemCert

Here i edit below mentioned attribute:

policyset.serverCertSet.2.default.name=Validity Default
policyset.serverCertSet.2.default.params.range=7200000

3. Enable the "caSubsystemCert" profile.

pki -v  -d /opt/rhqa_pki/certdb -c Secret123 -h pki1.example.com -p 20080 -n "PKI CA Administrator for Example.Org" ca-profile-enable caSubsystemCert

4. Submit the certificate request.

pki -v  -d /opt/rhqa_pki/certdb -c Secret123 -h pki1.example.com -p 20080 cert-request-submit --profile caSubsystemCert --csr-file /etc/pki/topology-02-KRA-alone/kra_subsystem.csr

5. This everytime gives me below mentioned exception.

[root@pki1 test_dir]# pki -v  -d /opt/rhqa_pki/certdb -c Secret123 -h pki1.example.com -p 20080 cert-request-submit --profile caSubsystemCert --csr-file /etc/pki/topology-02-KRA-alone/kra_subsystem.csr
PKI options: -v -d /opt/rhqa_pki/certdb -c Secret123
PKI command: pki1.example.com -h pki1.example.com -p 20080 cert-request-submit --profile caSubsystemCert --csr-file /etc/pki/topology-02-KRA-alone/kra_subsystem.csr
Java command: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -cp /usr/share/java/commons-cli.jar:/usr/share/java/commons-codec.jar:/usr/share/java/commons-httpclient.jar:/usr/share/java/commons-io.jar:/usr/share/java/commons-lang.jar:/usr/share/java/commons-logging.jar:/usr/share/java/httpcomponents/httpclient.jar:/usr/share/java/httpcomponents/httpcore.jar:/usr/share/java/jackson/jackson-core-asl.jar:/usr/share/java/jackson/jackson-jaxrs.jar:/usr/share/java/jackson/jackson-mapper-asl.jar:/usr/share/java/jackson/jackson-mrbean.jar:/usr/share/java/jackson/jackson-smile.jar:/usr/share/java/jackson/jackson-xc.jar:/usr/share/java/jaxb-api.jar:/usr/share/java/ldapjdk.jar:/usr/share/java/servlet.jar:/usr/share/java/resteasy-base/jaxrs-api.jar:/usr/share/java/resteasy-base/resteasy-atom-provider.jar:/usr/share/java/resteasy-base/resteasy-client.jar:/usr/share/java/resteasy-base/resteasy-jaxb-provider.jar:/usr/share/java/resteasy-base/resteasy-jaxrs.jar:/usr/share/java/resteasy-base/resteasy-jaxrs-jandex.jar:/usr/share/java/resteasy-base/resteasy-jackson-provider.jar:/usr/share/java/pki/pki-nsutil.jar:/usr/share/java/pki/pki-cmsutil.jar:/usr/share/java/pki/pki-certsrv.jar:/usr/share/java/pki/pki-tools.jar:/usr/lib64/java/jss4.jar:/usr/lib/java/jss4.jar -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI -d /opt/rhqa_pki/certdb -c Secret123 --verbose -h pki1.example.com -p 20080 cert-request-submit --profile caSubsystemCert --csr-file /etc/pki/topology-02-KRA-alone/kra_subsystem.csr
Server URI: http://pki1.example.com:20080
Client security database: /opt/rhqa_pki/certdb
Message format: null
Command: cert-request-submit --profile caSubsystemCert --csr-file /etc/pki/topology-02-KRA-alone/kra_subsystem.csr
Initializing client security database
Logging into security token
Module: cert
Module: request-submit
Retrieving caSubsystemCert profile.
HTTP request: GET /ca/rest/certrequests/profiles/caSubsystemCert HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:20080
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 200 OK
  Server: Apache-Coyote/1.1
  Content-Type: application/xml
  Content-Length: 1209
  Date: Mon, 25 Jul 2016 07:24:34 GMT
Request type: pkcs10
CSR:
-----BEGIN CERTIFICATE REQUEST-----
MIICjDCCAXQCAQAwRzElMCMGA1UECgwcdG9wb2xvZ3ktMDJfRm9vYmFybWFzdGVyLm9yZzEeMBwG
A1UEAwwVU3Vic3lzdGVtIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEA32hziGkGD+lgQqqkiHZjfGWtMwsNpRA8zbYbQE+v9m4IGIigFHP4yJwM1P6ozsBPMhRIjod5
BNm2g1uEEOfFUppUidXX6eNrZlT7+Wb6ftdECLfRlVvZbfakPU6raLNeD0oANxHxXpZfM+c7/Mfh
s6RorETx9KKm4D4GtY6v718M6vN1E6UsTfx5++R6QK/zcbTHScg5uvQJ8Dv9E481mfwB0O1m81Ft
RZT5enKDEn4Y3aHXwKCIWfJdOuet97aWkBOWcB0W1E2VDzGMstijtLgl128glyCgg7G9SRe/TEQQ
tDi0OdHTfZHd8LEn9NLyha6gETB/BwqJpjrM0lBcWwIDAQABoAAwDQYJKoZIhvcNAQELBQADggEB
AM7+s10H68xWv6GnKbr2czF/KEUUNh/S58/axnUdZ/hgawghO2O7BCkZAPNG42isT2eqinq6sUoa
NeebGMPEcvnPlJk8l1k/7vtY9f6hOb6w6bUASbC5hxaA3MS0ffey0y1kw70u+iFTBarU7AEyRQCz
ZPAEOeoAC+1Vqc3yxNK4LooSr5NW5r9oFTO+Vuz/B/Bn+r70hcRMbM4ZYiqAgLEqv+TPorYA5nP8
K0zXsnVMWq0+Fdxj6mHaE1rPqVVvDpjEMYHkesm/DrXV6T5xQjSCsV7sUJD4gJkx54Bp4fvtfJuC
3LDc3+5CSv9l1Aj8K7eLzTgsdNhBlB3zuWtd9NU=
-----END CERTIFICATE REQUEST-----
HTTP request: POST /ca/rest/certrequests HTTP/1.1
  Content-Type: application/xml
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Content-Length: 2172
  Host: pki1.example.com:20080
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 500 Internal Server Error
  Server: Apache-Coyote/1.1
  Content-Type: application/xml
  Content-Length: 213
  Date: Mon, 25 Jul 2016 07:24:34 GMT
  Connection: close
com.netscape.certsrv.base.PKIException: extensions not found
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
	at com.netscape.certsrv.client.PKIConnection.handleErrorResponse(PKIConnection.java:450)
	at com.netscape.certsrv.client.PKIConnection.getEntity(PKIConnection.java:418)
	at com.netscape.certsrv.client.PKIClient.getEntity(PKIClient.java:113)
	at com.netscape.certsrv.cert.CertClient.enrollRequest(CertClient.java:102)
	at com.netscape.cmstools.cert.CertRequestSubmitCLI.execute(CertRequestSubmitCLI.java:249)
	at com.netscape.cmstools.cli.CLI.execute(CLI.java:337)
	at com.netscape.cmstools.cert.CertCLI.execute(CertCLI.java:91)
	at com.netscape.cmstools.cli.ProxyCLI.execute(ProxyCLI.java:119)
	at com.netscape.cmstools.cli.CLI.execute(CLI.java:337)
	at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:562)
	at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:574)

6. Then i take a look at the certificate.It is without extensions.So i actually disable extensions in caSubsystemCert profile.I set all critial parameters ( for extensions like keyusage) to false.Also i did changes in policyset.serverCertSet.list=1,2,3,4



But still i am seeing extensions error.

Comment 5 Christina Fu 2016-07-25 16:09:37 UTC

As stated in comment #1, this is a test for "Existing or External CA" during "Installation."
Please find and follow the right instruction to test such installation case, maybe this? http://pki.fedoraproject.org/wiki/Installing_CA_with_Existing_CA_Certificate_using_NSS_Database

and make sure (before running pkispawn the 2nd time to configure) you follow what stated in Comment #1 to modify the 
<instance>/ca/conf/subsystemCert.profile
so that the params.range of the Validity Default
exceeds that of the CA's.
And watch (and expect) the installation to fail on it.

Since your test procedure is invalid, I'm changing this bug to "POST" again.
Let me know if there is any more issue.

Comment 6 Christina Fu 2016-07-25 16:12:21 UTC

(In reply to Christina Fu from comment #5)
> As stated in comment #1, this is a test for "Existing or External CA" during
> "Installation."
> Please find and follow the right instruction to test such installation case,
> maybe this?
> http://pki.fedoraproject.org/wiki/
> Installing_CA_with_Existing_CA_Certificate_using_NSS_Database
> 
> and make sure (before running pkispawn the 2nd time to configure) you follow
> what stated in Comment #1 to modify the 
> <instance>/ca/conf/subsystemCert.profile
> so that the params.range of the Validity Default
> exceeds that of the CA's.
> And watch (and expect) the installation to fail on it.

correction:
What's expected is that it will NOT follow the range specification of the exceeding subsystem cert profile, but rather limit it to that of the CA's.
So, expect the subsystem cert having the same expiration date as that of the CA.

> 
> Since your test procedure is invalid, I'm changing this bug to "POST" again.
> Let me know if there is any more issue.

Comment 7 Geetika Kapoor 2016-07-26 05:26:39 UTC

Hello,

Sure I'll follow the procedure that you have mentioned above.Thanks for reply.
I have one question here. If i have an existing setup and i tried to edit profile caSubsystemCert and i disable all the extensions so now while doing a certificate request submit should it be asking to provide extensions? I have set all extensions like keyusage to false still it checks for extensions.So I am not sure about how it should behave.

Thanks
Geetika

Comment 8 Christina Fu 2016-08-01 17:34:34 UTC

(In reply to Geetika Kapoor from comment #7)
> Hello,
> 
> Sure I'll follow the procedure that you have mentioned above.Thanks for
> reply.
> I have one question here. If i have an existing setup and i tried to edit
> profile caSubsystemCert and i disable all the extensions so now while doing
> a certificate request submit should it be asking to provide extensions? I
> have set all extensions like keyusage to false still it checks for
> extensions.So I am not sure about how it should behave.
> 
> Thanks
> Geetika

That is not a useful test case, and has nothing to do with this bug.  Admins should have no reason to do that.

Comment 9 Geetika Kapoor 2016-08-19 09:00:00 UTC

Hello Christina,

Below are the 3 test cases i performed.I am not sure if this is expected behavior so just to get a better idea here I am putting it to you.Thanks in advance for help.Below are the test scenario's::


Test Case 1: Create a new CA instance where we are doing changes in default 
============ profile file /usr/share/pki/ca/conf/subsystemCert.profile

Setup :
------

1. Change "2.default.params.range=720" to "2.default.params.range=7200000" in /usr/share/pki/ca/conf/subsystemCert.profile


Result:
------

1. Installation was successful.Port is in-use.
2. Debug logs shows::

<debug logs>
[19/Aug/2016:02:57:46][localhost-startStop-1]: CertUtils: verifySystemCertByTag(sslserver)
[19/Aug/2016:02:57:46][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(Server-Cert cert-pki-tomcat, SSLServer)
[19/Aug/2016:02:57:46][localhost-startStop-1]: CertUtils: verifySystemCertByNickname(): calling verifyCertificate(Server-Cert cert-pki-tomcat, true, SSLServer)
[19/Aug/2016:02:57:46][localhost-startStop-1]: CertUtils: verifySystemCertByNickname() failed: java.lang.Exception: Certificate Server-Cert cert-pki-tomcat is invalid: Invalid certificate: (-8179) Peer's Certificate issuer is not recognized.
[19/Aug/2016:02:57:46][localhost-startStop-1]: CertUtils: verifySystemCertsByTag() failed: java.lang.Exception: Certificate Server-Cert cert-pki-tomcat is invalid: Invalid certificate: (-8179) Peer's Certificate issuer is not recognized.
[19/Aug/2016:02:57:46][localhost-startStop-1]: SignedAuditEventFactory: create() message created for eventType=CIMC_CERT_VERIFICATION

[19/Aug/2016:02:57:46][localhost-startStop-1]: SignedAuditEventFactory: create() message created for eventType=CIMC_CERT_VERIFICATION

java.lang.Exception: Certificate Server-Cert cert-pki-tomcat is invalid: Invalid certificate: (-8179) Peer's Certificate issuer is not recognized.
        at com.netscape.cmscore.cert.CertUtils.verifySystemCertByNickname(CertUtils.java:844)
        at com.netscape.cmscore.cert.CertUtils.verifySystemCertByTag(CertUtils.java:936)
        at com.netscape.cmscore.cert.CertUtils.verifySystemCerts(CertUtils.java:1053)
        at com.netscape.cmscore.apps.CMSEngine.verifySystemCerts(CMSEngine.java:1803)
        at com.netscape.certsrv.apps.CMS.verifySystemCerts(CMS.java:1402)
        at com.netscape.cms.selftests.common.SystemCertsVerification.runSelfTest(SystemCertsVerification.java:193)
Caused by: java.security.cert.CertificateException: Invalid certificate: (-8179) Peer's Certificate issuer is not recognized.
        at org.mozilla.jss.CryptoManager.verifyCertificateNowNative(Native Method)
        at org.mozilla.jss.CryptoManager.verifyCertificate(CryptoManager.java:1554)
        at com.netscape.cmscore.cert.CertUtils.verifySystemCertByNickname(CertUtils.java:842)
        ... 44 more


</debug logs>


Test Case 2:  Create a external CA like mentioned in
============ http://pki.fedoraproject.org/wiki/Installing_CA_with_Existing_CA_Certificate_using_NSS_Database#Exporting_from_Existing_CA_Instance  (Installing New CA Instance (Step 1) )


Setup:
======

1. I created my csr request.
2. I get it signed by some other CA.
3. I did changes in /etc/pki/TestBZ/ca/subsystemCert.profile and i could see in step2 it failed with :
pkispawn    : INFO     ....... importing caSigningCert cert-TestBZ CA from cert_new
pkispawn    : INFO     ....... importing certificate chain caSigningCert External CA from chain_new
pkispawn    : INFO     ....... validating the signing certificate
pkispawn    : ERROR    ....... pki-server subsystem-cert-validate return code: 1
pkispawn    : ERROR    .......   Cert ID: signing
  Nickname: caSigningCert cert-TestBZ CA
  Usage: SSLCA
  Token: Internal Key Storage Token
  Status: INVALID
-----------------
Validation failed
-----------------

pkispawn    : DEBUG    ....... Error Type: CalledProcessError
pkispawn    : DEBUG    ....... Error Message: Command '['pki-server', 'subsystem-cert-validate', '-i', 'TestBZ', 'ca', 'signing']' returned non-zero exit status 1
pkispawn    : DEBUG    .......   File "/usr/sbin/pkispawn", line 528, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 283, in spawn
    verifier.verify_certificate('signing')
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 4646, in verify_certificate
    stderr=subprocess.STDOUT)
  File "/usr/lib64/python2.7/subprocess.py", line 575, in check_output
    raise CalledProcessError(retcode, cmd, output=output)


Installation failed: Command '['pki-server', 'subsystem-cert-validate', '-i', 'TestBZ', 'ca', 'signing']' returned non-zero exit status 1


Test Case 3: No changes done in any profile and we try to stepup externalCA
============ using 2 step installation.


Setup:
======

1. I created my csr request.
2. I get it signed by some other CA.
3. No changes done in any profile.Still i see same subsystem cert validation failure.I am not sure why it happens

pkispawn    : INFO     ....... importing caSigningCert cert-TestBZ CA from cert_new
pkispawn    : INFO     ....... importing certificate chain caSigningCert External CA from chain_new
pkispawn    : INFO     ....... validating the signing certificate
pkispawn    : ERROR    ....... pki-server subsystem-cert-validate return code: 1
pkispawn    : ERROR    .......   Cert ID: signing
  Nickname: caSigningCert cert-TestBZ CA
  Usage: SSLCA
  Token: Internal Key Storage Token
  Status: INVALID
-----------------
Validation failed
-----------------

pkispawn    : DEBUG    ....... Error Type: CalledProcessError
pkispawn    : DEBUG    ....... Error Message: Command '['pki-server', 'subsystem-cert-validate', '-i', 'TestBZ', 'ca', 'signing']' returned non-zero exit status 1
pkispawn    : DEBUG    .......   File "/usr/sbin/pkispawn", line 528, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 283, in spawn
    verifier.verify_certificate('signing')
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 4646, in verify_certificate
    stderr=subprocess.STDOUT)
  File "/usr/lib64/python2.7/subprocess.py", line 575, in check_output
    raise CalledProcessError(retcode, cmd, output=output)


Installation failed: Command '['pki-server', 'subsystem-cert-validate', '-i', 'TestBZ', 'ca', 'signing']' returned non-zero exit status 1

Comment 10 Christina Fu 2016-08-22 18:33:39 UTC

After installation, you do customization in the instance directory, not the global one.

Here is a link that explains it:
http://pki.fedoraproject.org/wiki/Custom_Installation

concept is two steps
1. installation
1.5 customization (this is where you make changes into the instance directory)
2. configuration

also, please verify with Asha, I think the procedure is to make sure your steps are correct, and you are absolutely sure that it failed the test before you mark it failed QE.  Not when you are still asking questions for clarification of steps.
Thanks.

Comment 11 Matthew Harmsen 2016-08-22 19:06:56 UTC

Because this was a procedural change, and did not require any code changes or new builds, moving status to MODIFIED so that it can be placed back ON_QA.

Comment 12 Geetika Kapoor 2016-08-23 07:04:51 UTC

Build::10.3.3-5.el7

New CA installation:

Setup::
=====

1. Refer http://pki.fedoraproject.org/wiki/Custom_Installation.
2. Use config file in 2 step.Config file is attached in BZ that has been used for testing.
	a. Configuration
	b. installation
3. Make changes in susbsystem.profile after configuration and then run installation.
4. Verify the certificate of subsystem.

Result:
=======

After test:
--------- 

Certificate: 
        Data: 
            Version:  v3
            Serial Number: 0x60000003
            Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
            Issuer: CN=CA Signing Certificate,O=topology-02_Foobarmaster.org
            Validity: 
                Not Before: Friday, September 2, 2016 1:28:33 PM EDT America/New_York
                Not  After: Tuesday, September 2, 2036 1:28:32 PM EDT America/New_York-
            Subject: CN=Subsystem Certificate,O=topology-02_Foobarmaster.org



    Certificate: 
        Data: 
            Version:  v3
            Serial Number: 0x60000001
            Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
            Issuer: CN=CA Signing Certificate,O=topology-02_Foobarmaster.org
            Validity: 
                Not Before: Friday, September 2, 2016 1:28:32 PM EDT America/New_York
                Not  After: Thursday, August 23, 2018 1:28:32 PM EDT America/New_York
            Subject: CN=CA OCSP Signing Certificate,O=topology-02_Foobarmaster.org


    Certificate: 
        Data: 
            Version:  v3
            Serial Number: 0x60000005
            Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
            Issuer: CN=CA Signing Certificate,O=topology-02_Foobarmaster.org
            Validity: 
                Not Before: Friday, September 2, 2016 1:28:34 PM EDT America/New_York
                Not  After: Thursday, August 23, 2018 1:28:34 PM EDT America/New_York
            Subject: CN=PKI Administrator,E=caadmin,O=topology-02_Foobarmaster.org
            Subject Public Key Info: 
                Algorithm: RSA - 1.2.840.113549.1.1.1


[root@pki1 test_dir]# pki-server subsystem-cert-validate -i topology-02-CA-BZ ca 
  Cert ID: signing
  Nickname: caSigningCert cert-topology-02-CA-BZ CA
  Usage: SSLCA
  Token: Internal Key Storage Token
  Status: VALID

  Cert ID: ocsp_signing
  Nickname: ocspSigningCert cert-topology-02-CA-BZ CA
  Usage: StatusResponder
  Token: Internal Key Storage Token
  Status: VALID

  Cert ID: sslserver
  Nickname: Server-Cert cert-topology-02-CA-BZ
  Usage: SSLServer
  Token: Internal Key Storage Token
  Status: VALID

  Cert ID: subsystem
  Nickname: subsystemCert cert-topology-02-CA-BZ
  Usage: SSLClient
  Token: Internal Key Storage Token
  Status: VALID

  Cert ID: audit_signing
  Nickname: auditSigningCert cert-topology-02-CA-BZ CA
  Usage: ObjectSigner
  Token: Internal Key Storage Token
  Status: VALID
--------------------
Validation succeeded
--------------------

===================================================================================================
External CA:
------------

Setup::
=====

1. Refer http://pki.fedoraproject.org/wiki/Installing_CA_with_Externaly-Signed_CA_Certificate
2. Use config file as attached in BZ.Run step1.
3. Make changes in susbsystem.profile after step1 and then run step2.
4. Verify the certificate of subsystem.

Test Case 1:(subsystem validity > CA validity)
	Result :: it will take max validity as CA signing validity

Test Case 2: if subsytem time is less than CA extended time then:(subsystem validity < CA validity) 
	Result :: it will take max validity as mentioned in subsystem.profile


    Certificate: 
        Data: 
            Version:  v3
            Serial Number: 0x60000002
            Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
            Issuer: CN=CA Signing Certificate,O=example.com Security Domain
            Validity: 
                Not Before: Friday, September 2, 2016 3:00:17 PM EDT America/New_York
                Not  After: Friday, December 2, 2016 1:59:10 PM EST America/New_York
            Subject: CN=Subsystem Certificate,O=example.com Security Domain
            Subject Public Key Info: 
                Algorithm: RSA - 1.2.840.113549.1.1.1
    Certificate: 
        Data: 
            Version:  v3
            Serial Number: 0x60000004
            Signature Algorithm: SHA256withRSA - 1.2.840.113549.1.1.11
            Issuer: CN=CA Signing Certificate,O=example.com Security Domain
            Validity: 
                Not Before: Friday, September 2, 2016 3:00:17 PM EDT America/New_York
                Not  After: Friday, December 2, 2016 1:59:10 PM EST America/New_York
            Subject: CN=PKI Administrator,E=caadmin,O=example.com Security Domain

(subsystem validity > CA validity) Result :: it will take max validity as CA signing validity

    Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1610612738 (0x60000002)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer:
            commonName                = CA Signing Certificate
            organizationName          = example.com Security Domain
        Validity
            Not Before: Sep  2 19:39:45 2016 GMT
            Not After : May  2 19:39:00 2193 GMT
        Subject:
            commonName                = Subsystem Certificate
            organizationName          = example.com Security Domain
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption

if subsytem time is less than CA extended time then:(subsystem validity < CA validity) Result :: it will take max validity as mentioned in subsystem.profile

   Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1610612738 (0x60000002)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer:
            commonName                = CA Signing Certificate
            organizationName          = example.com Security Domain
        Validity
            Not Before: Sep  2 19:43:01 2016 GMT
            Not After : Nov 13 20:43:01 2016 GMT
        Subject:
            commonName                = Subsystem Certificate
            organizationName          = example.com Security Domain
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:af:ec:88:98:8b:8d:fe:d5:43:ba:31:72:e6:a3:

Comment 13 Geetika Kapoor 2016-08-23 07:10:23 UTC

Created attachment 1193164 [details]
Config_files

This has configuration files and steps to test this BZ

Comment 14 Geetika Kapoor 2016-08-23 07:21:41 UTC

Additional Tests:

Test steps for extrenal CA::

1. pkispawn -f step1.cfg -s CA -vvv
2. rm -rf nssdb if already exists.
3. ./nssdb_script
4. Make changes in subsystem.profile.
5. pkisawn -f step2.cfg -s CA -vvv


Test Case 1: Empty value of range in subsystem.profile

Installation failed:
com.netscape.certsrv.base.PKIException: Error in setting certificate names and key sizes: java.io.IOException: Unable to create local certificate: java.lang.NumberFormatException: For input string: ""


Test Case 2: Invalid interger range provided.


Installation failed:
com.netscape.certsrv.base.PKIException: Error in setting certificate names and key sizes: java.io.IOException: Unable to create local certificate: java.lang.NumberFormatException: For input string: "78095689999999999999"

Test Case 3: "0" is added as range for validity

     commonName                = CA Signing Certificate
            organizationName          = example.com Security Domain
        Validity
            Not Before: Sep  2 20:06:26 2016 GMT
            Not After : Sep  2 20:06:26 2016 GMT
        Subject:
            commonName                = Subsystem Certificate
            organizationName          = example.com Security Domain
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption

Comment 16 errata-xmlrpc 2016-11-04 05:25:35 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2396.html

Note You need to log in before you can comment on or make changes to this bug.