RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1364867 - Lightweight CA GET {id}/chain returns bogus PEM data
Summary: Lightweight CA GET {id}/chain returns bogus PEM data
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.3
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: rc
: ---
Assignee: RHCS Maintainers
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-08-08 04:50 UTC by Fraser Tweedale
Modified: 2020-10-04 21:13 UTC (History)
3 users (show)

Fixed In Version: pki-core-10.3.3-5.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-04 05:26:58 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
ldap_data (177.69 KB, image/png)
2016-09-20 07:37 UTC, Geetika Kapoor 		no flags Details
debug (2.71 MB, text/plain)
2016-09-20 07:38 UTC, Geetika Kapoor 		no flags Details
non-hsm-debug (349.93 KB, application/zip)
2016-09-22 18:00 UTC, Geetika Kapoor 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Github dogtagpki pki issues 2553 0 None None None 2020-10-04 21:13:51 UTC
Red Hat Product Errata RHBA-2016:2396 0 normal SHIPPED_LIVE pki-core bug fix and enhancement update 2016-11-03 13:55:03 UTC

Description Fraser Tweedale 2016-08-08 04:50:21 UTC 
Description of problem:

The lightweight CA PKCS #7 cert chain retrieval (PEM format) method returns bogus data: it returns the X.509 cert wrapped in PKCS7 pem header instead of PKCS #7 data. 


Version-Release number of selected component (if applicable):

10.3


How reproducible:

Always


Steps to Reproduce:
1. HTTP request 'GET /ca/authorities/chain' with header 'Accept: application/x-pem-file'

Actual results: 

Returned data is not a valid PEM-encoded PKCS #7 object.


Expected results:

Returned data is a valid PEM-encoded PKCS #7 object.


Additional info:
Comment 1 Fraser Tweedale 2016-08-08 04:52:01 UTC 
Fix has been committed to upstream master branch.
Comment 4 Geetika Kapoor 2016-09-19 09:52:09 UTC 
Hi Fraser,

How i can setup lightweight CA.I think if a CA is lightweight it should have isHostAuthority="true"???

Thanks
Geetika
Comment 5 Fraser Tweedale 2016-09-19 11:11:25 UTC 
Hi Geetika,

The "host authority" is the "main CA" i.e. the CA that gets set up when
you spawn a CA instance.  Only this CA will have "isHostAuthority: true";
all lightweight CAs will have "false".

Actually, to verify this ticket you don't need to create a lightweight
CA at all.  Querying the host authority will suffice.



  curl --silent --header "Accept: application/x-pem-file" \
    https://$(hostname):8443/ca/rest/authorities/<authority-uuid>/chain \
    | openssl pkcs7 -text

If openssl parses the returned data successfully and returns exit code 0,
the fix is verified.
Comment 6 Geetika Kapoor 2016-09-20 05:55:35 UTC 
Hi Fraser, 

I tried opening "https://nocp30.idm.lab.eng.rdu2.redhat.com:30142/ca/rest/authorities" I see below mentioned data :

==========================================================================
<collection><authority isHostAuthority="false" id="5bdfcd18-d4a3-47be-a99f-cd0891859713" issuerDN="CN=External CA,O=EXTERNAL" serial="8704" dn="CN=CA Signing Certificate,O=EXAMPLE" enabled="true" description="Host authority" ready="false"/></collection>
=========================================================================

-- since isHostAuthority="false" , i think it can be considered as lightweight CA .

Later i use command as mentioned above , it doesn't give any data .

curl --silent --header "Accept: application/x-pem-file" https://nocp30.idm.lab.eng.rdu2.redhat.com:30142/ca/rest/authorities/5bdfcd18-d4a3-47be-a99f-cd0891859713/chain | openssl pkcs7 -text
unable to load PKCS7 object
140575464462240:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: PKCS7

Thanks
Geetika
Comment 7 Fraser Tweedale 2016-09-20 06:32:43 UTC 
Geetika, can you please send me the `/var/log/pki/<instance>/ca/debug`
log file, and advise what is the contents of the `ou=authorities,ou=ca,{basedn}`
LDAP subtree?

In the meantime, you may be able to verify the issue if you deploy it
as part of IPA, because IPA sets everything up properly for lightweight CAs.

But certainly I need to understand exactly what is going on in your
scenario.  (It might be "normal", just surprising, but I need logs and
LDAP data to confirm).

Thanks!
Comment 8 Geetika Kapoor 2016-09-20 07:37:23 UTC 
Created attachment 1202738 [details]
ldap_data
Comment 9 Geetika Kapoor 2016-09-20 07:38:10 UTC 
Created attachment 1202739 [details]
debug
Comment 10 Geetika Kapoor 2016-09-20 07:39:06 UTC 
Sure Fraser all the needed information is attached.
Comment 11 Fraser Tweedale 2016-09-21 05:11:34 UTC 
The installation is using HSM.  Please try and verify on a non-HSM
Dogtag installation (we don't support lightweight CAs on HSM).
Comment 12 Geetika Kapoor 2016-09-21 10:41:41 UTC 
This is not working with external CA (HSM as well as non HSM).
Marking this bug as assigned.
Comment 13 Fraser Tweedale 2016-09-22 03:16:52 UTC 
Two new bugs created for problems encountered during verification:

- two-step externally-signed CA installation fails due to missing AuthorityID
  https://bugzilla.redhat.com/show_bug.cgi?id=1378275
- Spurious host authority entries created
  https://bugzilla.redhat.com/show_bug.cgi?id=1378277

As for this issue, I think even with externally-signed CA (but NOT
HSM-based) you should still be able to verify it with the following
command: 

  # curl --insecure --silent \
      --header 'Accept: application/x-pem-file' \
      https://$(hostname):8443/ca/rest/authorities/<authority-id>/chain \
    | openssl pkcs7 -noout
  # echo $?
  0

As before, find the <authority-id>
If the pipeline runs successfully, it is verified (the response is a
valid PEM-encoded PKCS #7 object)

If it does not run successfully, please include the debug log file and
the verbose Curl output:

  curl -v --insecure --silent \
      --header 'Accept: application/x-pem-file' \
      https://$(hostname):8443/ca/rest/authorities/<authority-id>/chain
Comment 14 Matthew Harmsen 2016-09-22 17:16:20 UTC 
(In reply to Fraser Tweedale from comment #13)
> Two new bugs created for problems encountered during verification:
> 
> - two-step externally-signed CA installation fails due to missing AuthorityID
>   https://bugzilla.redhat.com/show_bug.cgi?id=1378275
> - Spurious host authority entries created
>   https://bugzilla.redhat.com/show_bug.cgi?id=1378277
> 

Both of these bugs have been marked as potential ZStream candidates.

> As for this issue, I think even with externally-signed CA (but NOT
> HSM-based) you should still be able to verify it with the following
> command: 
> 
>   # curl --insecure --silent \
>       --header 'Accept: application/x-pem-file' \
>       https://$(hostname):8443/ca/rest/authorities/<authority-id>/chain \
>     | openssl pkcs7 -noout
>   # echo $?
>   0
> 
> As before, find the <authority-id>
> If the pipeline runs successfully, it is verified (the response is a
> valid PEM-encoded PKCS #7 object)
> 
> If it does not run successfully, please include the debug log file and
> the verbose Curl output:
> 
>   curl -v --insecure --silent \
>       --header 'Accept: application/x-pem-file' \
>       https://$(hostname):8443/ca/rest/authorities/<authority-id>/chain

Resetting Bug back to ON_QA.
Comment 15 Geetika Kapoor 2016-09-22 17:40:13 UTC 
above never worked with ExternalCA with/without HSM
Comment 16 Geetika Kapoor 2016-09-22 17:58:14 UTC 
non-hsm:

curl --silent --header "Accept: application/x-pem-file" https://pki1.example.com:30142/ca/rest/authorities/7e2db366-2b72-4694-b345-d0da6a634b9f/chain | openssl pkcs7 -text
unable to load PKCS7 object
140143631599520:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: PKCS7


Debugs : logs are attached
Comment 17 Geetika Kapoor 2016-09-22 18:00:46 UTC 
Created attachment 1203868 [details]
non-hsm-debug
Comment 18 Geetika Kapoor 2016-09-23 04:59:52 UTC 
curl --silent -k --header "Accept: application/x-pem-file" https://pki1.example.com:30142/ca/rest/authorities/7e2db366-2b72-4694-b345-d0da6a634b9f/chain | openssl pkcs7 -text
-----BEGIN PKCS7-----
MIIJbAYJKoZIhvcNAQcCoIIJXTCCCVkCAQExADAPBgkqhkiG9w0BBwGgAgQAoIIJ
PTCCA/0wggHloAMCAQICAhAAMA0GCSqGSIb3DQEBCwUAMCkxETAPBgNVBAoMCEVY
VEVSTkFMMRQwEgYDVQQDDAtFeHRlcm5hbCBDQTAeFw0xNjA5MTUwNjE3MjVaFw0x
NzA5MjUwNjE3MjVaMDMxEDAOBgNVBAoTB0VYQU1QTEUxHzAdBgNVBAMTFkNBIFNp
Z25pbmcgQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQCrxtaUa4mHOch3qVsC/a2f32TmC27yxKUKtiIzRGpRnwQZAvRf/iNdzL5IUZli
u/Ss63nEV8agZAJxwR399APw4eu8RuecXMMnYYaNslqM07sJB3ORX3ycl2N24xqX
3LjA+w6qbzs8oYeeIry0Nq5obovwDkmdQr+HPfJSSUjul6LY7oveuzfL7xjsWbP4
W1gYvsY6c06lnPAIhCmwZGx+I2o+Xt1wJJawxk2gq/gzJS5nb8qmAIXYmQK0Dg4I
+6oIez+zQGfaY7hXhaKubE8OvoqiVJQYjOqYN7nmv77rba/1pchh9t1kpiIo0Fr0
mophkD4vPWuJsVobaXIeQI8rAgMBAAGjJTAjMA4GA1UdDwEB/wQEAwIBhjARBglg
hkgBhvhCAQEEBAMCAjQwDQYJKoZIhvcNAQELBQADggIBAJGW4Afh7hqtncNmZ8OP
qSw8nDHQRg2i4zRfsb//61/L5nTCKRYckES8WpJEvq7uKwvxdaLx6fjRSBk2maQQ
D/tkukFXpViZBZNcaRVws1jvDU9JCD4BeLbJCGzSTgnoOY3fX2gz3E7k541HMPZe
pgtx21MVqhX8lwTBk8Mg3+9mikCoUtR9xxpLifMykAS4yGM0q+Zgn9HGgQ7QUc4+
yQqDD3PoKslLeQ1/n0wi91INobBQiD9ks2MGIRtz4dkhzWtiOBHLdGW2WocQxMbM
iJnI++W/ONTVTXr/S5tdBVIGj7gIRmxHly7Jq7iM0sURuBuQQn2R/mq3iFxJKjCK
455Znv8A+XDbw+bHjO508NvhalJD4seOEBBuwc221rNdD9ceqHs8vbEng/SizQ0O
DZBYNT2prxporf96O+dpsJIz9FFCEP44xhUize1IG6BeStJN/RSXMW04eTDldLdV
L/fr24FPhpaFjlnDVh+TmmGZhp6bQHRIGKI35xE7we+OvwlFv6RXfl+jPy+9AURM
nTVbH0i8gy60VMuXIUb9hAv+iTLL++emusvmtOqoWmdnkuoB4vjeKQyOi48C1o1D
TtPDui6CnePAowECY4NZT/6mmndN2SjpISnU/KLhxwN7HIlh36axZNL/UddebEao
FDwSVz6eVxOk8754MNswVRIIMIIFODCCAyCgAwIBAgIJALs8aVwiXfLWMA0GCSqG
SIb3DQEBCwUAMCkxETAPBgNVBAoMCEVYVEVSTkFMMRQwEgYDVQQDDAtFeHRlcm5h
bCBDQTAeFw0xNjA5MTUwNjE3MDVaFw0zNjA5MTAwNjE3MDVaMCkxETAPBgNVBAoM
CEVYVEVSTkFMMRQwEgYDVQQDDAtFeHRlcm5hbCBDQTCCAiIwDQYJKoZIhvcNAQEB
BQADggIPADCCAgoCggIBAMeMxWVPN7wpMeyXAR0arPoMt7MWM7VDIm2CImYqZWXK
sRSvJtw3j63M4EO9dQhdWsl1rqNzPJtXH0oZyR07M28Z1F9RDA2Bk51P7qqwOS07
0Vud0BQHv+20WbcUoQWMdlzC+ILZd053HVpR5RHgQt2H8/gByMwIo+UY1GxNTYq1
j6N6h51shwOQdidv/rmHiq8yC4wuXkkOQQHGuBu4/ldwkBrZV3Ipd1fziX29CKZG
zlYUf2J9gnDkeLqJZm2hHsubI74EyZSL1zGKLngesTEVFVVQ93AaFKSgvml8FW19
KLXoD/PmHKq4QvNXWK14aV085ATzL/w0ooR5E73PPCyU+XKZoJeoyFbWZNJKSYD9
hXE9gXjM5fGhHlCQN/WoaUUCf6+PIbIziGztzmqXGns3vjTVIQPf8efWI/0Z21iC
tkqd1+O92xMvONHY34UUOSvOsRKY4Nhxz/N3M2kKaYvFGwH0svoP3EV5BzlrzuZD
oVGkmiWEwBZ3DI0VBY2rF5gsWGheHRbvJ8kS8ycEOS6VyUU0xcnobFjCB5BGh22B
5cYyMrOjjBCTwUnnZj9OUE0ZCQeT8sS17kysdXt1kDkEfvjXIGC7OQ8ufMJnkpNg
x1SPaYxWeucNfu3ODsQyhw19v5TThpKEw+SJn5rJH0Uu9BLL8BAY0rGg72+MVdVH
AgMBAAGjYzBhMB0GA1UdDgQWBBRhLHfDH7ILVRq1G+apI88DPALDpTAfBgNVHSME
GDAWgBRhLHfDH7ILVRq1G+apI88DPALDpTAPBgNVHRMBAf8EBTADAQH/MA4GA1Ud
DwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOCAgEAubSSJDg8/4kx23Z92pkpf5QI
qz2APDn99rc1evyS7MEjEZ6ShrLp2cy5Fx6KmuLnFm91NKwWoOO6Zvw+qGzsqU4+
JALsYqW/80LEPpUHbYXOy8XY3Ed97HuRcWLt9B8XqVAQ9ZHQ+S5Ksy7xCzqYvxX8
GwbroyXAWR8Jfl1t9NGpwDkjQ4Klh1k+J0ylosYRD0Z8rOiCjQquGiMQWTI6G0co
/JKSMA0amrcvCeQBEP/0kEsrd3K1UUffo6qgaZ4jxGqpQwPRT4QrxBP2dGi3RhBT
TTAfr6l5PprtjYcBk8fx84YrbaKnWH29bPST4Bw7UrGMUqB3ISt+H9IYj0CB355C
dDuPrJl9IqeNepoTp4ngBmSqXXIP0hQSQZT3gqhgjkBtwytZEVP6PoEdRGZzc1xX
d+w9C1v3Ea9qr7G0KdeVIy+3sRBS+WrJjU4e1NvTqCgmFzjisVff+LSCcQm/pq+u
I77EyORZYhwKbAq6rj5i7tRvuFIehEeQmHBHTcQRhyDxYyeENz8ch1fT0LBO2h5Q
jvxV2UVJklHUjY3mMwRWHzOKaiR3HLrBiiyP3es+cNd13C5KhFmSLusefZrDRQGt
jOV0eXYLxM9f8ZW6HgXe+P5Ku82e7xvOrKCR8QB1tlfv2NJp3TB6oFIgLnoL3Q9H
w0ISzcvsFVH7h5Eex1IxAA==
-----END PKCS7-----


Decoded certificate ::

PKCS#7 Detailed Information
    Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4096 (0x1000)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=EXTERNAL, CN=External CA
        Validity
            Not Before: Sep 15 06:17:25 2016 GMT
            Not After : Sep 25 06:17:25 2017 GMT
        Subject: O=EXAMPLE, CN=CA Signing Certificate
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ab:c6:d6:94:6b:89:87:39:c8:77:a9:5b:02:fd:
                    ad:9f:df:64:e6:0b:6e:f2:c4:a5:0a:b6:22:33:44:
                    6a:51:9f:04:19:02:f4:5f:fe:23:5d:cc:be:48:51:
                    99:62:bb:f4:ac:eb:79:c4:57:c6:a0:64:02:71:c1:
                    1d:fd:f4:03:f0:e1:eb:bc:46:e7:9c:5c:c3:27:61:
                    86:8d:b2:5a:8c:d3:bb:09:07:73:91:5f:7c:9c:97:
                    63:76:e3:1a:97:dc:b8:c0:fb:0e:aa:6f:3b:3c:a1:
                    87:9e:22:bc:b4:36:ae:68:6e:8b:f0:0e:49:9d:42:
                    bf:87:3d:f2:52:49:48:ee:97:a2:d8:ee:8b:de:bb:
                    37:cb:ef:18:ec:59:b3:f8:5b:58:18:be:c6:3a:73:
                    4e:a5:9c:f0:08:84:29:b0:64:6c:7e:23:6a:3e:5e:
                    dd:70:24:96:b0:c6:4d:a0:ab:f8:33:25:2e:67:6f:
                    ca:a6:00:85:d8:99:02:b4:0e:0e:08:fb:aa:08:7b:
                    3f:b3:40:67:da:63:b8:57:85:a2:ae:6c:4f:0e:be:
                    8a:a2:54:94:18:8c:ea:98:37:b9:e6:bf:be:eb:6d:
                    af:f5:a5:c8:61:f6:dd:64:a6:22:28:d0:5a:f4:9a:
                    8a:61:90:3e:2f:3d:6b:89:b1:5a:1b:69:72:1e:40:
                    8f:2b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            Netscape Cert Type: 
                S/MIME, Object Signing, SSL CA
    Signature Algorithm: sha256WithRSAEncryption
         91:96:e0:07:e1:ee:1a:ad:9d:c3:66:67:c3:8f:a9:2c:3c:9c:
         31:d0:46:0d:a2:e3:34:5f:b1:bf:ff:eb:5f:cb:e6:74:c2:29:
         16:1c:90:44:bc:5a:92:44:be:ae:ee:2b:0b:f1:75:a2:f1:e9:
         f8:d1:48:19:36:99:a4:10:0f:fb:64:ba:41:57:a5:58:99:05:
         93:5c:69:15:70:b3:58:ef:0d:4f:49:08:3e:01:78:b6:c9:08:
         6c:d2:4e:09:e8:39:8d:df:5f:68:33:dc:4e:e4:e7:8d:47:30:
         f6:5e:a6:0b:71:db:53:15:aa:15:fc:97:04:c1:93:c3:20:df:
         ef:66:8a:40:a8:52:d4:7d:c7:1a:4b:89:f3:32:90:04:b8:c8:
         63:34:ab:e6:60:9f:d1:c6:81:0e:d0:51:ce:3e:c9:0a:83:0f:
         73:e8:2a:c9:4b:79:0d:7f:9f:4c:22:f7:52:0d:a1:b0:50:88:
         3f:64:b3:63:06:21:1b:73:e1:d9:21:cd:6b:62:38:11:cb:74:
         65:b6:5a:87:10:c4:c6:cc:88:99:c8:fb:e5:bf:38:d4:d5:4d:
         7a:ff:4b:9b:5d:05:52:06:8f:b8:08:46:6c:47:97:2e:c9:ab:
         b8:8c:d2:c5:11:b8:1b:90:42:7d:91:fe:6a:b7:88:5c:49:2a:
         30:8a:e3:9e:59:9e:ff:00:f9:70:db:c3:e6:c7:8c:ee:74:f0:
         db:e1:6a:52:43:e2:c7:8e:10:10:6e:c1:cd:b6:d6:b3:5d:0f:
         d7:1e:a8:7b:3c:bd:b1:27:83:f4:a2:cd:0d:0e:0d:90:58:35:
         3d:a9:af:1a:68:ad:ff:7a:3b:e7:69:b0:92:33:f4:51:42:10:
         fe:38:c6:15:22:cd:ed:48:1b:a0:5e:4a:d2:4d:fd:14:97:31:
         6d:38:79:30:e5:74:b7:55:2f:f7:eb:db:81:4f:86:96:85:8e:
         59:c3:56:1f:93:9a:61:99:86:9e:9b:40:74:48:18:a2:37:e7:
         11:3b:c1:ef:8e:bf:09:45:bf:a4:57:7e:5f:a3:3f:2f:bd:01:
         44:4c:9d:35:5b:1f:48:bc:83:2e:b4:54:cb:97:21:46:fd:84:
         0b:fe:89:32:cb:fb:e7:a6:ba:cb:e6:b4:ea:a8:5a:67:67:92:
         ea:01:e2:f8:de:29:0c:8e:8b:8f:02:d6:8d:43:4e:d3:c3:ba:
         2e:82:9d:e3:c0:a3:01:02:63:83:59:4f:fe:a6:9a:77:4d:d9:
         28:e9:21:29:d4:fc:a2:e1:c7:03:7b:1c:89:61:df:a6:b1:64:
         d2:ff:51:d7:5e:6c:46:a8:14:3c:12:57:3e:9e:57:13:a4:f3:
         be:78:30:db:30:55:12:08
-----BEGIN CERTIFICATE-----
MIID/TCCAeWgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwKTERMA8GA1UECgwIRVhU
RVJOQUwxFDASBgNVBAMMC0V4dGVybmFsIENBMB4XDTE2MDkxNTA2MTcyNVoXDTE3
MDkyNTA2MTcyNVowMzEQMA4GA1UEChMHRVhBTVBMRTEfMB0GA1UEAxMWQ0EgU2ln
bmluZyBDZXJ0aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AKvG1pRriYc5yHepWwL9rZ/fZOYLbvLEpQq2IjNEalGfBBkC9F/+I13MvkhRmWK7
9KzrecRXxqBkAnHBHf30A/Dh67xG55xcwydhho2yWozTuwkHc5FffJyXY3bjGpfc
uMD7DqpvOzyhh54ivLQ2rmhui/AOSZ1Cv4c98lJJSO6Xotjui967N8vvGOxZs/hb
WBi+xjpzTqWc8AiEKbBkbH4jaj5e3XAklrDGTaCr+DMlLmdvyqYAhdiZArQODgj7
qgh7P7NAZ9pjuFeFoq5sTw6+iqJUlBiM6pg3uea/vuttr/WlyGH23WSmIijQWvSa
imGQPi89a4mxWhtpch5AjysCAwEAAaMlMCMwDgYDVR0PAQH/BAQDAgGGMBEGCWCG
SAGG+EIBAQQEAwICNDANBgkqhkiG9w0BAQsFAAOCAgEAkZbgB+HuGq2dw2Znw4+p
LDycMdBGDaLjNF+xv//rX8vmdMIpFhyQRLxakkS+ru4rC/F1ovHp+NFIGTaZpBAP
+2S6QVelWJkFk1xpFXCzWO8NT0kIPgF4tskIbNJOCeg5jd9faDPcTuTnjUcw9l6m
C3HbUxWqFfyXBMGTwyDf72aKQKhS1H3HGkuJ8zKQBLjIYzSr5mCf0caBDtBRzj7J
CoMPc+gqyUt5DX+fTCL3Ug2hsFCIP2SzYwYhG3Ph2SHNa2I4Ect0ZbZahxDExsyI
mcj75b841NVNev9Lm10FUgaPuAhGbEeXLsmruIzSxRG4G5BCfZH+areIXEkqMIrj
nlme/wD5cNvD5seM7nTw2+FqUkPix44QEG7BzbbWs10P1x6oezy9sSeD9KLNDQ4N
kFg1PamvGmit/3o752mwkjP0UUIQ/jjGFSLN7UgboF5K0k39FJcxbTh5MOV0t1Uv
9+vbgU+GloWOWcNWH5OaYZmGnptAdEgYojfnETvB746/CUW/pFd+X6M/L70BREyd
NVsfSLyDLrRUy5chRv2EC/6JMsv756a6y+a06qhaZ2eS6gHi+N4pDI6LjwLWjUNO
08O6LoKd48CjAQJjg1lP/qaad03ZKOkhKdT8ouHHA3sciWHfprFk0v9R115sRqgU
PBJXPp5XE6Tzvngw2zBVEgg=
-----END CERTIFICATE-----

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 13491774428129653462 (0xbb3c695c225df2d6)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=EXTERNAL, CN=External CA
        Validity
            Not Before: Sep 15 06:17:05 2016 GMT
            Not After : Sep 10 06:17:05 2036 GMT
        Subject: O=EXTERNAL, CN=External CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:c7:8c:c5:65:4f:37:bc:29:31:ec:97:01:1d:1a:
                    ac:fa:0c:b7:b3:16:33:b5:43:22:6d:82:22:66:2a:
                    65:65:ca:b1:14:af:26:dc:37:8f:ad:cc:e0:43:bd:
                    75:08:5d:5a:c9:75:ae:a3:73:3c:9b:57:1f:4a:19:
                    c9:1d:3b:33:6f:19:d4:5f:51:0c:0d:81:93:9d:4f:
                    ee:aa:b0:39:2d:3b:d1:5b:9d:d0:14:07:bf:ed:b4:
                    59:b7:14:a1:05:8c:76:5c:c2:f8:82:d9:77:4e:77:
                    1d:5a:51:e5:11:e0:42:dd:87:f3:f8:01:c8:cc:08:
                    a3:e5:18:d4:6c:4d:4d:8a:b5:8f:a3:7a:87:9d:6c:
                    87:03:90:76:27:6f:fe:b9:87:8a:af:32:0b:8c:2e:
                    5e:49:0e:41:01:c6:b8:1b:b8:fe:57:70:90:1a:d9:
                    57:72:29:77:57:f3:89:7d:bd:08:a6:46:ce:56:14:
                    7f:62:7d:82:70:e4:78:ba:89:66:6d:a1:1e:cb:9b:
                    23:be:04:c9:94:8b:d7:31:8a:2e:78:1e:b1:31:15:
                    15:55:50:f7:70:1a:14:a4:a0:be:69:7c:15:6d:7d:
                    28:b5:e8:0f:f3:e6:1c:aa:b8:42:f3:57:58:ad:78:
                    69:5d:3c:e4:04:f3:2f:fc:34:a2:84:79:13:bd:cf:
                    3c:2c:94:f9:72:99:a0:97:a8:c8:56:d6:64:d2:4a:
                    49:80:fd:85:71:3d:81:78:cc:e5:f1:a1:1e:50:90:
                    37:f5:a8:69:45:02:7f:af:8f:21:b2:33:88:6c:ed:
                    ce:6a:97:1a:7b:37:be:34:d5:21:03:df:f1:e7:d6:
                    23:fd:19:db:58:82:b6:4a:9d:d7:e3:bd:db:13:2f:
                    38:d1:d8:df:85:14:39:2b:ce:b1:12:98:e0:d8:71:
                    cf:f3:77:33:69:0a:69:8b:c5:1b:01:f4:b2:fa:0f:
                    dc:45:79:07:39:6b:ce:e6:43:a1:51:a4:9a:25:84:
                    c0:16:77:0c:8d:15:05:8d:ab:17:98:2c:58:68:5e:
                    1d:16:ef:27:c9:12:f3:27:04:39:2e:95:c9:45:34:
                    c5:c9:e8:6c:58:c2:07:90:46:87:6d:81:e5:c6:32:
                    32:b3:a3:8c:10:93:c1:49:e7:66:3f:4e:50:4d:19:
                    09:07:93:f2:c4:b5:ee:4c:ac:75:7b:75:90:39:04:
                    7e:f8:d7:20:60:bb:39:0f:2e:7c:c2:67:92:93:60:
                    c7:54:8f:69:8c:56:7a:e7:0d:7e:ed:ce:0e:c4:32:
                    87:0d:7d:bf:94:d3:86:92:84:c3:e4:89:9f:9a:c9:
                    1f:45:2e:f4:12:cb:f0:10:18:d2:b1:a0:ef:6f:8c:
                    55:d5:47
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                61:2C:77:C3:1F:B2:0B:55:1A:B5:1B:E6:A9:23:CF:03:3C:02:C3:A5
            X509v3 Authority Key Identifier: 
                keyid:61:2C:77:C3:1F:B2:0B:55:1A:B5:1B:E6:A9:23:CF:03:3C:02:C3:A5

            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
         b9:b4:92:24:38:3c:ff:89:31:db:76:7d:da:99:29:7f:94:08:
         ab:3d:80:3c:39:fd:f6:b7:35:7a:fc:92:ec:c1:23:11:9e:92:
         86:b2:e9:d9:cc:b9:17:1e:8a:9a:e2:e7:16:6f:75:34:ac:16:
         a0:e3:ba:66:fc:3e:a8:6c:ec:a9:4e:3e:24:02:ec:62:a5:bf:
         f3:42:c4:3e:95:07:6d:85:ce:cb:c5:d8:dc:47:7d:ec:7b:91:
         71:62:ed:f4:1f:17:a9:50:10:f5:91:d0:f9:2e:4a:b3:2e:f1:
         0b:3a:98:bf:15:fc:1b:06:eb:a3:25:c0:59:1f:09:7e:5d:6d:
         f4:d1:a9:c0:39:23:43:82:a5:87:59:3e:27:4c:a5:a2:c6:11:
         0f:46:7c:ac:e8:82:8d:0a:ae:1a:23:10:59:32:3a:1b:47:28:
         fc:92:92:30:0d:1a:9a:b7:2f:09:e4:01:10:ff:f4:90:4b:2b:
         77:72:b5:51:47:df:a3:aa:a0:69:9e:23:c4:6a:a9:43:03:d1:
         4f:84:2b:c4:13:f6:74:68:b7:46:10:53:4d:30:1f:af:a9:79:
         3e:9a:ed:8d:87:01:93:c7:f1:f3:86:2b:6d:a2:a7:58:7d:bd:
         6c:f4:93:e0:1c:3b:52:b1:8c:52:a0:77:21:2b:7e:1f:d2:18:
         8f:40:81:df:9e:42:74:3b:8f:ac:99:7d:22:a7:8d:7a:9a:13:
         a7:89:e0:06:64:aa:5d:72:0f:d2:14:12:41:94:f7:82:a8:60:
         8e:40:6d:c3:2b:59:11:53:fa:3e:81:1d:44:66:73:73:5c:57:
         77:ec:3d:0b:5b:f7:11:af:6a:af:b1:b4:29:d7:95:23:2f:b7:
         b1:10:52:f9:6a:c9:8d:4e:1e:d4:db:d3:a8:28:26:17:38:e2:
         b1:57:df:f8:b4:82:71:09:bf:a6:af:ae:23:be:c4:c8:e4:59:
         62:1c:0a:6c:0a:ba:ae:3e:62:ee:d4:6f:b8:52:1e:84:47:90:
         98:70:47:4d:c4:11:87:20:f1:63:27:84:37:3f:1c:87:57:d3:
         d0:b0:4e:da:1e:50:8e:fc:55:d9:45:49:92:51:d4:8d:8d:e6:
         33:04:56:1f:33:8a:6a:24:77:1c:ba:c1:8a:2c:8f:dd:eb:3e:
         70:d7:75:dc:2e:4a:84:59:92:2e:eb:1e:7d:9a:c3:45:01:ad:
         8c:e5:74:79:76:0b:c4:cf:5f:f1:95:ba:1e:05:de:f8:fe:4a:
         bb:cd:9e:ef:1b:ce:ac:a0:91:f1:00:75:b6:57:ef:d8:d2:69:
         dd:30:7a:a0:52:20:2e:7a:0b:dd:0f:47:c3:42:12:cd:cb:ec:
         15:51:fb:87:91:1e:c7:52
-----BEGIN CERTIFICATE-----
MIIFODCCAyCgAwIBAgIJALs8aVwiXfLWMA0GCSqGSIb3DQEBCwUAMCkxETAPBgNV
BAoMCEVYVEVSTkFMMRQwEgYDVQQDDAtFeHRlcm5hbCBDQTAeFw0xNjA5MTUwNjE3
MDVaFw0zNjA5MTAwNjE3MDVaMCkxETAPBgNVBAoMCEVYVEVSTkFMMRQwEgYDVQQD
DAtFeHRlcm5hbCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMeM
xWVPN7wpMeyXAR0arPoMt7MWM7VDIm2CImYqZWXKsRSvJtw3j63M4EO9dQhdWsl1
rqNzPJtXH0oZyR07M28Z1F9RDA2Bk51P7qqwOS070Vud0BQHv+20WbcUoQWMdlzC
+ILZd053HVpR5RHgQt2H8/gByMwIo+UY1GxNTYq1j6N6h51shwOQdidv/rmHiq8y
C4wuXkkOQQHGuBu4/ldwkBrZV3Ipd1fziX29CKZGzlYUf2J9gnDkeLqJZm2hHsub
I74EyZSL1zGKLngesTEVFVVQ93AaFKSgvml8FW19KLXoD/PmHKq4QvNXWK14aV08
5ATzL/w0ooR5E73PPCyU+XKZoJeoyFbWZNJKSYD9hXE9gXjM5fGhHlCQN/WoaUUC
f6+PIbIziGztzmqXGns3vjTVIQPf8efWI/0Z21iCtkqd1+O92xMvONHY34UUOSvO
sRKY4Nhxz/N3M2kKaYvFGwH0svoP3EV5BzlrzuZDoVGkmiWEwBZ3DI0VBY2rF5gs
WGheHRbvJ8kS8ycEOS6VyUU0xcnobFjCB5BGh22B5cYyMrOjjBCTwUnnZj9OUE0Z
CQeT8sS17kysdXt1kDkEfvjXIGC7OQ8ufMJnkpNgx1SPaYxWeucNfu3ODsQyhw19
v5TThpKEw+SJn5rJH0Uu9BLL8BAY0rGg72+MVdVHAgMBAAGjYzBhMB0GA1UdDgQW
BBRhLHfDH7ILVRq1G+apI88DPALDpTAfBgNVHSMEGDAWgBRhLHfDH7ILVRq1G+ap
I88DPALDpTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG
9w0BAQsFAAOCAgEAubSSJDg8/4kx23Z92pkpf5QIqz2APDn99rc1evyS7MEjEZ6S
hrLp2cy5Fx6KmuLnFm91NKwWoOO6Zvw+qGzsqU4+JALsYqW/80LEPpUHbYXOy8XY
3Ed97HuRcWLt9B8XqVAQ9ZHQ+S5Ksy7xCzqYvxX8GwbroyXAWR8Jfl1t9NGpwDkj
Q4Klh1k+J0ylosYRD0Z8rOiCjQquGiMQWTI6G0co/JKSMA0amrcvCeQBEP/0kEsr
d3K1UUffo6qgaZ4jxGqpQwPRT4QrxBP2dGi3RhBTTTAfr6l5PprtjYcBk8fx84Yr
baKnWH29bPST4Bw7UrGMUqB3ISt+H9IYj0CB355CdDuPrJl9IqeNepoTp4ngBmSq
XXIP0hQSQZT3gqhgjkBtwytZEVP6PoEdRGZzc1xXd+w9C1v3Ea9qr7G0KdeVIy+3
sRBS+WrJjU4e1NvTqCgmFzjisVff+LSCcQm/pq+uI77EyORZYhwKbAq6rj5i7tRv
uFIehEeQmHBHTcQRhyDxYyeENz8ch1fT0LBO2h5QjvxV2UVJklHUjY3mMwRWHzOK
aiR3HLrBiiyP3es+cNd13C5KhFmSLusefZrDRQGtjOV0eXYLxM9f8ZW6HgXe+P5K
u82e7xvOrKCR8QB1tlfv2NJp3TB6oFIgLnoL3Q9Hw0ISzcvsFVH7h5Eex1I=
-----END CERTIFICATE-----
Comment 20 errata-xmlrpc 2016-11-04 05:26:58 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2396.html
Note You need to log in before you can comment on or make changes to this bug.