Bug 1367683 - getcert request command fails to use Sub CA using -X argument
Summary: getcert request command fails to use Sub CA using -X argument
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: certmonger   
(Show other bugs)
Version: 7.3
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Jan Cholasta
QA Contact: Kaleem
Aneta Šteflová Petrová
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-08-17 08:45 UTC by Abhijeet Kasurde
Modified: 2016-11-04 07:50 UTC (History)
5 users (show)

Fixed In Version: certmonger-0.78.4-3.el7
Doc Type: Bug Fix
Doc Text:
*certmonger* no longer fails to request certificates from IdM sub-CAs The *certmonger* service previously used incorrect API calls to request certificates from IdM sub-Certificate Authorities (sub-CAs). As a consequence, the sub-CA setting was ignored and the certificate was always issued by the IdM root CA. This update fixes the bug, and *certmonger* now requests certificates from IdM sub-CAs as expected.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-04 07:50:59 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
console.log (8.69 KB, text/plain)
2016-08-17 08:49 UTC, Abhijeet Kasurde
no flags Details
console.log (1.99 KB, text/plain)
2016-09-20 06:19 UTC, Abhijeet Kasurde
no flags Details


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2016:2519 normal SHIPPED_LIVE certmonger bug fix update 2016-11-03 14:15:16 UTC

Description Abhijeet Kasurde 2016-08-17 08:45:31 UTC
Description of problem:
When ipa-getcert request is triggered with Sub CA using -X argument, then command fails to issue certificate with Sub-CA as issuer.

See console.log for steps involved.

Version-Release number of selected component (if applicable):
ipa-server-4.4.0-7.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. ipa ca-add 
2. ipa-getcert request -k /samplereq1.key -f /samplereq1.crt -X SampleCA1 
3. View issued certificate for issuer name
4. View ipa-getcert list -i <request_id> for issuer name

Actual results:
Issuer Name in certificate issued is set to default IPA CA instead of Sub CA

Expected results:
Issuer Name in certificate issued should be set to Sub CA

Additional info:
As per IRC chat with jcholast, https://git.fedorahosted.org/cgit/certmonger.git/tree/src/ipa.c#n384 - here it should say "cacn" instead of "ca"

Comment 1 Abhijeet Kasurde 2016-08-17 08:46:02 UTC
Certmonger version used :: 

certmonger-0.78.4-2.el7.x86_64

Comment 2 Abhijeet Kasurde 2016-08-17 08:49 UTC
Created attachment 1191493 [details]
console.log

Comment 10 Abhijeet Kasurde 2016-09-20 06:19:02 UTC
Verified using IPA and Certmonger version ::

ipa-server-4.4.0-12.el7.x86_64
certmonger-0.78.4-3.el7.x86_64


Marking BZ as verified.

Comment 11 Abhijeet Kasurde 2016-09-20 06:19 UTC
Created attachment 1202711 [details]
console.log

Comment 15 errata-xmlrpc 2016-11-04 07:50:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2519.html


Note You need to log in before you can comment on or make changes to this bug.