This came out of the PP requirement FIA_CMC_EXT.1.3. Basically, when a subordinate CA acts as a client to its superior CA, the cert requests and responses should be carried in CMC format and protocol. Since retrofitting CMC into the existing installation system is not feasible, as installation is a "one-time thing" that doesn't happen often, our plan is to give some manual CC setup steps with the assistance of some code changes:

* for sub-CAs, just give instructions on manual CMC request generation and submission to the superior CA, and then use the "existing CA" feature to install
* for non-CA subsystems, such as KRA, OCSP, TPS, and TKS, we need some (possibly not a lot of) changes to allow pre-existing system certificates to be used. We add instructions on manual CMC request generation and submission to the CA before directing people to use this new "existing all subsystems" feature.

For the above, there is already a ticket: https://pagure.io/dogtagpki/issue/2280

Another area that needs to be covered is a set of system certificate profiles for CMC requests to complete the above strategy.
Note that the CMC system cert enrollment profiles have been pushed to Dogtag master. See usage info here: http://pki.fedoraproject.org/wiki/PKI_10.4_CMC_Feature_Update_(RFC5272)#Examples_.28System_Certificates.29
Fixed in master:
* https://github.com/dogtagpki/pki/commit/959db34796b4ed29618d3479150f88ae6062f6e7
* https://github.com/dogtagpki/pki/commit/eeeb8e05745ab90abe2b322ebd6804cc5a0c45bd
* https://github.com/dogtagpki/pki/commit/3a7bfb28668076ed685f99ce67c4fab769204071
* https://github.com/dogtagpki/pki/commit/b98118f2776c38cb4a5d25ff39a65b2a474a0e00
* https://github.com/dogtagpki/pki/commit/d7fc48917736c271c7e3f7b9bc7172d82fa22de8

Docs:
* http://pki.fedoraproject.org/wiki/Installing_CA_with_External_CA_Signing_Certificate
* http://pki.fedoraproject.org/wiki/Installing_KRA_with_External_Certificates
* http://pki.fedoraproject.org/wiki/Installing_OCSP_with_External_Certificates
Test Environment:
================
rpm -qa pki-*
pki-tests-CoreOS-dogtag-aakkiang-test-rhcs-1.0.8.20170618003302-0.noarch
pki-console-10.5.1-2.el7pki.noarch
pki-server-10.5.1-4.el7.noarch
pki-ca-10.5.1-4.el7.noarch
pki-tests-pki-tests-dogtag-20151005152014.66e7821-0.noarch
pki-base-java-10.5.1-4.el7.noarch
pki-tps-10.5.1-4.el7pki.x86_64
pki-core-debuginfo-10.5.1-4.el7pki.x86_64
pki-javadoc-10.5.1-1.el7.noarch
pki-tests-CoreOS-dogtag-PKI_TEST_USER_ID-bbhavsar-1.0.8.RPM.IDENTIFIER-0.noarch
pki-symkey-10.5.1-4.el7.x86_64
pki-tks-10.5.1-4.el7pki.noarch
pki-tests-pki-tests-20150522165149.1561420-0.noarch
pki-tools-10.5.1-4.el7.x86_64
pki-ocsp-10.5.1-4.el7pki.noarch
pki-base-10.5.1-4.el7.noarch
pki-kra-10.5.1-4.el7.noarch

While testing http://pki.fedoraproject.org/wiki/Installing_OCSP_with_External_Certificates I ran into https://bugzilla.redhat.com/show_bug.cgi?id=1520526. Please have a look.
Bug #1520526 has been fixed. Please retest when the build becomes available. Thanks.
Test Bits:
=========
rpm -qa nss* pki-* jss*
pki-tools-10.5.1-6.el7.x86_64
pki-ocsp-10.5.1-6.el7pki.noarch
pki-javadoc-10.5.1-5.1.el7.noarch
pki-base-10.5.1-6.el7.noarch
pki-symkey-10.5.1-6.el7.x86_64
pki-server-10.5.1-6.el7.noarch
pki-kra-10.5.1-6.el7.noarch
pki-tks-10.5.1-6.el7pki.noarch
pki-console-10.4.1-7.el7pki.noarch
pki-core-debuginfo-10.5.1-5.1.el7pki.x86_64
jss-4.4.0-11.el7.x86_64
pki-base-java-10.5.1-6.el7.noarch
pki-ca-10.5.1-6.el7.noarch
pki-tps-10.5.1-6.el7pki.x86_64

Testing:
========
Test case 1: http://pki.fedoraproject.org/wiki/Installing_CA_with_External_CA_Signing_Certificate
-------------------------------------------------------------------------------------------------
-- This is tested with the HSM soft-token because the Thales HSM is currently failing because of https://bugzilla.redhat.com/show_bug.cgi?id=1535797. Testing configs for ExternalCA with CMC are attached along with logs. After installation, verification is done by signing a caUsercert.

[root@csqa4-guest04 75_cfg_working]# pki -p 31080 -d /tmp/test -c SECret.123 -n "PKI CA Administrator" ca-cert-request-review 6 --action approve
WARNING: UNTRUSTED ISSUER encountered on 'CN=csqa4-guest04.idm.lab.eng.rdu.redhat.com,OU=pki-ExternalCA-gkapoor00,O=idm.lab.eng.rdu.redhat.com Security Domain' indicates a non-trusted CA cert 'CN=CA Signing Certificate,OU=pki-ExternalCA-gkapoor00,O=idm.lab.eng.rdu.redhat.com Security Domain'
Import CA certificate (Y/n)? Y
CA server URI [http://csqa4-guest04.idm.lab.eng.rdu.redhat.com:8080/ca]: http://csqa4-guest04.idm.lab.eng.rdu.redhat.com:31080/ca
------------------------------
Approved certificate request 6
------------------------------
  Request ID: 6
  Type: enrollment
  Request Status: complete
  Operation Result: success
  Certificate ID: 0x6

pki -p 31080 -d /tmp/test -c SECret.123 -n "PKI CA Administrator" ca-user-find
-----------------
3 entries matched
-----------------
  User ID: CA-csqa4-guest04.idm.lab.eng.rdu.redhat.com-31443
  Full name: CA-csqa4-guest04.idm.lab.eng.rdu.redhat.com-31443

  User ID: caadmin
  Full name: caadmin

  User ID: pkidbuser
  Full name: pkidbuser
----------------------------
Number of entries returned 3
----------------------------

Test Case 2: http://pki.fedoraproject.org/wiki/Installing_OCSP_with_External_Certificates
-----------------------------------------------------------------------------------------
Currently it is failing during OCSP installation. https://bugzilla.redhat.com/show_bug.cgi?id=1540687
If I find some time I will try to debug it more.

Test Case 3: http://pki.fedoraproject.org/wiki/Installing_KRA_with_External_Certificates
----------------------------------------------------------------------------------------
Since this part was tested by Akshay I will let him update status on this.
Testing is done as mentioned above in comment 8, but there are a few failures for which bugs have been raised. Without testing the below, we can't consider testing complete for this feature.
1. https://bugzilla.redhat.com/show_bug.cgi?id=1540687
2. https://bugzilla.redhat.com/show_bug.cgi?id=1544843

KRA is tested based on CC setup instructions.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0925
The information has already been provided.