Bug 1464549 - CC: Installation with CMC
Status: ON_QA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core (Show other bugs)
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: RHCS Maintainers
QA Contact: Asha Akkiangady
Depends On:
Blocks:
Reported: 2017-06-23 14:08 EDT by Christina Fu
Modified: 2017-11-02 21:20 EDT (History)

See Also:
Fixed In Version: pki-core-10.5.1-1.el7
Doc Type: Enhancement
Doc Text:
This enhancement provides a mechanism to install a CA, KRA, or OCSP subsystem with CMC. The installation is done in two steps. The first step generates the CSRs for the system certificates; these CSRs can then be used to issue the system certificates using CMC. The second step takes the issued system certificates and completes the subsystem installation.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments: None
Description Christina Fu 2017-06-23 14:08:46 EDT
This came out of the PP requirement: FIA_CMC_EXT.1.3

Basically, when a subordinate CA acts as a client to its superior CA, the cert requests and responses should be carried in CMC format and protocol.

Since retrofitting CMC into the existing installation system is not feasible, as installation is a "one-time thing" that doesn't happen often, our plan is to give some manual CC setup steps with the assistance of some code changes:

* for sub-CAs, just give instructions on manual CMC request generation and submission to the superior CA, and then use the "existing CA" feature to install
* for non-CA subsystems, such as KRA, OCSP, TPS, and TKS, we need some (possibly not a lot of) changes to allow pre-existing system certificates to be used.  We add instructions on manual CMC request generation and submission to the CA before directing people to use this new "existing all subsystems" feature.

For the above, there is already a ticket:
https://pagure.io/dogtagpki/issue/2280

Another area that needs to be covered is a set of system certificate profiles for CMC requests to complete the above strategy.
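To make the two-step flow in the description concrete, the following is an added illustration (not from this bug, and not pki-core's own documentation) of what the "existing CA" sub-CA installation looks like as two pkispawn configuration files. The parameter names (pki_external, pki_external_step_two, pki_ca_signing_csr_path, pki_ca_signing_cert_path, pki_cert_chain_path) are assumed from the pkispawn(8) man page and should be checked against the installed pki-core version; the instance name, passwords and file paths are placeholders.

```ini
# Added illustration, not from this bug or from pki-core's own docs.
# Parameter names are assumed from pkispawn(8); paths and passwords
# are placeholders.

# --- Step 1 (step1.cfg): generate the CA signing CSR and stop ---
[DEFAULT]
pki_instance_name=pki-tomcat
pki_admin_password=<placeholder>
pki_ds_password=<placeholder>

[CA]
pki_subordinate=True
pki_external=True
pki_external_step_two=False
# pkispawn writes the CA signing CSR here and halts.
pki_ca_signing_csr_path=/root/ca_signing.csr

# Between the steps, outside pkispawn: wrap ca_signing.csr in a CMC
# request, submit it to the superior CA, and save the issued certificate
# and the superior CA's chain. That is the manual CMC step the
# description refers to; its tooling is not shown here.

# --- Step 2 (step2.cfg): feed the issued cert back and finish ---
[DEFAULT]
pki_instance_name=pki-tomcat
pki_admin_password=<placeholder>
pki_ds_password=<placeholder>

[CA]
pki_subordinate=True
pki_external=True
pki_external_step_two=True
# Certificate issued by the superior CA for the CSR from step 1.
pki_ca_signing_cert_path=/root/ca_signing.crt
# Chain of the superior CA, so the sub-CA can validate its own cert.
pki_cert_chain_path=/root/superior_ca_chain.p7b
```

The two files are consumed in order with `pkispawn -s CA -f step1.cfg` and, after the CMC exchange has produced the certificate, `pkispawn -s CA -f step2.cfg`. The point of the split is that the private key never leaves the sub-CA's NSS database: only the CSR goes out in the CMC request, and only the issued certificate comes back in.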
Comment 2 Christina Fu 2017-07-07 20:06:42 EDT
Note that the CMC system cert enrollment profiles have been pushed to Dogtag master.
See Usage info here:
http://pki.fedoraproject.org/wiki/PKI_10.4_CMC_Feature_Update_(RFC5272)#Examples_.28System_Certificates.29