Bug 1464591 - CC: need CMC enrollment profiles for system certificates
Status: VERIFIED
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.4
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assigned To: Christina Fu
QA Contact: Asha Akkiangady
Docs Contact: Marc Muehlfeld
Keywords: ZStream
Depends On:
Blocks: 1518180 1404413 1469446
Reported: 2017-06-23 16:50 EDT by Christina Fu
Modified: 2018-02-14 13:57 EST (History)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Certificate System now supports CMC-based system certificate requests

This update adds support for Certificate Management over CMS (CMC)-based system certificate requests and adds the following new CMC-based system enrollment profiles:
* `caCMCauditSigningCert.cfg`
* `caCMCcaCert.cfg`
* `caCMCkraStorageCert.cfg`
* `caCMCkraTransportCert.cfg`
* `caCMCocspCert.cfg`
* `caCMCserverCert.cfg`
* `caCMCsubsystemCert.cfg`
Clone Of:
Clones: 1469446 1487278
Type: Bug


Attachments:
First part patch to support non-TMS CMC-based installation (66.88 KB, patch), 2017-07-03 21:43 EDT, Christina Fu
Description Christina Fu 2017-06-23 16:50:56 EDT
This is one of the areas that needs to be addressed from:
Bug 1464549 - CC: Installation: allow installation with existing system certificates 

The manual steps required to get system certificates would need CMC enrollment profiles for them.
Comment 2 Christina Fu 2017-07-03 21:43 EDT
Created attachment 1294020 [details]
First part patch to support non-TMS CMC-based installation

This patch contains the following:
* The code in CMCAuth (agent-based) to check ssl client auth cert against the CMC signing cert
* The non-TMS system enrollment profiles: 
caCMCauditSigningCert.cfg
caCMCcaCert.cfg
caCMCkraStorageCert.cfg
caCMCkraTransportCert.cfg
caCMCocspCert.cfg
caCMCserverCert.cfg
caCMCsubsystemCert.cfg
* new URIs in web.xml as new access points

It should allow https://bugzilla.redhat.com/show_bug.cgi?id=1464549 to be tested against a non-TMS CMC-based installation, should it become available.
Comment 3 Christina Fu 2017-07-06 20:41:11 EDT
Comment on attachment 1294020 [details]
First part patch to support non-TMS CMC-based installation

A slightly updated patch has been submitted to pkidevel for review.

Usage examples can be found here:
http://pki.fedoraproject.org/wiki/PKI_10.4_CMC_Feature_Update_(RFC5272)#Examples_.28System_Certificates.29
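As an added example that is not part of this bug, the attached patch or the pki-core code, the following POSIX shell script walks the agent-signed CMC enrollment path that these profiles expose, following the sequence described on the wiki page linked above: a PKCS#10 request is generated with PKCS10Client, wrapped in a CMC SignedData with CMCRequest, submitted by HttpClient to the CA's profileSubmitCMCFull servlet with profileId set to one of the seven new profiles, and the CA's response is decoded with CMCResponse. The hostname, port, NSS database path, password, agent nickname and subject DN are assumptions. The same agent nickname is deliberately used for both the CMC signer (CMCRequest `nickname`) and the TLS client certificate (HttpClient `nickname` with `clientmode=true`), because, per Comment 2, CMCAuth checks the SSL client auth cert against the CMC signing cert and a mismatch is rejected.

```shell
#!/bin/sh
# Added example (not from the bug, the patch or the Dogtag project): drive an
# agent-signed CMC enrollment against one of the new non-TMS system profiles
# with the Dogtag CLI tools PKCS10Client, CMCRequest, HttpClient, CMCResponse.
# Hostname, port, NSS database, password, nicknames and subject are assumptions.

# The seven CMC system enrollment profiles added by the patch (Comment 2).
CMC_SYSTEM_PROFILES="caCMCauditSigningCert caCMCcaCert caCMCkraStorageCert caCMCkraTransportCert caCMCocspCert caCMCserverCert caCMCsubsystemCert"

# Succeeds if $1 is one of the new CMC system profiles.
is_cmc_system_profile() {
    for p in $CMC_SYSTEM_PROFILES; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# Full-CMC submission servlet on the CA's EE interface for a given profile.
cmc_servlet_path() {
    printf '/ca/ee/ca/profileSubmitCMCFull?profileId=%s\n' "$1"
}

# Write the CMCRequest config that wraps a PKCS#10 request in a CMC SignedData
# signed by the agent certificate named in nickname.
# Args: outfile pkcs10file cmcfile nssdb password nickname
write_cmcrequest_cfg() {
    cat > "$1" <<EOF
numRequests=1
input=$2
output=$3
nickname=$6
dbdir=$4
password=$5
format=pkcs10
EOF
}

# Write the HttpClient config. clientmode=true makes HttpClient present the
# certificate named in nickname as the TLS client cert; CMCAuth requires it to
# be the cert that signed the CMC request, so the same agent nickname is used.
# Args: outfile host port cmcfile respfile nssdb password nickname profile
write_httpclient_cfg() {
    cat > "$1" <<EOF
host=$2
port=$3
secure=true
input=$4
output=$5
dbdir=$6
clientmode=true
password=$7
nickname=$8
servlet=$(cmc_servlet_path "$9")
EOF
}

# Generate both configs in a scratch directory and, if the Dogtag tools are
# installed, run the four-step enrollment. Prints the scratch directory.
# Args: profile host subjectDN
run_cmc_enrollment() {
    profile=$1; host=$2; subject=$3
    is_cmc_system_profile "$profile" || { echo "not a CMC system profile: $profile" >&2; return 1; }
    work=$(mktemp -d)
    nssdb=/root/.dogtag/nssdb                   # assumption: agent cert lives here
    pass=Secret.123                             # assumption
    agent="PKI Administrator for example.com"   # assumption: agent signing cert nickname
    write_cmcrequest_cfg "$work/cmc-request.cfg" "$work/server.p10" "$work/server.cmc" "$nssdb" "$pass" "$agent"
    write_httpclient_cfg "$work/http-client.cfg" "$host" 8443 "$work/server.cmc" "$work/server.resp" "$nssdb" "$pass" "$agent" "$profile"
    if command -v PKCS10Client >/dev/null 2>&1; then
        PKCS10Client -d "$nssdb" -p "$pass" -a rsa -l 2048 -o "$work/server.p10" -n "$subject"
        CMCRequest "$work/cmc-request.cfg"
        HttpClient "$work/http-client.cfg"
        CMCResponse -d "$nssdb" -i "$work/server.resp"
    else
        echo "Dogtag CLI tools not installed; configs written to $work" >&2
    fi
    echo "$work"
}

run_cmc_enrollment caCMCserverCert ca.example.com "cn=ca.example.com"
```

Without the Dogtag tools installed the script only writes `cmc-request.cfg` and `http-client.cfg` so they can be inspected; with them installed it performs the enrollment and CMCResponse prints the issued certificate and the CMC status. Changing the profile to `caCMCocspCert`, `caCMCkraTransportCert` etc. only changes the `servlet` line.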
Comment 4 Christina Fu 2017-07-07 20:03:00 EDT
pushed to Dogtag master:
https://pagure.io/dogtagpki/issue/2757#comment-447880
Comment 7 Geetika Kapoor 2018-01-31 06:27:31 EST
Trying to test this bugzilla with CC setup but stuck in https://bugzilla.redhat.com/show_bug.cgi?id=1536938#c11
Comment 8 Geetika Kapoor 2018-02-14 03:18:22 EST
Test Steps:
==========

This is tested as mentioned in http://pki.fedoraproject.org/wiki/PKI_10.4_CMC_Feature_Update_%28RFC5272%29#Examples_.28System_Certificates.29.

However, when we try to use the signed certs for setting up:
1. SubCA -- https://bugzilla.redhat.com/show_bug.cgi?id=1520253
2. OCSP -- https://bugzilla.redhat.com/show_bug.cgi?id=1540687
3. ExternalCA ECC -- https://bugzilla.redhat.com/show_bug.cgi?id=1544843

There are some practical issues for which Bugzillas have been raised for review.
All these bugs mentioned above are seen in HSM environment.
