1464591 – CC: need CMC enrollment profiles for system certificates

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1464591 - CC: need CMC enrollment profiles for system certificates

Summary: CC: need CMC enrollment profiles for system certificates

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	pki-core
Sub Component:
Version:	7.4
Hardware:	All
OS:	Linux
Priority:	urgent
Severity:	urgent
Target Milestone:	rc
Target Release:	---
Assignee:	Christina Fu
QA Contact:	Asha Akkiangady
Docs Contact:	Marc Muehlfeld
URL:
Whiteboard:
Depends On:
Blocks:	1404413 1469446 1518180
TreeView+	depends on / blocked

Reported:	2017-06-23 20:50 UTC by Christina Fu
Modified:	2020-10-04 21:33 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	No Doc Update
Doc Text:	https://bugzilla.redhat.com/show_bug.cgi?id=1518180#c7
Clone Of:
Clones:	1469446 1487278 (view as bug list)
Environment:
Last Closed:	2018-04-10 16:58:29 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
First part patch to support non-TMS CMC-based installation (66.88 KB, patch) 2017-07-04 01:43 UTC, Christina Fu	no flags	Details \| Diff
Show Obsolete (1) View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	dogtagpki pki issues 2877	0	None	None	None	2020-10-04 21:33:36 UTC
Red Hat Product Errata	RHBA-2018:0925	0	None	None	None	2018-04-10 16:59:35 UTC

Description Christina Fu 2017-06-23 20:50:56 UTC

This is one of the areas that needs to be addressed from:
Bug 1464549 - CC: Installation: allow installation with existing system certificates 

The manual steps required to get system certificates would need CMC enrollment profiles for them.

Comment 2 Christina Fu 2017-07-04 01:43:40 UTC

Created attachment 1294020 [details]
First part patch to support non-TMS CMC-based installation

This patch contains the following:
* The code in CMCAuth (agent-based) to check ssl client auth cert against the CMC signing cert
* The non-TMS system enrollment profiles: 
caCMCauditSigningCert.cfg
caCMCcaCert.cfg
caCMCkraStorageCert.cfg
caCMCkraTransportCert.cfg
caCMCocspCert.cfg
caCMCserverCert.cfg
caCMCsubsystemCert.cfg
* new URI's in web.xml as new access points

It should allow https://bugzilla.redhat.com/show_bug.cgi?id=1464549 to be tested against non-TMS CMC-based installation shall it become available.

Comment 3 Christina Fu 2017-07-07 00:41:11 UTC

Comment on attachment 1294020 [details]
First part patch to support non-TMS CMC-based installation

slightly updated patch has been submitted to pkidevel for review.

Usage examples can be found here:
http://pki.fedoraproject.org/wiki/PKI_10.4_CMC_Feature_Update_(RFC5272)#Examples_.28System_Certificates.29

Comment 4 Christina Fu 2017-07-08 00:03:00 UTC

pushed to Dogtag master:
https://pagure.io/dogtagpki/issue/2757#comment-447880

Comment 7 Geetika Kapoor 2018-01-31 11:27:31 UTC

Trying to test this bugzilla with CC steup but stuck in 
 https://bugzilla.redhat.com/show_bug.cgi?id=1536938#c11

Comment 8 Geetika Kapoor 2018-02-14 08:18:22 UTC

Test Steps:
==========

This is tested as mentioned in http://pki.fedoraproject.org/wiki/PKI_10.4_CMC_Feature_Update_%28RFC5272%29#Examples_.28System_Certificates.29.

How ever, when we try to use the signed certs for setting up :
1. SubCA -- https://bugzilla.redhat.com/show_bug.cgi?id=1520253
2. OCSP -- https://bugzilla.redhat.com/show_bug.cgi?id=1540687
3. ExternalCA ECC -- https://bugzilla.redhat.com/show_bug.cgi?id=1544843

There are some practical issues for which Bugzilla's have been raised for review.
All these bugs mentioned above are seen in HSM environment.

Comment 11 errata-xmlrpc 2018-04-10 16:58:29 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0925

Note You need to log in before you can comment on or make changes to this bug.