Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1464591

Summary: CC: need CMC enrollment profiles for system certificates
Product: Red Hat Enterprise Linux 7 Reporter: Christina Fu <cfu>
Component: pki-coreAssignee: Christina Fu <cfu>
Status: CLOSED ERRATA QA Contact: Asha Akkiangady <aakkiang>
Severity: urgent Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: urgent    
Version: 7.4CC: edewata, gkapoor, mharmsen, msauton, pasik, pbokoc
Target Milestone: rcKeywords: ZStream
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
https://bugzilla.redhat.com/show_bug.cgi?id=1518180#c7
 Story Points: ---
Clone Of:
: 1469446 1487278 (view as bug list) Environment:
Last Closed: 2018-04-10 16:58:29 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1404413, 1469446, 1518180    
Attachments:
Description Flags
First part patch to support non-TMS CMC-based installation none

Description Christina Fu 2017-06-23 20:50:56 UTC 
This is one of the areas that needs to be addressed from:
Bug 1464549 - CC: Installation: allow installation with existing system certificates 

The manual steps required to get system certificates would need CMC enrollment profiles for them.
Comment 2 Christina Fu 2017-07-04 01:43:40 UTC 
Created attachment 1294020 [details]
First part patch to support non-TMS CMC-based installation

This patch contains the following:
* The code in CMCAuth (agent-based) to check ssl client auth cert against the CMC signing cert
* The non-TMS system enrollment profiles: 
caCMCauditSigningCert.cfg
caCMCcaCert.cfg
caCMCkraStorageCert.cfg
caCMCkraTransportCert.cfg
caCMCocspCert.cfg
caCMCserverCert.cfg
caCMCsubsystemCert.cfg
* new URI's in web.xml as new access points

It should allow https://bugzilla.redhat.com/show_bug.cgi?id=1464549 to be tested against non-TMS CMC-based installation shall it become available.
Comment 3 Christina Fu 2017-07-07 00:41:11 UTC 
Comment on attachment 1294020 [details]
First part patch to support non-TMS CMC-based installation

slightly updated patch has been submitted to pkidevel for review.

Usage examples can be found here:
http://pki.fedoraproject.org/wiki/PKI_10.4_CMC_Feature_Update_(RFC5272)#Examples_.28System_Certificates.29
Comment 4 Christina Fu 2017-07-08 00:03:00 UTC 
pushed to Dogtag master:
https://pagure.io/dogtagpki/issue/2757#comment-447880
Comment 7 Geetika Kapoor 2018-01-31 11:27:31 UTC 
Trying to test this bugzilla with CC steup but stuck in 
 https://bugzilla.redhat.com/show_bug.cgi?id=1536938#c11
Comment 8 Geetika Kapoor 2018-02-14 08:18:22 UTC 
Test Steps:
==========

This is tested as mentioned in http://pki.fedoraproject.org/wiki/PKI_10.4_CMC_Feature_Update_%28RFC5272%29#Examples_.28System_Certificates.29.

How ever, when we try to use the signed certs for setting up :
1. SubCA -- https://bugzilla.redhat.com/show_bug.cgi?id=1520253
2. OCSP -- https://bugzilla.redhat.com/show_bug.cgi?id=1540687
3. ExternalCA ECC -- https://bugzilla.redhat.com/show_bug.cgi?id=1544843

There are some practical issues for which Bugzilla's have been raised for review.
All these bugs mentioned above are seen in HSM environment.
Comment 11 errata-xmlrpc 2018-04-10 16:58:29 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0925