Bug 1520253 - Unable to Install SubCA using CMC
Summary: Unable to Install SubCA using CMC
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: RHCS Maintainers
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-12-04 06:48 UTC by Geetika Kapoor
Modified: 2020-10-04 21:38 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-18 02:51:35 UTC
Target Upstream Version:
Embargoed:




Links
System: Github dogtagpki pki issues   ID: 2990   Private: 0   Priority: None   Status: None   Summary: None   Last Updated: 2020-10-04 21:38:22 UTC

Description Geetika Kapoor 2017-12-04 06:48:21 UTC
Description of problem:

As with ExternalCA, we get the certificate request created in step 1, and then it is our choice whether we get it signed using CMC or without CMC.
In SubCA, however, it is a single step, so how can a SubCA generate a CSR
first and then sign it using CMC? Basically, how do you do
SubCA (http://pki.fedoraproject.org/wiki/Installing_Subordinate_CA) with
CMC in one step?

Version-Release number of selected component (if applicable):

rpm -qa pki-ca
pki-ca-10.5.1-4.el7.noarch

How reproducible:

always 

Steps to Reproduce:
1.
2.
3.

Actual results:

Unable to install SubCA with CMC using procedure mentioned in http://pki.fedoraproject.org/wiki/Installing_Subordinate_CA

Expected results:

CMC should work with SubCA

Additional info:

A few observations, if you want to include them in the documentation:


For SubCA, in the same SD as its CA:
====================================

Ex: RootCA --> SubCA

The Subsystem Certificate is signed by its signing CA (RootCA).
All other certs are signed by the SubCA itself.

For SubCA, in a different SD from its CA:
=========================================

All certificates are signed by the SubCA itself. SubCA Agent page:

0x1  valid  CN=CA OCSP Signing Certificate,OU=topology-CA-EX-diffsub,O=EXAMPLE
     <https://pki1.example.com:32443/ca/agent/ca/displayBySerial?op=displayBySerial&serialNumber=0x1>
0x2  valid  CN=pki1.example.com,OU=topology-CA-EX-diffsub,O=EXAMPLE
     <https://pki1.example.com:32443/ca/agent/ca/displayBySerial?op=displayBySerial&serialNumber=0x2>
0x3  valid  CN=Subsystem Certificate,OU=topology-CA-EX-diffsub,O=EXAMPLE
     <https://pki1.example.com:32443/ca/agent/ca/displayBySerial?op=displayBySerial&serialNumber=0x3>
0x4  valid  CN=CA Audit Signing Certificate,OU=topology-CA-EX-diffsub,O=EXAMPLE
     <https://pki1.example.com:32443/ca/agent/ca/displayBySerial?op=displayBySerial&serialNumber=0x4>
0x5  valid  CN=PKI Administrator,E=caadmin,OU=topology-CA-EX-diffsub,O=EXAMPLE
     <https://pki1.example.com:32443/ca/agent/ca/displayBySerial?op=displayBySerial&serialNumber=0x5>


Ex: RootCA --> SubCA

The Subsystem Certificate is signed by the SubCA itself,
and all other certs are also signed by the SubCA itself.

For External CA:
================

Ex: RootCA --> ExternalCA

The Subsystem Certificate and all other certs are signed by the ExternalCA.

Comment 2 Matthew Harmsen 2017-12-08 01:40:13 UTC
After discussion in the PKI Team Meeting of 20171207, it was determined that this could be delayed until RHEL 7.6.

Comment 3 Christina Fu 2018-04-17 18:39:15 UTC
I believe the new instructions for all CMC installations are two steps (two-step for the root CA, and external-CA for the SubCA and other subsystems).
This makes this bug moot.

Comment 4 Matthew Harmsen 2018-04-18 02:51:35 UTC
Per RHEL 7.5.z/7.6/8.0 Triage:

CLOSING WONTFIX

Comment 5 Geetika Kapoor 2018-04-19 14:36:48 UTC
Hi Christina,

Is it okay to document somewhere that we no longer support SubCA for CMC as we used to, as mentioned in the document: http://www.dogtagpki.org/wiki/Installing_Subordinate_CA
In SubCA we use pki_subordinate=true because the document http://jenkinscat.gsslab.pnq.redhat.com:8080/view/Certificate%20System/job/doc-Red_Hat_Certificate_System-Planning_Installation_and_Deployment_Guide%20%28html-single%29/lastSuccessfulBuild/artifact/tmp/en-US/html-single/index.html#two-step-installation talks about the subordinate CA.

thanks

Comment 6 Christina Fu 2018-04-19 16:48:21 UTC
Geetika, I'm not familiar with pki_subordinate. I actually don't see it mentioned in the current admins' guide that Marc has.

I may have misunderstood this bug, but I thought you were saying that the one-step doesn't work. We do not ask people to install anything using CMC in one step.
My understanding is that we DO support installing a SubCA using CMC, just that you need to go through the externalCA procedure documented here:
http://jenkinscat.gsslab.pnq.redhat.com:8080/view/Certificate%20System/job/doc-Red_Hat_Certificate_System-Planning_Installation_and_Deployment_Guide%20%28html-single%29/lastSuccessfulBuild/artifact/tmp/en-US/html-single/index.html#setting_up_subsystems_with_an_external_ca

Please take a look and see if the documentation makes sense. Regarding pki_subordinate, you should consult Endi.

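As an added illustration of the two-step external-CA procedure Comment 6 points to (this is an example written for this page, not configuration from the bug, the reporter, or the Dogtag project), here is what a pkispawn deployment file for a subordinate CA looks like when its signing certificate is issued by the root CA out of band. The parameter names are as I recall them from the Dogtag pkispawn documentation and should be treated as an assumption to verify against `man pkispawn` for your version; the instance name, DNs, file paths and `<placeholder>` passwords are constructed.

```ini
# Step 1 (constructed example): pkispawn generates the CA signing CSR
# and stops. The CSR is then submitted to the root CA out of band, for
# example as a CMC request, and the issued certificate plus the root
# chain are brought back for step 2.
[DEFAULT]
pki_instance_name=pki-subca
# The SubCA starts its own security domain, so every certificate other
# than the CA signing certificate is issued by the SubCA itself.
pki_security_domain_name=EXAMPLE-SUB
pki_server_database_password=<placeholder>

[CA]
pki_admin_email=caadmin@example.com
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_uid=caadmin
pki_admin_password=<placeholder>

pki_ds_base_dn=dc=subca,dc=example,dc=com
pki_ds_database=subca
pki_ds_password=<placeholder>

pki_ca_signing_nickname=ca_signing
pki_ocsp_signing_nickname=ca_ocsp_signing
pki_audit_signing_nickname=ca_audit_signing
pki_sslserver_nickname=sslserver
pki_subsystem_nickname=subsystem

# Step 1: request an externally signed CA certificate, write the CSR here.
pki_external=True
pki_external_step_two=False
pki_ca_signing_csr_path=/root/subca_signing.csr

# Step 2: after the root CA has signed the CSR, re-run pkispawn with the
# same file and these lines uncommented (and pki_external_step_two=True
# replacing the False above).
# pki_external_step_two=True
# pki_ca_signing_cert_path=/root/subca_signing.crt
# pki_cert_chain_nickname=external
# pki_cert_chain_path=/root/rootca_chain.crt
```

Run `pkispawn -s CA -f <file>` once for each step. Because the signing certificate is obtained outside pkispawn, whether the root CA signs it through a CMC enrollment or some other path is invisible to the SubCA install, which is why this flow covers the "SubCA with CMC" case without a one-step mode. After step 2, the SubCA's agent page should show the OCSP, SSL server, subsystem, audit signing and admin certificates all issued by the SubCA, matching the reporter's "different SD" observation above; if any of them were expected to come from the root CA instead, that is the point to check before going further.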
