Bug 1520526 - p12 admin certificate is missing when certificate is signed Externally
Summary: p12 admin certificate is missing when certificate is signed Externally
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.5
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Endi Sukma Dewata
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-12-04 16:07 UTC by Geetika Kapoor
Modified: 2020-10-04 21:38 UTC (History)

Fixed In Version: pki-core-10.5.1-6.el7
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-10 17:02:54 UTC
Target Upstream Version:
Embargoed:


Attachments
Config-logs (50.06 KB, text/plain), 2017-12-04 19:35 UTC, Geetika Kapoor


Links
* GitHub dogtagpki/pki issue 2992 (last updated 2020-10-04 21:38:30 UTC)
* Red Hat Product Errata RHBA-2018:0925 (last updated 2018-04-10 17:03:37 UTC)

Description Geetika Kapoor 2017-12-04 16:07:23 UTC
Description of problem:

When OCSP certificate signed using ExternalCA installation output looks like:


    ==========================================================================

      Administrator's username:             ocspadmin

      Administrator's certificate nickname:
            ocspadmin
      Administrator's certificate database:
            /root/.dogtag/pki-tomcat/ocsp/alias

      To check the status of the subsystem:
            systemctl status pki-tomcatd

      To restart the subsystem:
            systemctl restart pki-tomcatd

      The URL for the subsystem is:
            https://pki1.example.com:8443/ocsp

      PKI instances will be enabled upon system boot

    ==========================================================================

Which clearly shows the admin (p12) cert is missing.


https://github.com/dogtagpki/pki/blob/master/base/server/python/pki/server/deployment/scriptlets/configuration.py#L1172

The process_admin_cert() is supposed to generate the p12 file, but it's only executed in standalone cases right now.

The case we're testing is external, so it didn't get executed.

Version-Release number of selected component (if applicable):

10.5

How reproducible:

always 

Steps to Reproduce:
1. Sign the OCSP certificate in a 2-step process using http://pki.fedoraproject.org/wiki/Installing_OCSP_with_External_Certificates

Actual results:

ocsp p12 admin cert is not getting generated

Expected results:

ocsp p12 admin cert should get generated.

Additional info:
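The difference between the two summaries on this page (the affected build prints a certificate nickname and database, the fixed build prints a PKCS #12 path) is easy to check mechanically. The following added example, which is not part of the bug report or of pki's own code, parses the pkispawn "INSTALLATION SUMMARY" block and reports whether the admin p12 was announced; the two fragments are copied from this report and used as constructed test input.

```python
import re

# Summary fragment from the external-CA OCSP run described in this bug
# (no admin PKCS #12 listed). Constructed test input copied from the report.
SUMMARY_BEFORE_FIX = """\
  Administrator's username:             ocspadmin

  Administrator's certificate nickname:
        ocspadmin
  Administrator's certificate database:
        /root/.dogtag/pki-tomcat/ocsp/alias

  The URL for the subsystem is:
        https://pki1.example.com:8443/ocsp
"""

# Summary fragment from the run on the fixed build (admin PKCS #12 listed).
SUMMARY_AFTER_FIX = """\
  Administrator's username:             ocspadmin
  Administrator's PKCS #12 file:
        /root/.dogtag/gkapoor_RHCS75_externalocsp/ocsp_admin_cert.p12

  The URL for the subsystem is:
        https://csqa4-guest04.idm.lab.eng.rdu.redhat.com:8443/ocsp
"""

ADMIN_P12_LABEL = "Administrator's PKCS #12 file"


def parse_summary(text):
    """Map each 'Label: value' line of the summary to a dict entry.

    pkispawn prints a value either after the colon on the same line or,
    indented, on the next non-empty line; both forms are handled here.
    """
    fields = {}
    pending = None  # label whose value is expected on the following line
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if pending is not None:
            fields[pending] = stripped  # may itself contain ':' (a URL)
            pending = None
            continue
        m = re.match(r"^(.+?):\s*(.*)$", stripped)
        if m:
            label, value = m.group(1).strip(), m.group(2).strip()
            if value:
                fields[label] = value
            else:
                pending = label
    return fields


def admin_p12_path(summary_text):
    """Return the admin PKCS #12 path announced by pkispawn, or None."""
    return parse_summary(summary_text).get(ADMIN_P12_LABEL)


def check_admin_p12(summary_text):
    """'ok' if a .p12 path is announced, 'missing-p12' if the summary fell
    back to nickname + certificate database (the symptom in this bug)."""
    fields = parse_summary(summary_text)
    if fields.get(ADMIN_P12_LABEL, "").endswith(".p12"):
        return "ok"
    if "Administrator's certificate nickname" in fields:
        return "missing-p12"
    return "unknown"
```

Feed the full stdout of `pkispawn` to `check_admin_p12` in a post-install step to catch a silently missing admin p12 instead of noticing it at first `pki -n ... ocsp-user-find`.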

Comment 2 Geetika Kapoor 2017-12-04 19:35:16 UTC
Other Observations:
==================

1. Try to create the p12 file manually:

Get the ocsp.crt in base64 format from the EE page.

2. pki -v  -d /root/.dogtag/topology-OCSP-EX/ocsp/alias client-cert-import ocspadmin --cert ocsp.crt

Make sure ocspadmin cert has trust u,u,u.

certutil -L -d /root/.dogtag/topology-OCSP-EX/ocsp/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ocspadmin                                                    u,u,u

3. pk12util -d /root/.dogtag/topology-OCSP-EX/ocsp/alias -n ocspadmin -o ocsp.p12

Import the cert in a p12 format.

4. [root@pki1 test]# certutil -L -d .

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA Signing Certificate                                       CT,C,C
RootCA                                                       CT,C,C
caadmin                                                      u,u,u
ocspadmin                                                    u,u,u
[root@pki1 test]# pki -d . -p 31080 -n ocspadmin ocsp-user-find
PKIException: Unauthorized
[root@pki1 test]# pki -v  -d . -p 31080 -n ocspadmin ocsp-user-find
PKI options: -v -d .
PKI command: 31080 -p 31080 -n ocspadmin ocsp-user-find
Java command: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -Djava.ext.dirs=/usr/share/pki/lib -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI -d . --verbose -p 31080 -n ocspadmin ocsp-user-find
Server URI: http://pki1.example.com:31080
Client security database: /root/test/.
Message format: null
Command: ocsp-user-find
Initializing security database
Module: ocsp
Initializing PKIClient
HTTP request: GET /pki/rest/info HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:31080
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 200 OK
  Server: Apache-Coyote/1.1
  Set-Cookie: JSESSIONID=37DF3C317171DAD1653548F0EB3E34EF; Path=/pki; HttpOnly
  Content-Type: application/xml
  Content-Length: 106
  Date: Mon, 04 Dec 2017 19:04:08 GMT
HTTP request: GET /ocsp/rest/account/login HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:31080
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 302 Found
  Server: Apache-Coyote/1.1
  Cache-Control: private
  Expires: Thu, 01 Jan 1970 05:30:00 IST
  Location: https://pki1.example.com:31443/ocsp/rest/account/login
  Content-Length: 0
  Date: Mon, 04 Dec 2017 19:04:08 GMT
HTTP redirect: https://pki1.example.com:31443/ocsp/rest/account/login
Client certificate: ocspadmin
HTTP request: GET /ocsp/rest/account/login HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:31443
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
Server certificate: CN=pki1.example.com,OU=topology-OCSP-EX,O=EXAMPLE
HTTP response: HTTP/1.1 401 Unauthorized
  Server: Apache-Coyote/1.1
  Cache-Control: private
  Expires: Thu, 01 Jan 1970 05:30:00 IST
  WWW-Authenticate: Basic realm="Online Certificate Status Protocol Manager"
  Content-Type: text/html;charset=utf-8
  Content-Language: en
  Content-Length: 951
  Date: Mon, 04 Dec 2017 19:04:08 GMT
com.netscape.certsrv.base.PKIException: Unauthorized
	at com.netscape.certsrv.client.PKIConnection.handleErrorResponse(PKIConnection.java:467)
	at com.netscape.certsrv.client.PKIConnection.getEntity(PKIConnection.java:439)
	at com.netscape.certsrv.client.PKIClient.getEntity(PKIClient.java:107)
	at com.netscape.certsrv.account.AccountClient.login(AccountClient.java:46)
	at com.netscape.certsrv.client.SubsystemClient.login(SubsystemClient.java:47)
	at com.netscape.cmstools.cli.SubsystemCLI.login(SubsystemCLI.java:46)
	at com.netscape.cmstools.cli.SubsystemCLI.execute(SubsystemCLI.java:64)
	at com.netscape.cmstools.cli.CLI.execute(CLI.java:345)
	at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:631)
	at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:667)
ERROR: Command '['/usr/lib/jvm/jre-1.8.0-openjdk/bin/java', '-Djava.ext.dirs=/usr/share/pki/lib', '-Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties', 'com.netscape.cmstools.cli.MainCLI', '-d', '.', '--verbose', '-p', '31080', '-n', 'ocspadmin', 'ocsp-user-find']' returned non-zero exit status 255

Debug logs:
===========

[05/Dec/2017:00:38:57][http-bio-31443-exec-17]: SignedAuditLogger: event ACCESS_SESSION_ESTABLISH
[05/Dec/2017:00:38:57][http-bio-31443-exec-17]: PKIRealm: Authenticating certificate chain:
[05/Dec/2017:00:38:57][http-bio-31443-exec-17]: PKIRealm.getAuditUserfromCert: certUID=CN=PKI Administrator, EMAILADDRESS=ocspadmin, OU=topology-OCSP-EX, O=EXAMPLE
[05/Dec/2017:00:38:57][http-bio-31443-exec-17]: PKIRealm:   CN=PKI Administrator, EMAILADDRESS=ocspadmin, OU=topology-OCSP-EX, O=EXAMPLE
[05/Dec/2017:00:38:57][http-bio-31443-exec-17]: CertUserDBAuth: started
[05/Dec/2017:00:38:57][http-bio-31443-exec-17]: CertUserDBAuth: Retrieving client certificate
[05/Dec/2017:00:38:57][http-bio-31443-exec-17]: CertUserDBAuth: Got client certificate
[05/Dec/2017:00:38:57][http-bio-31443-exec-17]: Authentication: client certificate found
[05/Dec/2017:00:38:57][http-bio-31443-exec-17]: In LdapBoundConnFactory::getConn()
[05/Dec/2017:00:38:57][http-bio-31443-exec-17]: masterConn is connected: true
[05/Dec/2017:00:38:57][http-bio-31443-exec-17]: getConn: conn is connected true
[05/Dec/2017:00:38:57][http-bio-31443-exec-17]: getConn: mNumConns now 2
[05/Dec/2017:00:38:57][http-bio-31443-exec-17]: returnConn: mNumConns now 3
[05/Dec/2017:00:38:57][http-bio-31443-exec-17]: CertUserDBAuthentication: cannot map certificate to any userUser not found
[05/Dec/2017:00:38:57][http-bio-31443-exec-17]: SignedAuditLogger: event AUTH
[05/Dec/2017:00:38:57][http-bio-31443-exec-17]: SignedAuditLogger: event ACCESS_SESSION_TERMINATED

Comment 3 Geetika Kapoor 2017-12-04 19:35:50 UTC
Created attachment 1362796 [details]
Config-logs

Comment 4 Geetika Kapoor 2017-12-04 19:45:03 UTC
Generally we see Subsystem certificates under CA(ou=people,o=topology-02-CA-CA) for various subsystems like:

DN: uid=OCSP-pki1.example.com-22443
 2;9;CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org;CN=Subsystem Certificate,OU=topology-02-OCSP,O=topology-02_Foobarmaster.org

DN: uid=TKS-pki1.example.com-23443,ou=people,o=topology-02-CA-CA

2;19;CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org;CN=Subsystem Certificate,OU=topology-02-TKS,O=topology-02_Foobarmaster.org


With ExternalCA:
----------------

Couldn't find such entries for External OCSP.

Comment 6 Endi Sukma Dewata 2017-12-18 22:44:06 UTC
Fixed in master:
* f54b4a8d08be0dd81a3d98ae3ffc59cf6f350ca6

Fixed in upstream 10.5 branch:
* ffac807486d36e031c1afbcbb2b246536d4ae240

Test build (based on upstream 10.5 branch):
https://copr.devel.redhat.com/coprs/edewata/pki-10.5/build/16575/

Updated docs:
* http://pki.fedoraproject.org/wiki/Installing_OCSP_with_External_Certificates
* http://pki.fedoraproject.org/wiki/Installing_KRA_with_External_Certificates

Comment 8 Geetika Kapoor 2018-02-21 11:39:26 UTC
There is some delay in testing this because we faced some issues because of the below two bugs. Those are mandatory to test this bugzilla. This is tested in HSM + FIPS as it is a CC requirement.

1. 1535797
2. 1540687


Test Env:
========

# rpm -qa pki-*
pki-core-debuginfo-10.5.1-6.1.el7pki.x86_64
pki-base-10.5.1-9.el7.noarch
pki-ca-10.5.1-9.el7.noarch
pki-javadoc-10.5.1-6.1.el7.noarch
pki-tks-10.5.1-6.1.el7pki.noarch
pki-console-10.5.1-4.el7pki.noarch
pki-base-java-10.5.1-9.el7.noarch
pki-server-10.5.1-9.el7.noarch
pki-kra-10.5.1-9.el7.noarch
pki-tps-10.5.1-6.1.el7pki.x86_64
pki-ocsp-10.5.1-6.1.el7pki.noarch
pki-tools-10.5.1-9.el7.x86_64
pki-symkey-10.5.1-9.el7.x86_64

Test steps:
==========

1. Generate the CSRs using the OCSP installation file.
2. Once the CSRs are generated:

    ==========================================================================
                                INSTALLATION SUMMARY
    ==========================================================================

      The OCSP subsystem of the 'gkapoor_RHCS75_externalocsp' instance is still incomplete.

      The CSRs for OCSP certificates have been generated in:
          OCSP signing:  ocsp_signing.csr
          subsystem:     subsystem.csr
          SSL server:    sslserver.csr
          audit signing: ocsp_audit_signing.csr
          admin:         ocsp_admin.csr

      Please obtain the necessary certificate(s) for this subsystem,
      and run installation step two.

    ==========================================================================

3. Submit the CMC request to the external CA for signing the OCSP certificates. Attached are all files for the external OCSP installation.
4. Run the step 2 installation.
5. While running, I have made sure that I have provided all PKCS #7 certs in the step 2 configuration file.

Installation:
============

    ==========================================================================
                                INSTALLATION SUMMARY
    ==========================================================================

      Administrator's username:             ocspadmin
      Administrator's PKCS #12 file:
            /root/.dogtag/gkapoor_RHCS75_externalocsp/ocsp_admin_cert.p12

      This OCSP subsystem of the 'gkapoor_RHCS75_externalocsp' instance
      has FIPS mode enabled on this operating system.

      REMINDER:  Don't forget to update the appropriate FIPS
                 algorithms in server.xml in the 'gkapoor_RHCS75_externalocsp' instance.

      To check the status of the subsystem:
            systemctl status pki-tomcatd

      To restart the subsystem:
            systemctl restart pki-tomcatd

      The URL for the subsystem is:
            https://csqa4-guest04.idm.lab.eng.rdu.redhat.com:8443/ocsp

      PKI instances will be enabled upon system boot

    ==========================================================================

Verification:
=============

[root@csqa4-guest04 external_ocsp]# pk12util -i /root/.dogtag/gkapoor_RHCS75_externalocsp/ocsp_admin_cert.p12 -d .
Enter Password or Pin for "NSS FIPS 140-2 Certificate DB":
Enter password for PKCS12 file: 
pk12util: PKCS12 IMPORT SUCCESSFUL
[root@csqa4-guest04 external_ocsp]# pki -d . -n "PKI OCSP Administrator" -c SECret.123 ocsp-user-find
WARNING: UNTRUSTED ISSUER encountered on 'CN=csqa4-guest04.idm.lab.eng.rdu.redhat.com,OU=gkapoor_RHCS75_externalocsp,O=idm.lab.eng.rdu.redhat.com Security Domain' indicates a non-trusted CA cert 'CN=CA Signing Certificate,OU=gkapoor-ecc-exca0,O=idm.lab.eng.rdu.redhat.com Security Domain'
Import CA certificate (Y/n)? Y
CA server URI [http://csqa4-guest04.idm.lab.eng.rdu.redhat.com:8080/ca]: http://csqa4-guest04.idm.lab.eng.rdu.redhat.com:23080/ca
-----------------
3 entries matched
-----------------
  User ID: ocspadmin
  Full name: ocspadmin

  User ID: pkidbuser
  Full name: pkidbuser

  User ID: CA-csqa4-guest04.idm.lab.eng.rdu.redhat.com-23443
  Full name: CA-csqa4-guest04.idm.lab.eng.rdu.redhat.com-23443
----------------------------
Number of entries returned 3
----------------------------

Comment 11 errata-xmlrpc 2018-04-10 17:02:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0925

