Bug 1549632 - Not able to generate certificate request with ECC using pki client-cert-request
Summary: Not able to generate certificate request with ECC using pki client-cert-request
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.5
Hardware: All
OS: Linux
Target Milestone: rc
: ---
Assignee: Amol K
QA Contact: Asha Akkiangady
Marc Muehlfeld
Depends On:
Blocks: 1558919
TreeView+ depends on / blocked
Reported: 2018-02-27 14:24 UTC by Amol K
Modified: 2020-10-04 21:42 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
The *client-cert-request* utility no longer fails to create CSRs for ECC certificates Previously, the *generatePkcs10Request* method in the Certificate System's *client-cert-request* utility failed to map the curve and length parameters. Consequently, the utility failed to create certificate signing requests (CSR) for Elliptic Curve Cryptography (ECC) certificates. The problem has been fixed. As a result, using *client-cert-request* for creating CSRs for ECC certificates works as expected.
Clone Of:
: 1558919 (view as bug list)
Last Closed: 2018-10-30 11:05:27 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Github dogtagpki pki issues 3093 0 None None None 2020-10-04 21:42:21 UTC
Red Hat Product Errata RHBA-2018:3195 0 None None None 2018-10-30 11:06:49 UTC

Description Amol K 2018-02-27 14:24:02 UTC
Description of problem:

pki client-cert-request is not able to generate ECC certificate request.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. pki -d /opt/pki/certdb/ -c SECret.123 -p 20080 -v client-cert-request --algorithm ecc --curve nistp256  "UID=ecc_user3,CN=ECC User3" 

Actual results:
Server URI: http://pki1.example.com:20080
Client security database: /opt/pki/certdb
Message format: null
Command: client-cert-request --algorithm ecc --curve nistp256 "UID=ecc_user3,CN=ECC User3"
Module: client
Module: cert-request
External command: /usr/bin/PKCS10Client -d /opt/pki/certdb -p SECret.123 -a ecc -l 1024 -o /opt/pki/certdb/pki-client-cert-request-6623069256481018602.csr -n "UID=ecc_user3,CN=ECC User3"
java.lang.Exception: CSR generation failed
	at com.netscape.cmstools.client.ClientCertRequestCLI.generatePkcs10Request(ClientCertRequestCLI.java:408)
	at com.netscape.cmstools.client.ClientCertRequestCLI.execute(ClientCertRequestCLI.java:256)
	at com.netscape.cmstools.cli.CLI.execute(CLI.java:345)
	at com.netscape.cmstools.cli.CLI.execute(CLI.java:345)
	at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:633)
	at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:669)
Caused by: com.netscape.cmstools.cli.CLIException: External command failed. RC: 1
	at com.netscape.cmstools.cli.CLI.runExternal(CLI.java:386)
	at com.netscape.cmstools.client.ClientCertRequestCLI.generatePkcs10Request(ClientCertRequestCLI.java:406)

Expected results:
ECC CSR should be generated

Additional info:

Comment 5 Matthew Harmsen 2018-03-22 21:03:30 UTC
commit 15911c8e65eb1543776a64f567ca3e281091e750 (HEAD -> DOGTAG_10_5_BRANCH, origin/DOGTAG_10_5_BRANCH, gerrit/DOGTAG_10_5_BRANCH)
Author: Amol Kahat <akahat@redhat.com>
Date:   Tue Feb 27 19:56:31 2018 +0530

    Fixed BZ 1549632: Not able to generate certificate request
    with ECC using pki client-cert-request
    Change-Id: I23a51af2c9e9bcc62983332bee22fe3c56ce1409
    Signed-off-by: Amol Kahat <akahat@redhat.com>
    (cherry picked from commit 69434ec08442b92cab8c304caef98200ff71e8e2)

Comment 6 Amol K 2018-03-26 06:43:39 UTC
Testing Instructions: https://bugzilla.redhat.com/show_bug.cgi?id=1558919#c3

Comment 7 Matthew Harmsen 2018-04-25 00:34:22 UTC
Marking MODIFIED; inherited from 7.5.z

Comment 11 Amol K 2018-08-13 11:50:49 UTC
I tested this BZ on 10.5.9-5.el7 version.

I'm able to submit the certificate request with algo 'ec' and curve nistp256.
 pki -d /opt/pki/certdb/ -c SECret.123 -p 20080 -v client-cert-request --algorithm ec --curve nistp256  "UID=ecc_user3,CN=ECC User3" 

Submitted certificate request
  Request ID: 47
  Type: enrollment
  Request Status: pending
  Operation Result: success


Verifying this Bugzilla.

Comment 13 errata-xmlrpc 2018-10-30 11:05:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.