Bug 1550742 - Address ECC profile overrides
Summary: Address ECC profile overrides
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.6
Hardware: All
OS: Linux
Target Milestone: rc
: ---
Assignee: Christina Fu
QA Contact: Asha Akkiangady
Marc Muehlfeld
Depends On:
Blocks: 1547802 1596525
TreeView+ depends on / blocked
Reported: 2018-03-01 23:38 UTC by Christina Fu
Modified: 2020-10-04 21:42 UTC (History)
5 users (show)

Fixed In Version: pki-core-10.5.9-2.el7
Doc Type: Enhancement
Doc Text:
Certificate System automatically applies ECC profiles when setting up root CA with ECC certificates This update enhances Certificate System to automatically apply ECC profiles when setting up a new root CA with ECC profiles using the *pkispawn* utility. As a result, administrators no longer have to set the profile overwrite parameters for ECC certificates as a workaround in the configuration file passed to *pkispawn* when setting up a root CA.
Clone Of:
: 1596525 (view as bug list)
Last Closed: 2018-10-30 11:05:27 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Github dogtagpki pki issues 3069 0 None None None 2020-10-04 21:41:52 UTC
Github dogtagpki pki issues 3077 0 None None None 2020-10-04 21:42:09 UTC
Red Hat Product Errata RHBA-2018:3195 0 None None None 2018-10-30 11:06:49 UTC

Description Christina Fu 2018-03-01 23:38:36 UTC
Description of problem:
During installation, pkispawn should distinguish RSA form ECC and point them to the respective set of enrollment profiles.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

Actual results:

Expected results:

Additional info:

Comment 3 Matthew Harmsen 2018-03-14 16:39:50 UTC
This bug is meant to address the workaround documented at the following URL:

* http://pki.fedoraproject.org/wiki/PKI_10.5_Pkispawn_ECC_Profile_Workaround

Comment 4 Matthew Harmsen 2018-05-04 22:50:13 UTC
 Per RHEL 7.5.z/7.6/8.0 Triage:  7.5.z

Comment 5 Christina Fu 2018-06-28 16:18:47 UTC

commit 9a8e54ab9a8f1192c240639c42f8a744160a8ef8 (HEAD -> master, origin/master, origin/HEAD, ticket-2959-pkispawn-EC-profiles-master)
Author: Christina Fu <cfu@redhat.com>
Date:   Wed Jun 27 15:04:57 2018 -0700

    Ticket #2959 Address pkispawn ECC profile overrides
    This patch enables proper ECC profiles to be automatically applied during
    This patch would eliminate the need for the workaround documented here:
    The idea is to use the % replacement strings as part of the profile names
    in the default.cfg file for pkispawn,
    and change the profile names to mach the format. So for example:
    would either be translated to rsaAdminCert.profile or eccAdminCert.profile
    depending  on the value in pki_admin_key_type
    fixes https://pagure.io/dogtagpki/issue/2959

Comment 8 Amol K 2018-08-14 05:57:50 UTC
I tested this Bugzilla on 10.5.9-4.el7 version.

I tried it without a workaround. During the pkispawn it distinguishes between the RSA and EC profiles. 

After the successful installation, I'm able to see the admin, subsystem and Server certificate is generated as per the admin key type.

This Bugzilla working as expected.

Verifying this Bugzilla.

Comment 10 errata-xmlrpc 2018-10-30 11:05:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.