Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1562967 - [RFE] Reduce validity for SSL Certificates to less than 39 months
Summary: [RFE] Reduce validity for SSL Certificates to less than 39 months
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Installation
Version: 6.2.14
Hardware: All
OS: Linux
unspecified
high
Target Milestone: Unspecified
Assignee: satellite6-bugs
QA Contact: Devendra Singh
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-04-02 19:34 UTC by Hradayesh Shukla
Modified: 2023-10-06 17:45 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-02-03 16:30:44 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker SAT-5017 0 None None None 2021-09-09 13:35:49 UTC

Description Hradayesh Shukla 2018-04-02 19:34:04 UTC 
1. Proposed title of this feature request:
[RFE] Reduce validity for SSL Certificates to less than 39 months


2. What is the nature and description of the request?
Reduce validity for SSL Certificates to less than 39 months. 

Starting 1 April 2015, Certification Authorities (CAs) are not permitted to issue SSL certificates (issued from a public root) with a validity period greater than 39 months. SSL/TLS certificate maximum validity is three years (39 months) for Domain Validated (DV) and Organization Validated (OV) Certificates. SSL certificates have limited validity periods so that the certificate's holder identity information is re-authenticated more frequently. 
When using Custom SSL Certificates, customer will have to replace the certificates each time he is upgrading the Satellite Server.  


3. Why does the customer need this? (List the business requirements here)
Starting 1 April 2015, Certification Authorities (CAs) are not permitted to issue SSL certificates (issued from a public root) with a validity period greater than 39 months. SSL/TLS certificate maximum validity is three years (39 months) for Domain Validated (DV) and Organization Validated (OV) Certificates. SSL certificates have limited validity periods so that the certificate's holder identity information is re-authenticated more frequently. 
 When using Custom SSL Certificates, customer will have to replace the certificates each time he is upgrading the Satellite Server.  

4. How would the customer like to achieve this? (List the functional requirements here)
-> Reduce the validity for SSL Certificates to less than 39 months. 
-> Not replace the certificates on each upgrade. 
 

5. For each functional requirement listed in question 5, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.
-> Check functionality internally and then request the customer to do UAT. 
 
6. Is there already an existing RFE upstream or in Red Hat bugzilla?
No 

7. Does the customer have any specific timeline dependencies?
As soon as possible 

8. Is the sales team involved in this request and do they have any additional input?
No
 
9. List any affected packages or components.
Self signed SSL Certificates by Red Hat Satellite  

10. Would the customer be able to assist in testing this functionality if implemented?
Yes
Comment 2 Hradayesh Shukla 2018-04-02 19:36:26 UTC 
To add to the above, the ports which need these changes are:  

9090 (connection to the proxy in the capsule)
8443 (subscription-manager)
5000 (connection to katello for docker registry)
443  (Connections to Katello, Foreman, Foreman API, and Pulp)

Thanks,
Hradayesh Shukla
Red Hat - Technical Support
Comment 5 Eric Helms 2018-05-31 01:19:53 UTC 
The satellite-installer provides the ability to customize both the CA and generated certificates expiration periods through configuration values. Specifically:

  --certs-ca-expiration
  --certs-expiration

I would advise users to customize these to their needs but with caution. All Satellites, Capsules and Hosts would have to get updated certificates in place when a new CA is generated. In a large deployment, this can lead to a large churn across the footprint of Satellite, Capsules and Hosts. Please consider this in longer term infrastructure planning if changing these values.
Comment 15 Ewoud Kohl van Wijngaarden 2019-06-04 15:20:07 UTC 
The current CAB[1] requirement is:

  Subscriber Certificates issued after March 1, 2018 MUST have a Validity Period no greater than 825 days.

This is relevant when requesting a certificate from a public (commercial) Certificate Authority. However, it's unclear if browsers do anything with this when using a private CA as we do in Satellite. Given it's been over a year and we still default to 20 years, I think it's safe to assume we're not impacted.

In my experience CAs generally also ignore the days field in the CSR and force their own value. This is usually chosen somewhere in the order process where the CA customer pays for the certificate.

With that in mind, I'd suggest not adding any more documentation. Suggesting parameters that are later ignored may just introduce more confusion. If the default value is invalid, it should be changed it to a working default.

[1]: https://cabforum.org/2017/03/17/ballot-193-825-day-certificate-lifetimes/
Comment 16 Melanie Corr 2019-06-04 15:24:54 UTC 
Hi Ewoud, 

Thanks very much for the clarification. 

With this information, I am going to close off this bug. 

Thanks,

Melanie
Comment 17 jheinze 2019-12-06 18:04:33 UTC 
It seems that with MacOS Catalina, certs with greater than 825 day expiration are getting flagged as revoked in Chrome:
Your connection is not private
Attackers might be trying to steal your information from my.satellite.server (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_REVOKED
Subject: my.satellite.server

Issuer: my.satellite.server

Expires on: Jan 17, 2038

Current date: Dec 4, 2019


https://support.apple.com/en-us/HT210176
"TLS server certificates must have a validity period of 825 days or fewer (as expressed in the NotBefore and NotAfter fields of the certificate).

Connections to TLS servers violating these new requirements will fail and may cause network failures, apps to fail, and websites to not load in Safari in iOS 13 and macOS 10.15.

Published Date: November 03, 2019"


Maybe this bug should be reopened and the default certificate expiration should be addressed?
Comment 18 Sergei Petrosian 2019-12-23 13:55:07 UTC 
Hello jheinze,

The validity of a certificate is set by the certificate authority during signing the certificate. 
The information you provided is not related to Satellite specifically and is only applicable to deployments that use MacOS to navigate to Satellite web UI. Such low-level information is hard to maintain in our docs, therefore we expect such custom configuration to be sorted out by the CA that signs a certificate.

Thank you
Comment 19 Ewoud Kohl van Wijngaarden 2020-01-02 14:13:53 UTC 
It appears that since I wrote https://bugzilla.redhat.com/show_bug.cgi?id=1562967#c15 the difference is that MacOS started to apply the rules to custom CAs. Since the CA that signs these out of the box is managed by us, I think this may be good to address. Right now I'm reopening this against the installer so we can triage it.
Comment 20 Bryan Kearney 2020-01-15 21:01:19 UTC 
The Satellite Team is attempting to provide an accurate backlog of bugzilla requests which we feel will be resolved in the next few releases. We do not believe this bugzilla will meet that criteria, and have plans to close it out in 1 month. This is not a reflection on the validity of the request, but a reflection of the many priorities for the product. If you have any concerns about this, feel free to contact Red Hat Technical Support or your account team. If we do not hear from you, we will close this bug out. Thank you.
Comment 21 Bryan Kearney 2020-02-03 16:30:44 UTC 
Thank you for your interest in Satellite 6. We have evaluated this request, and while we recognize that it is a valid request, we do not expect this to be implemented in the product in the foreseeable future. This is due to other priorities for the product, and not a reflection on the request itself. We are therefore closing this out as WONTFIX. If you have any concerns about this, please do not reopen. Instead, feel free to contact Red Hat Technical Support. Thank you.
Note You need to log in before you can comment on or make changes to this bug.