Bug 1563685 - ipa-server-install can not change default CA signing algorithm with option `--ca-signing-algorithm`.
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.5
Hardware: All
OS: Linux
Priority: unspecified
Severity: low
Target Milestone: rc
Target Release: ---
Assignee: IPA Maintainers
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-04-04 12:54 UTC by Gaurav Swami
Modified: 2018-07-10 05:50 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-07-10 05:50:57 UTC
Target Upstream Version:


Attachments
IPA server install logs. (3.99 MB, text/plain)
2018-04-04 12:54 UTC, Gaurav Swami

Description Gaurav Swami 2018-04-04 12:54:46 UTC
Created attachment 1417260
IPA server install logs.

Description of problem:

IPA currently uses the sha256WithRSAEncryption signature algorithm by default.

ipa-server-install cannot change the default CA signing algorithm with the option `--ca-signing-algorithm`.

Version-Release number of selected component (if applicable):

RHEL 7.5 beta 
ipa-server-4.5.4-7.el7.x86_64


How reproducible:

Install the IPA server as below:

# ipa-server-install --ca-signing-algorithm=SHA512withRSA



Actual results:

--------
[root@vm252-174 ~]# certutil -L -d /var/lib/pki/pki-tomcat/alias/ -n 'ocspSigningCert cert-pki-ca'
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: PKCS #1 SHA-512 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=GSSLAB.PNQ2.REDHAT.COM"
        Validity:
            Not Before: Mon Apr 03 12:05:38 2017
            Not After : Sun Mar 24 12:05:38 2019
        Subject: "CN=OCSP Subsystem,O=GSSLAB.PNQ2.REDHAT.COM"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    c1:29:89:5e:e7:a6:62:12:26:61:55:10:f8:3d:d1:86:
                    f7:9c:56:74:87:67:d3:ff:5e:8e:ec:bc:70:21:95:e1:
                    5a:d8:af:e5:71:be:85:b5:b6:58:59:cf:b5:76:d3:43:
                    23:88:45:cb:68:3c:58:25:3b:66:33:03:8f:45:df:bb:
                    7f:cc:1c:b7:b8:9d:46:7d:a1:89:7c:71:31:d7:f9:26:
                    df:bb:2c:b1:67:93:20:75:ba:df:63:1e:3e:97:2b:16:
                    4f:c5:24:c7:17:d7:b9:cd:99:57:c8:26:9e:37:c0:92:
                    f9:0b:36:c2:1d:67:9b:49:9b:54:9c:11:6c:12:ea:62:
                    36:4e:a9:12:b5:c2:8b:d1:82:3b:6f:16:90:f7:8a:1d:
                    16:77:86:99:34:a5:f4:00:66:f7:8b:ac:b6:ef:af:6a:
                    8c:dd:32:5a:37:31:f3:4a:a1:bc:bd:9e:b7:33:f0:40:
                    de:0b:e9:69:51:ee:d7:2b:2f:96:eb:20:11:18:ba:59:
                    08:c2:bd:c2:ac:76:37:d5:46:b9:e6:4f:a3:3c:ce:17:
                    9c:54:f9:2d:7a:71:43:0b:a5:0f:15:fb:3b:16:be:15:
                    6d:da:f3:ae:68:74:34:90:e4:6e:0e:2a:bf:95:45:f6:
                    80:de:0c:93:3a:32:6b:63:6d:16:e1:bf:93:88:2b:57
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Authority Key Identifier
            Key ID:
                36:08:17:21:85:78:f3:9a:01:84:2c:bd:57:9d:a2:7c:
                1b:f8:2a:23

            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
            Location: 
                URI: "http://ipa-ca.gsslab.pnq2.redhat.com/ca/ocsp"

            Name: Extended Key Usage
                OCSP Responder Certificate

            Name: OCSP No Check Extension
            Data: NULL

    Signature Algorithm: PKCS #1 SHA-512 With RSA Encryption
    Signature:
        e8:c7:e3:56:f4:40:11:e1:7c:88:49:2b:e3:b6:13:23:
        0e:77:ee:3a:ea:ae:8f:3c:ea:02:12:71:f6:62:70:28:
        34:b7:c1:08:11:f7:6e:2d:85:14:64:8d:31:06:16:8e:
        c0:1b:4f:0f:c4:76:90:b1:9f:65:e0:59:8e:d6:a8:7f:
        08:88:dd:33:f7:bb:c5:6c:27:15:9e:bb:87:66:eb:ae:
        03:b7:4b:3b:fc:95:ae:d1:fb:4e:81:90:78:13:58:4f:
        30:30:16:47:26:81:17:20:ee:26:58:4c:5d:b1:d1:82:
        25:2c:b6:72:74:e6:80:ac:bc:bf:25:4f:e2:e0:f2:ec:
        91:0f:5b:4e:6a:08:d9:5c:2c:b6:b9:54:b8:35:f7:8e:
        9f:c0:28:fa:d2:25:2a:c7:d1:6d:18:13:5c:94:30:6f:
        a5:ea:6c:07:95:a1:da:1b:c1:40:20:d9:08:4c:93:8b:
        51:75:72:69:32:c6:f8:40:c1:5a:5b:40:b3:5f:23:eb:
        af:a9:c8:80:f0:db:93:7e:5a:0f:ce:d6:5e:3f:53:ed:
        00:c1:b7:12:18:c3:1f:f5:bb:e3:2a:c7:11:37:00:9a:
        51:57:b0:89:39:e2:55:43:8d:c8:62:c5:83:2d:58:cd:
        10:7e:6b:50:c2:0f:d1:57:ce:7a:b9:db:38:b1:76:60
    Fingerprint (SHA-512):
        1F:4F:E1:00:E2:1A:23:1D:83:59:39:25:82:F7:4E:A9:EE:BA:2B:F3:19:99:41:1B:CC:C7:06:B2:6B:9E:35:EE
    Fingerprint (SHA1):
        45:4C:04:56:B4:04:74:AD:A7:A6:B1:89:DB:A2:16:01:0B:D1:53:20

    Mozilla-CA-Policy: false (attribute missing)
    Certificate Trust Flags:
        SSL Flags:
            User
        Email Flags:
            User
        Object Signing Flags:
            User

[root@vm252-174 ~]# 
----------


Expected results:

--------
[root@vm252-174 ~]# certutil -L -d /var/lib/pki/pki-tomcat/alias/ -n 'ocspSigningCert cert-pki-ca'
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: PKCS #1 SHA-512 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=GSSLAB.PNQ2.REDHAT.COM"
        Validity:
            Not Before: Mon Apr 03 12:05:38 2017
            Not After : Sun Mar 24 12:05:38 2019
        Subject: "CN=OCSP Subsystem,O=GSSLAB.PNQ2.REDHAT.COM"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    c1:29:89:5e:e7:a6:62:12:26:61:55:10:f8:3d:d1:86:
                    f7:9c:56:74:87:67:d3:ff:5e:8e:ec:bc:70:21:95:e1:
                    5a:d8:af:e5:71:be:85:b5:b6:58:59:cf:b5:76:d3:43:
                    23:88:45:cb:68:3c:58:25:3b:66:33:03:8f:45:df:bb:
                    7f:cc:1c:b7:b8:9d:46:7d:a1:89:7c:71:31:d7:f9:26:
                    df:bb:2c:b1:67:93:20:75:ba:df:63:1e:3e:97:2b:16:
                    4f:c5:24:c7:17:d7:b9:cd:99:57:c8:26:9e:37:c0:92:
                    f9:0b:36:c2:1d:67:9b:49:9b:54:9c:11:6c:12:ea:62:
                    36:4e:a9:12:b5:c2:8b:d1:82:3b:6f:16:90:f7:8a:1d:
                    16:77:86:99:34:a5:f4:00:66:f7:8b:ac:b6:ef:af:6a:
                    8c:dd:32:5a:37:31:f3:4a:a1:bc:bd:9e:b7:33:f0:40:
                    de:0b:e9:69:51:ee:d7:2b:2f:96:eb:20:11:18:ba:59:
                    08:c2:bd:c2:ac:76:37:d5:46:b9:e6:4f:a3:3c:ce:17:
                    9c:54:f9:2d:7a:71:43:0b:a5:0f:15:fb:3b:16:be:15:
                    6d:da:f3:ae:68:74:34:90:e4:6e:0e:2a:bf:95:45:f6:
                    80:de:0c:93:3a:32:6b:63:6d:16:e1:bf:93:88:2b:57
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Authority Key Identifier
            Key ID:
                36:08:17:21:85:78:f3:9a:01:84:2c:bd:57:9d:a2:7c:
                1b:f8:2a:23

            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
            Location: 
                URI: "http://ipa-ca.gsslab.pnq2.redhat.com/ca/ocsp"

            Name: Extended Key Usage
                OCSP Responder Certificate

            Name: OCSP No Check Extension
            Data: NULL

    Signature Algorithm: PKCS #1 SHA-512 With RSA Encryption
    Signature:
        e8:c7:e3:56:f4:40:11:e1:7c:88:49:2b:e3:b6:13:23:
        0e:77:ee:3a:ea:ae:8f:3c:ea:02:12:71:f6:62:70:28:
        34:b7:c1:08:11:f7:6e:2d:85:14:64:8d:31:06:16:8e:
        c0:1b:4f:0f:c4:76:90:b1:9f:65:e0:59:8e:d6:a8:7f:
        08:88:dd:33:f7:bb:c5:6c:27:15:9e:bb:87:66:eb:ae:
        03:b7:4b:3b:fc:95:ae:d1:fb:4e:81:90:78:13:58:4f:
        30:30:16:47:26:81:17:20:ee:26:58:4c:5d:b1:d1:82:
        25:2c:b6:72:74:e6:80:ac:bc:bf:25:4f:e2:e0:f2:ec:
        91:0f:5b:4e:6a:08:d9:5c:2c:b6:b9:54:b8:35:f7:8e:
        9f:c0:28:fa:d2:25:2a:c7:d1:6d:18:13:5c:94:30:6f:
        a5:ea:6c:07:95:a1:da:1b:c1:40:20:d9:08:4c:93:8b:
        51:75:72:69:32:c6:f8:40:c1:5a:5b:40:b3:5f:23:eb:
        af:a9:c8:80:f0:db:93:7e:5a:0f:ce:d6:5e:3f:53:ed:
        00:c1:b7:12:18:c3:1f:f5:bb:e3:2a:c7:11:37:00:9a:
        51:57:b0:89:39:e2:55:43:8d:c8:62:c5:83:2d:58:cd:
        10:7e:6b:50:c2:0f:d1:57:ce:7a:b9:db:38:b1:76:60
    Fingerprint (SHA-512):
        1F:4F:E1:00:E2:1A:23:1D:83:59:39:25:82:F7:4E:A9:EE:BA:2B:F3:19:99:41:1B:CC:C7:06:B2:6B:9E:35:EE
    Fingerprint (SHA1):
        45:4C:04:56:B4:04:74:AD:A7:A6:B1:89:DB:A2:16:01:0B:D1:53:20

    Mozilla-CA-Policy: false (attribute missing)
    Certificate Trust Flags:
        SSL Flags:
            User
        Email Flags:
            User
        Object Signing Flags:
            User

[root@vm252-174 ~]# 
----------


Additional info:

ipaserver-install.log attached.

Comment 2 Rob Crittenden 2018-04-04 13:17:45 UTC
The actual and expected certs are identical and both are using SHA-512.

Comment 3 Gaurav Swami 2018-04-04 13:46:02 UTC
Sorry for the mistake.


--------
[root@vm252-174 ~]# certutil -L -d /var/lib/pki/pki-tomcat/alias/ -n 'ocspSigningCert cert-pki-ca'
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=GSSLAB.PNQ2.REDHAT.COM"
        Validity:
            Not Before: Mon Apr 03 12:05:38 2017
            Not After : Sun Mar 24 12:05:38 2019
        Subject: "CN=OCSP Subsystem,O=GSSLAB.PNQ2.REDHAT.COM"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    c1:29:89:5e:e7:a6:62:12:26:61:55:10:f8:3d:d1:86:
                    f7:9c:56:74:87:67:d3:ff:5e:8e:ec:bc:70:21:95:e1:
                    5a:d8:af:e5:71:be:85:b5:b6:58:59:cf:b5:76:d3:43:
                    23:88:45:cb:68:3c:58:25:3b:66:33:03:8f:45:df:bb:
                    7f:cc:1c:b7:b8:9d:46:7d:a1:89:7c:71:31:d7:f9:26:
                    df:bb:2c:b1:67:93:20:75:ba:df:63:1e:3e:97:2b:16:
                    4f:c5:24:c7:17:d7:b9:cd:99:57:c8:26:9e:37:c0:92:
                    f9:0b:36:c2:1d:67:9b:49:9b:54:9c:11:6c:12:ea:62:
                    36:4e:a9:12:b5:c2:8b:d1:82:3b:6f:16:90:f7:8a:1d:
                    16:77:86:99:34:a5:f4:00:66:f7:8b:ac:b6:ef:af:6a:
                    8c:dd:32:5a:37:31:f3:4a:a1:bc:bd:9e:b7:33:f0:40:
                    de:0b:e9:69:51:ee:d7:2b:2f:96:eb:20:11:18:ba:59:
                    08:c2:bd:c2:ac:76:37:d5:46:b9:e6:4f:a3:3c:ce:17:
                    9c:54:f9:2d:7a:71:43:0b:a5:0f:15:fb:3b:16:be:15:
                    6d:da:f3:ae:68:74:34:90:e4:6e:0e:2a:bf:95:45:f6:
                    80:de:0c:93:3a:32:6b:63:6d:16:e1:bf:93:88:2b:57
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Authority Key Identifier
            Key ID:
                36:08:17:21:85:78:f3:9a:01:84:2c:bd:57:9d:a2:7c:
                1b:f8:2a:23

            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
            Location: 
                URI: "http://ipa-ca.gsslab.pnq2.redhat.com/ca/ocsp"

            Name: Extended Key Usage
                OCSP Responder Certificate

            Name: OCSP No Check Extension
            Data: NULL

    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
        e8:c7:e3:56:f4:40:11:e1:7c:88:49:2b:e3:b6:13:23:
        0e:77:ee:3a:ea:ae:8f:3c:ea:02:12:71:f6:62:70:28:
        34:b7:c1:08:11:f7:6e:2d:85:14:64:8d:31:06:16:8e:
        c0:1b:4f:0f:c4:76:90:b1:9f:65:e0:59:8e:d6:a8:7f:
        08:88:dd:33:f7:bb:c5:6c:27:15:9e:bb:87:66:eb:ae:
        03:b7:4b:3b:fc:95:ae:d1:fb:4e:81:90:78:13:58:4f:
        30:30:16:47:26:81:17:20:ee:26:58:4c:5d:b1:d1:82:
        25:2c:b6:72:74:e6:80:ac:bc:bf:25:4f:e2:e0:f2:ec:
        91:0f:5b:4e:6a:08:d9:5c:2c:b6:b9:54:b8:35:f7:8e:
        9f:c0:28:fa:d2:25:2a:c7:d1:6d:18:13:5c:94:30:6f:
        a5:ea:6c:07:95:a1:da:1b:c1:40:20:d9:08:4c:93:8b:
        51:75:72:69:32:c6:f8:40:c1:5a:5b:40:b3:5f:23:eb:
        af:a9:c8:80:f0:db:93:7e:5a:0f:ce:d6:5e:3f:53:ed:
        00:c1:b7:12:18:c3:1f:f5:bb:e3:2a:c7:11:37:00:9a:
        51:57:b0:89:39:e2:55:43:8d:c8:62:c5:83:2d:58:cd:
        10:7e:6b:50:c2:0f:d1:57:ce:7a:b9:db:38:b1:76:60
    Fingerprint (SHA-256):
        1F:4F:E1:00:E2:1A:23:1D:83:59:39:25:82:F7:4E:A9:EE:BA:2B:F3:19:99:41:1B:CC:C7:06:B2:6B:9E:35:EE
    Fingerprint (SHA1):
        45:4C:04:56:B4:04:74:AD:A7:A6:B1:89:DB:A2:16:01:0B:D1:53:20

    Mozilla-CA-Policy: false (attribute missing)
    Certificate Trust Flags:
        SSL Flags:
            User
        Email Flags:
            User
        Object Signing Flags:
            User

[root@vm252-174 ~]# 

----------


Expected results:

--------
[root@vm252-174 ~]# certutil -L -d /var/lib/pki/pki-tomcat/alias/ -n 'ocspSigningCert cert-pki-ca'
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: PKCS #1 SHA-512 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=GSSLAB.PNQ2.REDHAT.COM"
        Validity:
            Not Before: Mon Apr 03 12:05:38 2017
            Not After : Sun Mar 24 12:05:38 2019
        Subject: "CN=OCSP Subsystem,O=GSSLAB.PNQ2.REDHAT.COM"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    c1:29:89:5e:e7:a6:62:12:26:61:55:10:f8:3d:d1:86:
                    f7:9c:56:74:87:67:d3:ff:5e:8e:ec:bc:70:21:95:e1:
                    5a:d8:af:e5:71:be:85:b5:b6:58:59:cf:b5:76:d3:43:
                    23:88:45:cb:68:3c:58:25:3b:66:33:03:8f:45:df:bb:
                    7f:cc:1c:b7:b8:9d:46:7d:a1:89:7c:71:31:d7:f9:26:
                    df:bb:2c:b1:67:93:20:75:ba:df:63:1e:3e:97:2b:16:
                    4f:c5:24:c7:17:d7:b9:cd:99:57:c8:26:9e:37:c0:92:
                    f9:0b:36:c2:1d:67:9b:49:9b:54:9c:11:6c:12:ea:62:
                    36:4e:a9:12:b5:c2:8b:d1:82:3b:6f:16:90:f7:8a:1d:
                    16:77:86:99:34:a5:f4:00:66:f7:8b:ac:b6:ef:af:6a:
                    8c:dd:32:5a:37:31:f3:4a:a1:bc:bd:9e:b7:33:f0:40:
                    de:0b:e9:69:51:ee:d7:2b:2f:96:eb:20:11:18:ba:59:
                    08:c2:bd:c2:ac:76:37:d5:46:b9:e6:4f:a3:3c:ce:17:
                    9c:54:f9:2d:7a:71:43:0b:a5:0f:15:fb:3b:16:be:15:
                    6d:da:f3:ae:68:74:34:90:e4:6e:0e:2a:bf:95:45:f6:
                    80:de:0c:93:3a:32:6b:63:6d:16:e1:bf:93:88:2b:57
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Authority Key Identifier
            Key ID:
                36:08:17:21:85:78:f3:9a:01:84:2c:bd:57:9d:a2:7c:
                1b:f8:2a:23

            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
            Location: 
                URI: "http://ipa-ca.gsslab.pnq2.redhat.com/ca/ocsp"

            Name: Extended Key Usage
                OCSP Responder Certificate

            Name: OCSP No Check Extension
            Data: NULL

    Signature Algorithm: PKCS #1 SHA-512 With RSA Encryption
    Signature:
        e8:c7:e3:56:f4:40:11:e1:7c:88:49:2b:e3:b6:13:23:
        0e:77:ee:3a:ea:ae:8f:3c:ea:02:12:71:f6:62:70:28:
        34:b7:c1:08:11:f7:6e:2d:85:14:64:8d:31:06:16:8e:
        c0:1b:4f:0f:c4:76:90:b1:9f:65:e0:59:8e:d6:a8:7f:
        08:88:dd:33:f7:bb:c5:6c:27:15:9e:bb:87:66:eb:ae:
        03:b7:4b:3b:fc:95:ae:d1:fb:4e:81:90:78:13:58:4f:
        30:30:16:47:26:81:17:20:ee:26:58:4c:5d:b1:d1:82:
        25:2c:b6:72:74:e6:80:ac:bc:bf:25:4f:e2:e0:f2:ec:
        91:0f:5b:4e:6a:08:d9:5c:2c:b6:b9:54:b8:35:f7:8e:
        9f:c0:28:fa:d2:25:2a:c7:d1:6d:18:13:5c:94:30:6f:
        a5:ea:6c:07:95:a1:da:1b:c1:40:20:d9:08:4c:93:8b:
        51:75:72:69:32:c6:f8:40:c1:5a:5b:40:b3:5f:23:eb:
        af:a9:c8:80:f0:db:93:7e:5a:0f:ce:d6:5e:3f:53:ed:
        00:c1:b7:12:18:c3:1f:f5:bb:e3:2a:c7:11:37:00:9a:
        51:57:b0:89:39:e2:55:43:8d:c8:62:c5:83:2d:58:cd:
        10:7e:6b:50:c2:0f:d1:57:ce:7a:b9:db:38:b1:76:60
    Fingerprint (SHA-512):
        1F:4F:E1:00:E2:1A:23:1D:83:59:39:25:82:F7:4E:A9:EE:BA:2B:F3:19:99:41:1B:CC:C7:06:B2:6B:9E:35:EE
    Fingerprint (SHA1):
        45:4C:04:56:B4:04:74:AD:A7:A6:B1:89:DB:A2:16:01:0B:D1:53:20

    Mozilla-CA-Policy: false (attribute missing)
    Certificate Trust Flags:
        SSL Flags:
            User
        Email Flags:
            User
        Object Signing Flags:
            User

[root@vm252-174 ~]# 
----------

Comment 5 Rob Crittenden 2018-04-18 17:24:51 UTC
The CA in the attached log shows it is signed with sha512WithRSAEncryption.

I think there is a misunderstanding. The option only affects the signing algorithm used for the CA, NOT for the certificates issued by the CA.

A separate option in pki-spawn is needed for that, pki_ca_signing_signing_algorithm, which IPA does not supply and the default is sha256.

Comment 8 Alexander Bokovoy 2018-07-09 13:41:30 UTC
These settings can be changed in /etc/pki/default.cfg before deploying an IPA CA. There is strictly no need to change IPA for achieving it.

Comment 9 Alexander Bokovoy 2018-07-09 13:51:59 UTC
This is documented in pki_default.cfg(5) man page.
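The comments above explain that `--ca-signing-algorithm` governs only the CA certificate itself, so the way to confirm what a deployment actually did is to read the signature algorithm off each certificate in the CA's NSS database, as the reporter did with `certutil -L`. The following POSIX shell helper is an added example, not part of the bug report or of FreeIPA/Dogtag; it parses `certutil -L` output on stdin and compares the reported algorithm to an expected string, so an audit can flag any subsystem certificate that was not signed with the intended hash. The sample listing embedded in it is constructed (modulus and signature omitted, domain `EXAMPLE.TEST`); the database path and certificate nickname in the usage comment are the ones from this bug.

```shell
#!/bin/sh
# Added example (not from the bug report or from FreeIPA/Dogtag): audit the
# signature algorithm recorded in certutil -L output.

# Extract the "Signature Algorithm" field from `certutil -L` output read from
# stdin. certutil prints the field twice (inside the signed data and again
# just before the signature bytes); both carry the same value, so the first
# occurrence is enough.
sig_alg_from_certutil() {
    sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | head -n 1
}

# Return 0 when the algorithm in the certutil output on stdin equals the
# expected description (as certutil prints it), 1 otherwise.
check_sig_alg() {
    expected="$1"
    actual=$(sig_alg_from_certutil)
    [ "$actual" = "$expected" ]
}

# Check every nickname in an NSS database against one expected algorithm and
# print a line per certificate. Needs a real certutil, so it is not exercised
# offline; `certutil -L -d <db>` lists "nickname   trust-flags" rows.
audit_nssdb() {
    dbdir="$1"
    expected="$2"
    status=0
    certutil -L -d "$dbdir" | sed '1,/^$/d' | sed 's/[[:space:]]\{2,\}[^[:space:]]*$//' |
    while IFS= read -r nick; do
        [ -n "$nick" ] || continue
        if certutil -L -d "$dbdir" -n "$nick" | check_sig_alg "$expected"; then
            printf 'OK       %s\n' "$nick"
        else
            printf 'MISMATCH %s\n' "$nick"
            status=1
        fi
    done
    return $status
}

# Constructed sample in the shape of the listings in this bug, abbreviated.
SAMPLE_SHA256='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=EXAMPLE.TEST"
        Subject: "CN=OCSP Subsystem,O=EXAMPLE.TEST"
    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption'

# Usage on a live IPA CA (path and nickname as in this bug):
#   certutil -L -d /var/lib/pki/pki-tomcat/alias/ -n 'ocspSigningCert cert-pki-ca' \
#     | check_sig_alg 'PKCS #1 SHA-512 With RSA Encryption' \
#     || echo 'OCSP signing cert was not signed with SHA-512'
#   audit_nssdb /var/lib/pki/pki-tomcat/alias/ 'PKCS #1 SHA-512 With RSA Encryption'
```

Run against the constructed sample, `check_sig_alg 'PKCS #1 SHA-512 With RSA Encryption'` fails, which is exactly the situation the reporter observed: the CA certificate took the SHA-512 option while the OCSP subsystem certificate was issued with the SHA-256 default.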
