Bug 1579384 - [RFE] add check for key usage Key Encipherment to katello-certs-check
Summary: [RFE] add check for key usage Key Encipherment to katello-certs-check
Alias: None
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Certificates
Version: 6.3.1
Hardware: x86_64
OS: Linux
medium vote
Target Milestone: 6.4.0
Assignee: Chris Roberts
QA Contact: Nikhil Kathole
URL: https://projects.theforeman.org/issue...
Depends On:
TreeView+ depends on / blocked
Reported: 2018-05-17 14:02 UTC by Paul Dudley
Modified: 2019-11-05 23:19 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-10-16 15:30:48 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Github Katello katello-installer pull 632 'None' 'closed' 'Fixes #22598 - add check for key usage Key Encipherment' 2019-11-14 23:05:07 UTC
Foreman Issue Tracker 22598 'Normal' 'Closed' 'Satellite 6: katello-certs-check does not ensures certificate has SubjectAltName' 2019-11-14 23:05:06 UTC
Red Hat Product Errata RHSA-2018:2927 None None None 2018-10-16 15:32:18 UTC

Description Paul Dudley 2018-05-17 14:02:58 UTC
Currently, using certs without Key Encipherment will pass katello-certs-check, but these certificates will ultimately fail when clients attempt to retrieve updates:

From a client update attempt:
https://satellite.example.com/pulp/repos/ORG/ENV/VIEW/content/dist/rhel/server/7/7Server/x86_64/optional/os/repodata/repomd.xml: [Errno 14] curl#60 - "Certificate key usage inadequate for attempted operation."

Certificates without Key Encipherment should fail in the certs check to avoid deployment of certs that ultimately fail when used.

Comment 5 Nikhil Kathole 2018-08-16 08:24:49 UTC

Version tested:
Satellite 6.4 snap 17

#  openssl x509 -text -in server.valid.crt -noout | grep -A1 "Key Usage"
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment

Checking server certificate's encoding: [OK]
Checking expiration of certificate: [OK]
Checking expiration of CA bundle: [OK]
Checking if server cert has CA:TRUE flag[OK]
Validating the certificate subject= /C=IN/ST=Maharashtra/L=Pune/O=redhat/OU=QE/CN=xyz/emailAddress=administrator@example.com
Checking to see if the private key matches the certificate: [OK]
Checking ca bundle against the cert file: [OK]
Checking Subject Alt Name on certificate[OK]
Checking Key Usage extension on certificate for Key Encipherment[OK]

Validation succeeded.

To install the Katello main server with the custom certificates, run:

    satellite-installer --scenario satellite\
                      --certs-server-cert "/root/server.valid.crt"\
                      --certs-server-key "/root/server.key"\
                      --certs-server-ca-cert "/root/rootCA.pem"

To update the certificates on a currently running Katello installation, run:

    satellite-installer --scenario satellite\
                      --certs-server-cert "/root/server.valid.crt"\
                      --certs-server-key "/root/server.key"\
                      --certs-server-ca-cert "/root/rootCA.pem"\
                      --certs-update-server --certs-update-server-ca

To use them inside a NEW $FOREMAN_PROXY, run this command:

    capsule-certs-generate --foreman-proxy-fqdn "$FOREMAN_PROXY"\
                                 --certs-tar  "~/$FOREMAN_PROXY-certs.tar"\
                                 --server-cert "/root/server.valid.crt"\
                                 --server-key "/root/server.key"\
                                 --server-ca-cert "/root/rootCA.pem"\

To use them inside an EXISTING $FOREMAN_PROXY, run this command INSTEAD:

    capsule-certs-generate --foreman-proxy-fqdn "$FOREMAN_PROXY"\
                                 --certs-tar  "~/$FOREMAN_PROXY-certs.tar"\
                                 --server-cert "/root/server.valid.crt"\
                                 --server-key "/root/server.key"\
                                 --server-ca-cert "/root/rootCA.pem"\

Comment 7 errata-xmlrpc 2018-10-16 15:30:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.