1579384 – [RFE] add check for key usage Key Encipherment to katello-certs-check

Bug 1579384 - [RFE] add check for key usage Key Encipherment to katello-certs-check

Summary: [RFE] add check for key usage Key Encipherment to katello-certs-check

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Satellite
Classification:	Red Hat
Component:	Certificates
Sub Component:
Version:	6.3.1
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	6.4.0
Assignee:	Chris Roberts
QA Contact:	Nikhil Kathole
Docs Contact:
URL:	https://projects.theforeman.org/issue...
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-05-17 14:02 UTC by Paul Dudley
Modified:	2024-02-28 20:32 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-10-16 15:30:48 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Foreman Issue Tracker	22598	Normal	Closed	Satellite 6: katello-certs-check does not ensures certificate has SubjectAltName	2021-01-29 06:31:58 UTC
Github	Katello katello-installer pull 632	'None'	closed	Fixes #22598 - add check for key usage Key Encipherment	2021-01-29 06:31:57 UTC
Red Hat Product Errata	RHSA-2018:2927	None	None	None	2018-10-16 15:32:18 UTC

Description Paul Dudley 2018-05-17 14:02:58 UTC

Currently, using certs without Key Encipherment will pass katello-certs-check, but these certificates will ultimately fail when clients attempt to retrieve updates:

From a client update attempt:
https://satellite.example.com/pulp/repos/ORG/ENV/VIEW/content/dist/rhel/server/7/7Server/x86_64/optional/os/repodata/repomd.xml: [Errno 14] curl#60 - "Certificate key usage inadequate for attempted operation."

Certificates without Key Encipherment should fail in the certs check to avoid deployment of certs that ultimately fail when used.

Comment 5 Nikhil Kathole 2018-08-16 08:24:49 UTC

VERIFIED

Version tested:
Satellite 6.4 snap 17

#  openssl x509 -text -in server.valid.crt -noout | grep -A1 "Key Usage"
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment


Checking server certificate's encoding: [OK]
Checking expiration of certificate: [OK]
Checking expiration of CA bundle: [OK]
Checking if server cert has CA:TRUE flag[OK]
Validating the certificate subject= /C=IN/ST=Maharashtra/L=Pune/O=redhat/OU=QE/CN=xyz/emailAddress=administrator
Checking to see if the private key matches the certificate: [OK]
Checking ca bundle against the cert file: [OK]
Checking Subject Alt Name on certificate[OK]
Checking Key Usage extension on certificate for Key Encipherment[OK]

Validation succeeded.

To install the Katello main server with the custom certificates, run:

    satellite-installer --scenario satellite\
                      --certs-server-cert "/root/server.valid.crt"\
                      --certs-server-key "/root/server.key"\
                      --certs-server-ca-cert "/root/rootCA.pem"

To update the certificates on a currently running Katello installation, run:

    satellite-installer --scenario satellite\
                      --certs-server-cert "/root/server.valid.crt"\
                      --certs-server-key "/root/server.key"\
                      --certs-server-ca-cert "/root/rootCA.pem"\
                      --certs-update-server --certs-update-server-ca

To use them inside a NEW $FOREMAN_PROXY, run this command:

    capsule-certs-generate --foreman-proxy-fqdn "$FOREMAN_PROXY"\
                                 --certs-tar  "~/$FOREMAN_PROXY-certs.tar"\
                                 --server-cert "/root/server.valid.crt"\
                                 --server-key "/root/server.key"\
                                 --server-ca-cert "/root/rootCA.pem"\

To use them inside an EXISTING $FOREMAN_PROXY, run this command INSTEAD:

    capsule-certs-generate --foreman-proxy-fqdn "$FOREMAN_PROXY"\
                                 --certs-tar  "~/$FOREMAN_PROXY-certs.tar"\
                                 --server-cert "/root/server.valid.crt"\
                                 --server-key "/root/server.key"\
                                 --server-ca-cert "/root/rootCA.pem"\
                                 --certs-update-server

Comment 7 errata-xmlrpc 2018-10-16 15:30:48 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:2927

Note You need to log in before you can comment on or make changes to this bug.