Bug 1581134 - ECC installation for non CA subsystems needs improvement [rhel-7.5.z]
Summary: ECC installation for non CA subsystems needs improvement [rhel-7.5.z]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.5
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Jack Magne
QA Contact: Asha Akkiangady
Docs Contact: Marc Muehlfeld
URL:
Whiteboard:
Depends On: 1568615
Blocks:
Reported: 2018-05-22 08:32 UTC by Oneata Mircea Teodor
Modified: 2022-07-09 09:39 UTC (History)

Fixed In Version: pki-core-10.5.1-12.el7_5
Doc Type: Bug Fix
Doc Text:
Previously, due to a bug in the Certificate System installation procedure, installing a Key Recovery Authority (KRA) with ECC keys failed. To fix the problem, the installation process has been updated to handle both RSA and ECC subsystems automatically. As a result, installing subsystems with ECC keys no longer fail.
Clone Of: 1568615
Environment:
Last Closed: 2018-06-26 16:47:59 UTC
Target Upstream Version:
Embargoed:

Links: Red Hat Product Errata RHSA-2018:1979 (last updated 2018-06-26 16:48:33 UTC)

Description Oneata Mircea Teodor 2018-05-22 08:32:40 UTC
This bug has been copied from bug #1568615 and has been proposed to be backported to 7.5 z-stream (EUS).

Comment 6 Asha Akkiangady 2018-05-30 17:34:20 UTC
The first step of subordinate CA ECC install is failing with the following error:

pkispawn    : INFO     ....... executing 'certutil -N -d /opt/ECC_SubCA/certs_db -f /opt/ECC_SubCA/ca/password.conf'
pkispawn    : INFO     ....... generating ca_signing CSR in ca_signing_ecc_subca_nontms.csr
pki.nssdb   : DEBUG    Command: openssl rand -out /tmp/tmpN78KVo/noise.bin 2048
pki.nssdb   : DEBUG    Command: certutil -R -d /var/lib/pki/rhcs93-ECC-NonTMS-SubCA-nocp11-aakkiang/alias -h NHSM6000-OCS -f /tmp/tmpRAKzv5/password.txt -s cn=CA Signing Certificate,ou=rhcs93-ECC-NonTMS-SubCA-nocp11-aakkiang,o=Example-ECC-SubCA -o /tmp/tmpN78KVo/request.bin -z /tmp/tmpN78KVo/noise.bin -k ec -q nistp256 -Z SHA256 --keyUsage certSigning,crlSigning,critical,digitalSignature,nonRepudiation -2
pkispawn    : DEBUG    ....... Error Type: Exception
pkispawn    : DEBUG    ....... Error Message: Failed to generate certificate request. RC: 255
pkispawn    : DEBUG    .......   File "/usr/sbin/pkispawn", line 534, in main
    scriptlet.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 1039, in spawn
    self.generate_system_cert_requests(deployer, nssdb, subsystem)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 340, in generate_system_cert_requests
    self.generate_ca_signing_csr(deployer, nssdb, subsystem)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 164, in generate_ca_signing_csr
    generic_exts=generic_exts
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 115, in generate_csr
    generic_exts=generic_exts)
  File "/usr/lib/python2.7/site-packages/pki/nssdb.py", line 417, in create_request
    'Failed to generate certificate request. RC: %d' % rc)


Installation failed: Failed to generate certificate request. RC: 255

================================================
SubCA's pkispawn config file:
[DEFAULT]
pki_instance_name=rhcs93-ECC-NonTMS-SubCA-aakkiang
pki_https_port=31443
pki_http_port=31080

#NSS DB Token Password
pki_hsm_enable=True
pki_hsm_libfile=/opt/nfast/toolkits/pkcs11/libcknfast.so
pki_hsm_modulename=nfast
pki_token_name=XXXXXXXX
pki_token_password=XXXXXXXX

pki_audit_signing_key_algorithm=SHA256withEC
pki_audit_signing_key_size=nistp256
pki_audit_signing_key_type=ecc
pki_audit_signing_signing_algorithm=SHA256withEC
pki_audit_signing_token=XXXXXXXX

pki_subsystem_key_algorithm=SHA256withEC
pki_subsystem_key_size=nistp256
pki_subsystem_key_type=ecc
pki_subsystem_signing_algorithm=SHA256withEC
pki_subsystem_token=XXXXXXXX
pki_subsystem_nickname=subsystemCert-NonTMS-SubCA-nocp11-aakkiang

pki_sslserver_key_algorithm=SHA256withEC
pki_sslserver_key_size=nistp256
pki_sslserver_key_type=ecc
pki_sslserver_signing_algorithm=SHA256withEC
pki_sslserver_token=XXXXXXXX
pki_sslserver_nickname=Server-Cert-NonTMS-SubCA-nocp11-aakkiang

#Admin
pki_admin_key_algorithm=SHA256withEC
pki_admin_key_size=nistp256
pki_admin_key_type=ecc
pki_admin_password=SECret.123

#Security Domain
pki_security_domain_hostname=XXXXXXXXXXXXXXXXXXXXXXX
pki_security_domain_name=Example-ECC-SubCA
pki_security_domain_password=SECret.123

#client Dir
pki_client_dir=/opt/ECC_SubCA
pki_client_admin_cert_p12=/opt/ECC_SubCA/subca_caadmincert.p12
pki_client_database_dir=/opt/ECC_SubCA/certs_db
pki_client_database_password=SECret.123
pki_client_pkcs12_password=SECret.123

#LDAP
pki_ds_ldap_port=1697
pki_ds_bind_dn=cn=Directory Manager
pki_ds_password=SECret.123
pki_ds_secure_connection=True
pki_ds_ldaps_port=7636
pki_ds_secure_connection_ca_pem_file=/tmp/ldap2ca_cert.pem
pki_ds_remove_data=True


[Tomcat]
pki_ajp_port=31009
pki_tomcat_server_port=31005

[CA]
pki_admin_nickname=PKI ECC SUBCA Administrator

pki_ca_signing_key_algorithm=SHA256withEC
pki_ca_signing_key_size=nistp256
pki_ca_signing_key_type=ecc
pki_ca_signing_signing_algorithm=SHA256withEC
pki_ca_signing_token=XXXXXXXX
pki_ca_signing_nickname=caSigningCert-ECC-NonTMS-SubCA-nocp11-aakkiang

pki_ocsp_signing_key_algorithm=SHA256withEC
pki_ocsp_signing_key_size=nistp256
pki_ocsp_signing_key_type=ecc
pki_ocsp_signing_signing_algorithm=SHA256withEC
pki_ocsp_signing_token=XXXXXXXX
pki_ocsp_signing_nickname=ocspSigningCert-ECC-NonTMS-SubCA-nocp11-aakkiang

pki_audit_signing_nickname=auditSigningCert-NonTMS-SubCA-nocp11-aakkiang

pki_admin_name=caadmin
pki_admin_uid=caadmin
pki_admin_email=example

pki_import_admin_cert=False

pki_ds_hostname=XXXXXXXXXXXXXXXXXXXXXXX
pki_ds_database=CC-ECC-NonTMS-SECOND-LDAP
pki_ds_base_dn=dc=ECC-NonTMS-SubCA

pki_external=True
pki_external_step_two=False
pki_ca_signing_csr_path=ca_signing_ecc_subca_nontms.csr

# Enable random serial numbers
pki_random_serial_numbers_enable=True
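
The Doc Text above describes the fix as making the installer handle both RSA and ECC subsystems, and the log in this comment shows the ECC form of the `certutil -R` call (`-k ec -q nistp256`). The following added example (not pki-core's code; the function names `load_config`, `key_spec` and `certutil_request_args` are hypothetical) reads a pkispawn-style configuration using the parameter names quoted here, checks that each system certificate's `key_type`, `key_size` and `key_algorithm` agree with one another, and builds the `certutil -R` argument list with the ECC or RSA key options chosen from the configuration rather than assumed. The sample configuration is constructed, with placeholder values:

```python
"""Key-type-aware certutil request builder.

Added example, not pki-core's installer code.  It models the class of
defect in this bug: an installer that assumes RSA when generating
system-certificate CSRs breaks as soon as a subsystem uses ECC keys.
Helper names are hypothetical; the pki_* parameter names follow the
pkispawn configuration quoted in the bug.
"""
import configparser
import shlex

# Constructed sample in pkispawn's INI layout ([DEFAULT] applies to all
# sections); values are placeholders, not a real deployment.
SAMPLE_CONFIG = """\
[DEFAULT]
pki_instance_name=example-ecc-ca
pki_token_name=internal

pki_sslserver_key_algorithm=SHA256withEC
pki_sslserver_key_size=nistp256
pki_sslserver_key_type=ecc
pki_sslserver_nickname=Server-Cert

pki_subsystem_key_algorithm=SHA256withRSA
pki_subsystem_key_size=2048
pki_subsystem_key_type=rsa
pki_subsystem_nickname=subsystemCert

[CA]
pki_ca_signing_key_algorithm=SHA256withEC
pki_ca_signing_key_size=nistp256
pki_ca_signing_key_type=ecc
pki_ca_signing_nickname=caSigningCert
"""

# Curve names certutil accepts via -q and that pkispawn uses as key_size.
EC_CURVES = {"nistp256", "nistp384", "nistp521"}


def load_config(text):
    """Parse pkispawn-style INI text; interpolation is off so '%' is literal."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def key_spec(cfg, section, cert):
    """Return (key_type, key_size, hash_alg) for one system cert, validated.

    Rejects the mixed configurations that would otherwise surface later
    as an opaque 'Failed to generate certificate request' from certutil.
    """
    ktype = cfg.get(section, f"pki_{cert}_key_type").lower()
    ksize = cfg.get(section, f"pki_{cert}_key_size")
    kalg = cfg.get(section, f"pki_{cert}_key_algorithm")
    hash_alg, _, sig_family = kalg.partition("with")  # e.g. SHA256 / EC
    if ktype == "ecc":
        if ksize not in EC_CURVES or sig_family != "EC":
            raise ValueError(f"{cert}: ECC key needs a curve name and a *withEC algorithm")
    elif ktype == "rsa":
        if not ksize.isdigit() or sig_family != "RSA":
            raise ValueError(f"{cert}: RSA key needs a bit length and a *withRSA algorithm")
    else:
        raise ValueError(f"{cert}: unknown key type {ktype!r}")
    return ktype, ksize, hash_alg


def certutil_request_args(cfg, section, cert, nssdb, subject, out_path):
    """Build the certutil -R argument list for one system certificate.

    ECC keys get '-k ec -q CURVE'; RSA keys get '-k rsa -g BITS'.  The
    hash for -Z is taken from the configured key algorithm.
    """
    ktype, ksize, hash_alg = key_spec(cfg, section, cert)
    args = ["certutil", "-R", "-d", nssdb, "-s", subject, "-o", out_path, "-Z", hash_alg]
    token = cfg.get(section, "pki_token_name", fallback="")
    if token and token.lower() != "internal":
        args += ["-h", token]  # HSM token, as in the bug's nfast setup
    if ktype == "ecc":
        args += ["-k", "ec", "-q", ksize]
    else:
        args += ["-k", "rsa", "-g", ksize]
    return args


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    for cert in ("ca_signing", "sslserver", "subsystem"):
        args = certutil_request_args(cfg, "CA", cert, "/path/to/alias",
                                     f"cn={cert}", f"/tmp/{cert}.bin")
        print(shlex.join(args))
```

The check in `key_spec` is the part worth keeping around as a pre-flight test on a pkispawn configuration: it catches a `key_type=ecc` entry paired with an RSA bit length or a `*withRSA` algorithm before any CSR is attempted.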

Comment 7 Asha Akkiangady 2018-05-30 18:06:32 UTC
A separate bug filed for the above issue, https://bugzilla.redhat.com/show_bug.cgi?id=1544843

Marking this bug ON_QA.

Comment 8 Amol K 2018-06-15 15:51:54 UTC
I'm successfully able to install CA, KRA, OCSP and able to do key archival.

But after TKS installation I'm able to see this issue: https://bugzilla.redhat.com/show_bug.cgi?id=1588411

Because of this issue I'm not able to install TPS.

Currently marking this bug verified for CA, KRA, OCSP.

PKI Version: 10.5.1-13.1.el7_5

Comment 10 errata-xmlrpc 2018-06-26 16:47:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:1979
