Bug 1581135 - SAN in internal SSL server certificate in pkispawn configuration step [rhel-7.5.z]
Summary: SAN in internal SSL server certificate in pkispawn configuration step [rhel-7...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.6
Hardware: All
OS: Linux
high
high
Target Milestone: rc
: ---
Assignee: Christina Fu
QA Contact: Asha Akkiangady
Marc Muehlfeld
URL:
Whiteboard:
Depends On: 1562423
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-05-22 08:33 UTC by Oneata Mircea Teodor
Modified: 2018-06-26 16:48 UTC (History)
5 users (show)

Fixed In Version: pki-core-10.5.1-12.el7_5
Doc Type: Enhancement
Doc Text:
With this update, Certificate System adds the Subject Alternative Name (SAN) extension by default to server certificates and sets it to the Common Name (CN) of the certificate.
Clone Of: 1562423
Environment:
Last Closed: 2018-06-26 16:47:59 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:1979 None None None 2018-06-26 16:48:33 UTC
Fedora Pagure 2979 None None None 2018-05-22 08:33:51 UTC

Description Oneata Mircea Teodor 2018-05-22 08:33:49 UTC
This bug has been copied from bug #1562423 and has been proposed to be backported to 7.5 z-stream (EUS).

Comment 2 Matthew Harmsen 2018-05-22 14:25:29 UTC
 Christina Fu 2018-05-18 21:35:12 EDT

Test Procedure:

* Install a CA (with single step pkispawn is good): When complete, check that its SSL server cert bears the Subject Alternative Name (SAN) extension that matches the CN of the cert.

* Install a KRA (on a separate Tomcat instance; (with single step pkispawn is good)): When complete, check that its SSL SSL server cert bears the Subject Alternative Name (SAN) extension that matches the CN of the cert.

* You could test install another subsystem (e.g. subCA) and do the same check.
It should be enough, as far as installation goes.

* Since I changed all *Server* profiles (not limited to the
   *InternalAuthServerCert* ones), you can manually test those too.

* Note that it appears that I have added the changes to the caCMC*server* ones previously.  You could go through CMC enrollment procedure and check them as well.

Comment 3 Matthew Harmsen 2018-05-22 14:49:21 UTC
commit 7eae0d840c1b7494db2cea67744366fe409eafea (HEAD -> DOGTAG_10_5_BRANCH, ori
gin/DOGTAG_10_5_BRANCH)
Author: Christina Fu <cfu@redhat.com>
Date:   Thu May 17 19:36:10 2018 -0700

    Ticket #2995 SAN in internal SSL server certificate in pkispawn configuratio
n step
    
    This patch adds CommonNameToSANDefault to all server profiles so that
    SAN will be placed in server certs by default.
    For more flexible SAN or multi-value SAN, SubjectAltNameExtDefault
    will have to be used instead.
    
    fixes: https://pagure.io/dogtagpki/issue/2995
    
    Change-Id: I66556f2cb8ed4e1cbe2d0949c5848c6978ea9641

Comment 7 Sumedh Sidhaye 2018-05-29 05:22:17 UTC
Build used for verification:

[root@pki1 ~]# rpm -qi pki-base
Name        : pki-base
Version     : 10.5.1
Release     : 12.el7_5
Architecture: noarch
Install Date: Thursday 24 May 2018 11:50:10 PM EDT
Group       : System Environment/Base
Size        : 2121862
License     : GPLv2
Signature   : (none)
Source RPM  : pki-core-10.5.1-12.el7_5.src.rpm
Build Date  : Wednesday 23 May 2018 11:58:47 AM EDT
Build Host  : ppc-021.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - PKI Framework



Certificate information for CA

Subject: CN=pki1.example.com,OU=topology-02-CA,O=topology-02_Foobarmaster.org


Identifier: Subject Alternative Name - 2.5.29.17
    Critical: no 
    Value: 
        DNSName: pki1.example.com


===========================


Certificate information for KRA

Subject: CN=pki1.example.com,OU=topology-02-KRA,O=topology-02_Foobarmaster.org

Identifier: Subject Alternative Name - 2.5.29.17
    Critical: no 
    Value: 
        DNSName: pki1.example.com


==============================


Certificate information for Sub CA

Subject: CN=pki1.example.com,OU=topology-02-Sub-CA,O=topology-02_Foobarmaster.org

Identifier: Subject Alternative Name - 2.5.29.17
    Critical: no 
    Value: 
        DNSName: pki1.example.com

Comment 8 Sumedh Sidhaye 2018-05-29 10:02:05 UTC
Certificate information using CMC enrollment:

Subject: CN=nocp4.idm.lab.eng.rdu2.redhat.com,OU=pki-tomcate,O=mySecurityDomain

Identifier: Subject Alternative Name - 2.5.29.17
    Critical: no 
    Value: 
        DNSName: nocp4.idm.lab.eng.rdu2.redhat.com

Comment 10 errata-xmlrpc 2018-06-26 16:47:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:1979


Note You need to log in before you can comment on or make changes to this bug.