Bug 1656297
| Summary: | Unable to install with admin-generated keys [rhel-7.6.z] | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | RAD team bot copy to z-stream <autobot-eus-copy> |
| Component: | pki-core | Assignee: | Endi Sukma Dewata <edewata> |
| Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang> |
| Severity: | high | Docs Contact: | Marc Muehlfeld <mmuehlfe> |
| Priority: | high | ||
| Version: | 7.5 | CC: | aakkiang, cpelland, edewata, lmiksik, mharmsen, msauton, rpattath |
| Target Milestone: | rc | Keywords: | TestCaseProvided, ZStream |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | pki-core-10.5.9-8.el7_6 | Doc Type: | Enhancement |
| Doc Text: | Previously, during a Certificate System installation, the pkispawn utility only supported creating new keys and importing existing keys for system certificates. With this enhancement, pkispawn now supports using keys the administrator generates directly in the NSS database during certificate authority (CA), key recovery authority (KRA), and online certificate status protocol (OCSP) installations. | Story Points: | --- |
| Clone Of: | 1616134 | Environment: | |
| Last Closed: | 2019-01-29 17:21:57 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1616134 | ||
| Bug Blocks: | |||
|
Description
RAD team bot copy to z-stream
2018-12-05 07:53:56 UTC
Test Procedure: See https://bugzilla.redhat.com/show_bug.cgi?id=1616134#c5
DOGTAG_10_5_9_RHEL_BRANCH:
commit 0115c05727962dac2bdb3865388144315719a0b0
Author: Endi S. Dewata <edewata>
Date: Fri Aug 24 03:36:15 2018 +0200
Added docs for installation with custom keys
https://pagure.io/dogtagpki/issue/3053
Change-Id: I8f8fdbb7cc1888092bd7ba686a626137113ed2d5
(cherry picked from commit a8405a1f8bd4c3fd10213725a32da0419e622252)
commit 4886a7f4fa3678cd26c7c38c5140784dc53b76b5
Author: Endi S. Dewata <edewata>
Date: Tue Oct 2 18:11:43 2018 +0200
Updated pki-server subsystem-cert-validate output
The pki-server subsystem-cert-validate CLI has been modified to
show the actual message generated by NSS if the validation fails.
(cherry picked from commit eb8baf8b51e3c897caddbc16df2fd226308a0876)
commit a3d27ed43b9c119cfaff100573d89c2caa08e3b7
Author: Endi S. Dewata <edewata>
Date: Fri Sep 7 16:32:47 2018 +0200
Fixed password generation in pkispawn
Previously the NSS database passwords were generated in
pkiparser.py. Under certain scenarios the password may be
overwritten by subsequent code in pkispawn. To avoid the
problem the code that generates the NSS database passwords
has been moved into the initialization scriptlet.
https://pagure.io/dogtagpki/issue/3061
Change-Id: Ieabfaea7465b615f214820d2ed877f4da589dadb
(cherry picked from commit 9a984ee0a709645fe9b6044367ed28076692ee86)
commit ea9b582909d10d8f6c485860615319b6f6c31741
Author: Endi S. Dewata <edewata>
Date: Fri Aug 31 00:32:44 2018 +0200
Renamed server NSS database parameters
The following parameters have been renamed for consistency:
* pki_database_path -> pki_server_database_path
* pki_pin -> pki_server_database_password
The old parameters are still usable but they have been
deprecated.
The pki_client_pin is redundant so it has been removed.
https://pagure.io/dogtagpki/issue/3053
Change-Id: I243a01b360f573a16a160e9a415f786e38681603
(cherry picked from commit 80defb1b7602eb59f5ee817a76acac86490ce853)
commit 6c7079adf8878a2c799cd716c3df9ec75816accd
Author: Endi S. Dewata <edewata>
Date: Thu Aug 23 06:10:44 2018 +0200
Fixed pki client-cert-import to accept PKCS #7 CA cert chain
The NSSDatabase.add_cert() has been modified to accept both single
certificates and PKCS #7 certificate chains in PEM format.
The pki client-cert-import has been modified to support importing
CA cert chain in PKCS #7 format.
The Cert.parseCertificate() has been modified to parse PKCS #7
cert chain properly.
https://pagure.io/dogtagpki/issue/3053
Change-Id: Ibeffcfa4915638df7b13a0cb6deb8c4afc775ca1
(cherry picked from commit 9cef57869f01e89653331c0e22c9d3bacf7744ce)
commit e3b8099fb20b6806020bab1a1687340da643eacf
Author: Endi S. Dewata <edewata>
Date: Tue Aug 21 20:01:30 2018 +0200
Fixed messages for installation with custom keys
The pkispawn has been modified to display the proper message
for installation with custom keys where the CSRs will not be
generated.
https://pagure.io/dogtagpki/issue/3053
Change-Id: Ibd0ae62c88c2b10520231de3e485e305c715218c
(cherry picked from commit e50f3b0b6034c2c18a0775f2e91fd2e5ea21678f)
commit e2563b186203e5e89d281ff5c39ca182f62cfefa
Author: Endi S. Dewata <edewata>
Date: Tue Aug 21 01:03:11 2018 +0200
Added support for installation with custom CSRs
The installation code has been modified to import custom
CSRs for KRA and OCSP system certificates if provided. The
CA installation already supports this functionality.
https://pagure.io/dogtagpki/issue/3053
Change-Id: Ic6a7a462bf07f2ca07275a01fc04b8d194005188
(cherry picked from commit 88271a9b3d829669fb997ee6158081da18faed97)
commit b9867142f4971a98b6c79ba16788db8829dfd79d
Author: Endi S. Dewata <edewata>
Date: Mon Aug 20 23:14:25 2018 +0200
Removed default CSR paths
The default.cfg has been modified to remove default CSR paths.
The verify_predefined_configuration_file_data() has been modified
to no longer require CSR path parameters in the first step of
external CA scenario.
https://pagure.io/dogtagpki/issue/3053
Change-Id: Idef6849b8bd7ee00d13151e0de10357a1f1d9ef2
(cherry picked from commit f3dc6c79370d8b57362272c40bd9f67aaf791710)
commit 2a0d9c8c8ee7333198a8f5cb09c988eeeb3d528f
Author: Endi S. Dewata <edewata>
Date: Wed Aug 22 00:02:03 2018 +0200
Updated pki.nssdb to support multiple CSR delimiter types
The pki.nssdb module has been modified to support both standard
and legacy CSR delimiters as defined in RFC 7468.
https://pagure.io/dogtagpki/issue/3053
Change-Id: I609d640a66357f5293ff3a565027c1a395a47db7
(cherry picked from commit 8bf25507886c446594fa1bd82e3040ab79b271b3)
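
The last commit above concerns the two CSR delimiters in RFC 7468: the standard `CERTIFICATE REQUEST` label and the legacy `NEW CERTIFICATE REQUEST` label. The following is an added example, not Dogtag's `pki.nssdb` code, of a parser that accepts both and re-emits the standard form; the function names and the 5-byte sample DER are constructed for illustration, and only the PEM framing is checked, not the PKCS #10 structure.

```python
import base64
import binascii
import re

# RFC 7468 section 7: "CERTIFICATE REQUEST" is the standard label;
# "NEW CERTIFICATE REQUEST" is the legacy label parsers should also accept.
STANDARD_LABEL = "CERTIFICATE REQUEST"
CSR_LABELS = (STANDARD_LABEL, "NEW CERTIFICATE REQUEST")

_PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END ([A-Z0-9 ]+)-----",
    re.DOTALL,
)

# Constructed placeholder DER (SEQUENCE { INTEGER 0 }), not a real CSR.
SAMPLE_DER = bytes.fromhex("3003020100")


def make_sample(label):
    """Build a constructed PEM block around SAMPLE_DER with the given label."""
    b64 = base64.b64encode(SAMPLE_DER).decode("ascii")
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, b64, label)


def extract_csr_der(pem_text):
    """Return the DER bytes of the first CSR block, under either label."""
    for begin, body, end in _PEM_RE.findall(pem_text):
        if begin not in CSR_LABELS:
            continue  # some other PEM object, e.g. a certificate
        if begin != end:
            raise ValueError("BEGIN/END labels differ: %r vs %r" % (begin, end))
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError("CSR body is not valid base64") from exc
        if not der or der[0] != 0x30:  # DER-encoded CSR starts with SEQUENCE
            raise ValueError("CSR body is not a DER SEQUENCE")
        return der
    raise ValueError("no CSR block found")


def normalize_csr_pem(pem_text):
    """Re-emit a CSR with the standard label and 64-character lines."""
    b64 = base64.b64encode(extract_csr_der(pem_text)).decode("ascii")
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (
        STANDARD_LABEL, lines, STANDARD_LABEL)
```
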
CA, KRA, OCSP and KRA installation with admin generated keys for RSA and ECC is successful. Marking the bug verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:0168