Bug 1656297 - Unable to install with admin-generated keys [rhel-7.6.z]
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.5
Hardware: All
OS: Linux
Target Milestone: rc
Assignee: Endi Sukma Dewata
QA Contact: Asha Akkiangady
Marc Muehlfeld
Depends On: 1616134
Reported: 2018-12-05 07:53 UTC by RAD team bot copy to z-stream
Modified: 2019-01-29 17:22 UTC

Fixed In Version: pki-core-10.5.9-8.el7_6
Doc Type: Enhancement
Doc Text:
Previously, during a Certificate System installation, the pkispawn utility only supported creating new keys and importing existing keys for system certificates. With this enhancement, pkispawn now supports using keys the administrator generates directly in the NSS database during certificate authority (CA), key recovery authority (KRA), and online certificate status protocol (OCSP) installations.
Clone Of: 1616134
Last Closed: 2019-01-29 17:21:57 UTC

Links: Red Hat Product Errata RHBA-2019:0168 (Private: 0; Priority: None; Status: None; Summary: None; Last Updated: 2019-01-29 17:22:00 UTC)

Description RAD team bot copy to z-stream 2018-12-05 07:53:56 UTC
This bug has been copied from bug #1616134 and has been proposed to be backported to 7.6 z-stream (EUS).

Comment 2 Matthew Harmsen 2018-12-05 15:42:13 UTC
Test Procedure:

See https://bugzilla.redhat.com/show_bug.cgi?id=1616134#c5

Comment 3 Matthew Harmsen 2018-12-05 19:11:00 UTC

commit 0115c05727962dac2bdb3865388144315719a0b0
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Fri Aug 24 03:36:15 2018 +0200

    Added docs for installation with custom keys
    Change-Id: I8f8fdbb7cc1888092bd7ba686a626137113ed2d5
    (cherry picked from commit a8405a1f8bd4c3fd10213725a32da0419e622252)

commit 4886a7f4fa3678cd26c7c38c5140784dc53b76b5
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Tue Oct 2 18:11:43 2018 +0200

    Updated pki-server subsystem-cert-validate output
    The pki-server subsystem-cert-validate CLI has been modified to
    show the actual message generated by NSS if the validation fails.
    (cherry picked from commit eb8baf8b51e3c897caddbc16df2fd226308a0876)

commit a3d27ed43b9c119cfaff100573d89c2caa08e3b7
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Fri Sep 7 16:32:47 2018 +0200

    Fixed password generation in pkispawn
    Previously the NSS database passwords were generated in
    pkiparser.py. Under certain scenarios the password may be
    overwritten by a subsequent code in pkispawn. To avoid the
    problem the code that generates the NSS database passwords
    has been moved into the initialization scriptlet.
    Change-Id: Ieabfaea7465b615f214820d2ed877f4da589dadb
    (cherry picked from commit 9a984ee0a709645fe9b6044367ed28076692ee86)

commit ea9b582909d10d8f6c485860615319b6f6c31741
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Fri Aug 31 00:32:44 2018 +0200

    Renamed server NSS database parameters
    The following parameters have been renamed for consistency:
    * pki_database_path -> pki_server_database_path
    * pki_pin -> pki_server_database_password
    The old parameters are still usable but they have been
    The pki_client_pin is redundant so it has been removed.
    Change-Id: I243a01b360f573a16a160e9a415f786e38681603
    (cherry picked from commit 80defb1b7602eb59f5ee817a76acac86490ce853)

commit 6c7079adf8878a2c799cd716c3df9ec75816accd
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Thu Aug 23 06:10:44 2018 +0200

    Fixed pki client-cert-import to accept PKCS #7 CA cert chain
    The NSSDatabase.add_cert() has been modified to accept both single
    certificates and PKCS #7 certificate chains in PEM format.
    The pki client-cert-import has been modified to support importing
    CA cert chain in PKCS #7 format.
    The Cert.parseCertificate() has been modified to parse PKCS #7
    cert chain properly.
    Change-Id: Ibeffcfa4915638df7b13a0cb6deb8c4afc775ca1
    (cherry picked from commit 9cef57869f01e89653331c0e22c9d3bacf7744ce)

commit e3b8099fb20b6806020bab1a1687340da643eacf
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Tue Aug 21 20:01:30 2018 +0200

    Fixed messages for installation with custom keys
    The pkispawn has been modified to display the proper message
    for installation with custom keys where the CSRs will not be
    Change-Id: Ibd0ae62c88c2b10520231de3e485e305c715218c
    (cherry picked from commit e50f3b0b6034c2c18a0775f2e91fd2e5ea21678f)

commit e2563b186203e5e89d281ff5c39ca182f62cfefa
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Tue Aug 21 01:03:11 2018 +0200

    Added support for installation with custom CSRs
    The installation code has been modified to import custom
    CSRs for KRA and OCSP system certificates if provided. The
    CA installation already supports this functionality.
    Change-Id: Ic6a7a462bf07f2ca07275a01fc04b8d194005188
    (cherry picked from commit 88271a9b3d829669fb997ee6158081da18faed97)

commit b9867142f4971a98b6c79ba16788db8829dfd79d
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Mon Aug 20 23:14:25 2018 +0200

    Removed default CSR paths
    The default.cfg has been modified to remove default CSR paths.
    The verify_predefined_configuration_file_data() has been modified
    to no longer require CSR path parameters in the first step of
    external CA scenario.
    Change-Id: Idef6849b8bd7ee00d13151e0de10357a1f1d9ef2
    (cherry picked from commit f3dc6c79370d8b57362272c40bd9f67aaf791710)

commit 2a0d9c8c8ee7333198a8f5cb09c988eeeb3d528f
Author: Endi S. Dewata <edewata@redhat.com>
Date:   Wed Aug 22 00:02:03 2018 +0200

    Updated pki.nssdb to support multiple CSR delimiters types
    The pki.nssdb module has been modified to support both standard
    and legacy CSR delimiters as defined in RFC 7468.
    Change-Id: I609d640a66357f5293ff3a565027c1a395a47db7
    (cherry picked from commit 8bf25507886c446594fa1bd82e3040ab79b271b3)
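
Added example, not part of the bug report and not the pki.nssdb code: one way to accept both CSR labels from RFC 7468 section 7, the standard "CERTIFICATE REQUEST" and the legacy "NEW CERTIFICATE REQUEST", as the last commit above describes. The function names and the sample block are constructed for illustration.

```python
import base64
import binascii
import re

# RFC 7468 section 7: "CERTIFICATE REQUEST" is the standard label;
# "NEW CERTIFICATE REQUEST" is the legacy one that parsers may also accept.
CSR_LABELS = ("CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST")

_PEM_RE = re.compile(
    r"-----BEGIN (?P<begin>[A-Z0-9 ]+)-----\s*"
    r"(?P<body>[A-Za-z0-9+/=\s]*?)"
    r"-----END (?P<end>[A-Z0-9 ]+)-----"
)

def parse_csr_pem(text):
    """Return (label, der_bytes) for the first PEM block, which must be a CSR."""
    match = _PEM_RE.search(text)
    if match is None:
        raise ValueError("no PEM block found")
    label = match.group("begin")
    if label != match.group("end"):
        raise ValueError("BEGIN/END labels do not match")
    if label not in CSR_LABELS:
        raise ValueError("not a CSR block: %r" % label)
    b64 = "".join(match.group("body").split())
    try:
        der = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("invalid base64 in CSR body") from exc
    if not der:
        raise ValueError("empty CSR body")
    return label, der

def normalize_csr_pem(text):
    """Re-emit the CSR with the standard label and 64-character lines."""
    _, der = parse_csr_pem(text)
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(
        ["-----BEGIN CERTIFICATE REQUEST-----"] + lines
        + ["-----END CERTIFICATE REQUEST-----"]) + "\n"

# Constructed sample: the body is placeholder bytes, not a real PKCS #10 request.
SAMPLE_DER = b"\x30\x03\x02\x01\x00"
LEGACY_PEM = ("-----BEGIN NEW CERTIFICATE REQUEST-----\nMAMCAQA=\n"
              "-----END NEW CERTIFICATE REQUEST-----\n")
```

Rejecting a block whose BEGIN and END labels differ keeps a concatenated or truncated file from being silently accepted as a single request.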

Comment 7 Asha Akkiangady 2019-01-18 18:41:27 UTC
CA, KRA, OCSP and KRA installation with admin generated keys for RSA and ECC is successful.

Marking the bug verified.

Comment 9 errata-xmlrpc 2019-01-29 17:21:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

