1669257 – [RFE] Offline Certificate Renewal System

Bug 1669257 - [RFE] Offline Certificate Renewal System

Summary: [RFE] Offline Certificate Renewal System

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	pki-core
Sub Component:
Version:	8.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	urgent
Severity:	urgent
Target Milestone:	rc
Target Release:	8.0
Assignee:	Dinesh Prasanth
QA Contact:	Asha Akkiangady
Docs Contact:	Marc Muehlfeld
URL:
Whiteboard:
Duplicates (1):	1403016 (view as bug list)
Depends On:	1468348 1690191 1696849
Blocks:	1644708 1472344 1550132
TreeView+	depends on / blocked

Reported:	2019-01-24 18:53 UTC by Matthew Harmsen
Modified:	2019-06-14 01:20 UTC (History)
CC List:	4 users (show)
Fixed In Version:	pki-core-10.6-820181130193715.5a87be8a
Doc Type:	Enhancement
Doc Text:	.Certificate System now supports offline renewal of system certificates With this enhancement, administrators can use the offline renewal feature to renew system certificates configured in Certificate System. When a system certificate expires, Certificate System fails to start. As a result of the enhancement, administrators no longer need workarounds to replace an expired system certificate.
Clone Of:	1468348
Environment:
Last Closed:	2019-06-14 01:20:24 UTC
Type:	Bug
Target Upstream Version:
Dependent Products:

Attachments	(Terms of Use)
Verified Steps (19.23 KB, text/plain) 2019-02-20 06:51 UTC, Sudhir Menon	no flags	Details
Add an attachment (proposed patch, testcase, etc.)

Comment 1 Dinesh Prasanth 2019-01-24 19:33:38 UTC

This feature must be available since v10.6.8

Steps for verification:
=======================
1. Install CA, KRA
2. Renew ca-admin beyond system cert's expiration date
3. Import new admin cert into client NSS Db and also add it to the LDAP (NOTE: LDAP Accepts only valid certs. If the cert is not yet valid, an error is thrown)
4. Change the system date beyond system cert's expiration date
5. Run `pki-server cert-fix --cert <cert_id>  # To renew 1 cert 
   OR
   Run `pki-server cert-fix` # To renew ALL certs 
6. Check whether the PKI server is up

NOTE: `pki-server cert-find` should give you a list of all available <cert_ID>s available in the system

To import admin cert into client NSS DB and LDAP, you can refer the upstream docs:
https://www.dogtagpki.org/wiki/PKI_Client_CLI
https://www.dogtagpki.org/wiki/PKI_User_Certificate_CLI

Comment 7 Sudhir Menon 2019-02-20 06:45:30 UTC

Fix is seen. 

Verified using 
[root@pki test]# cat /etc/redhat-release 
Red Hat Enterprise Linux release 8.0 Beta (Ootpa)

[root@pki test]# rpm -qa | grep pki
pki-base-10.6.9-2.module+el8+2728+a4ad6bba.noarch
pki-base-java-10.6.9-2.module+el8+2728+a4ad6bba.noarch
pki-servlet-container-9.0.7-13.module+el8+2468+c564cec5.noarch
python3-pki-10.6.9-2.module+el8+2728+a4ad6bba.noarch
pki-symkey-10.6.9-2.module+el8+2728+a4ad6bba.x86_64
pki-tools-10.6.9-2.module+el8+2728+a4ad6bba.x86_64
pki-ca-10.6.9-2.module+el8+2728+a4ad6bba.noarch
pki-servlet-4.0-api-9.0.7-13.module+el8+2468+c564cec5.noarch
pki-server-10.6.9-2.module+el8+2728+a4ad6bba.noarch

Comment 8 Sudhir Menon 2019-02-20 06:51:44 UTC

Created attachment 1536592 [details]
Verified Steps

Comment 9 Sudhir Menon 2019-02-20 06:53:08 UTC

Marking the bug as VERIFIED as per comment #7 and #8.

Comment 10 Dinesh Prasanth 2019-02-20 08:56:00 UTC

Corner cases identified:
========================

1. PKI server needs to operate on default secure port 8443 for the `cert-fix` tool to submit system certificates renewal request.

Sol: The port is hardcoded: https://github.com/dogtagpki/pki/blob/master/base/server/python/pki/server/__init__.py#L378   We can modify the code to accept a port number via `-p <port>` option.

2. While running the `cert-fix` tool, we saw the following error.


````
[root@master test]# pki-server cert-fix -d . -c Secret123 -n caadmin2 --cert sslserver -i topology-02-CA
ERROR: HTTPSConnectionPool(host='master.rhel80.test', port=8443): Max retries exceeded with url: /ca/rest/certrequests/profiles/caManualRenewal (Caused by SSLError(SSLError(185073780, '[X509: KEY_VALUES_MISMATCH] key values mismatch (_ssl.c:3550)'),))

````

This error was seen only when `Root CA signing` cert was imported into the client NSS db.

Comment 11 Dinesh Prasanth 2019-02-27 12:10:05 UTC

To track corner cases, a new BZ has been filed: https://bugzilla.redhat.com/show_bug.cgi?id=1679480

Comment 14 Matthew Harmsen 2019-06-10 23:47:11 UTC

*** Bug 1403016 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.