Bug 1669257

Summary: [RFE] Offline Certificate Renewal System
Product: Red Hat Enterprise Linux 8
Reporter: Matthew Harmsen <mharmsen>
Component: pki-core
Assignee: Dinesh Prasanth <dmoluguw>
Status: CLOSED CURRENTRELEASE
QA Contact: Asha Akkiangady <aakkiang>
Severity: urgent
Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: urgent
Version: 8.0
CC: cpelland, dmoluguw, ftweedal, sumenon
Target Milestone: rc
Keywords: FutureFeature, TestCaseProvided
Target Release: 8.0
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: pki-core-10.6-820181130193715.5a87be8a
Doc Type: Enhancement
Doc Text:
Certificate System now supports offline renewal of system certificates
With this enhancement, administrators can use the offline renewal feature to renew system certificates configured in Certificate System. When a system certificate expires, Certificate System fails to start. As a result of the enhancement, administrators no longer need workarounds to replace an expired system certificate.
Story Points: ---
Clone Of: 1468348
Environment:
Last Closed: 2019-06-14 01:20:24 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1468348, 1690191, 1696849
Bug Blocks: 1472344, 1550132, 1644708
Attachments: Verified Steps (flags: none)

Comment 1 Dinesh Prasanth 2019-01-24 19:33:38 UTC
This feature must be available since v10.6.8

Steps for verification:
=======================
1. Install CA, KRA
2. Renew ca-admin beyond system cert's expiration date
3. Import new admin cert into client NSS DB and also add it to the LDAP (NOTE: LDAP accepts only valid certs. If the cert is not yet valid, an error is thrown)
4. Change the system date beyond system cert's expiration date
5. Run `pki-server cert-fix --cert <cert_id>`  # To renew 1 cert
   OR
   Run `pki-server cert-fix`  # To renew ALL certs
6. Check whether the PKI server is up

NOTE: `pki-server cert-find` should give you a list of all available <cert_ID>s available in the system

To import the admin cert into the client NSS DB and LDAP, you can refer to the upstream docs:
https://www.dogtagpki.org/wiki/PKI_Client_CLI
https://www.dogtagpki.org/wiki/PKI_User_Certificate_CLI
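
The verification steps above deliberately let a system certificate expire to exercise the offline `cert-fix` path. In production the complementary control is a scheduled check that flags system certificates before they expire, since, as the Doc Text notes, the server no longer starts once one has. The following Python is an added example for this bug report, not part of pki-server or of the upstream Dogtag code: it reads the validity period straight out of a DER-encoded certificate using only the standard library, so it can be pointed at certificates exported from the instance NSS database (the export command assumed here, `certutil -L -d <alias dir> -n <nickname> -r`, and the `warn_days` threshold are assumptions, not from the page). The certificates, nicknames and dates in `sample_certs()` are constructed stand-ins with the real field layout but no key or signature.

```python
"""Pre-expiry check for PKI system certificates, standard library only.

Added example for this bug report; not part of pki-server.
Feed it DER-encoded certificates (assumed export: certutil -L -d <alias dir> -n <nick> -r)
and it reports which are expired or about to expire, so the offline
`pki-server cert-fix` path is not needed in the first place.
"""
import datetime as dt

UTC = dt.timezone.utc


# --- minimal DER reader (enough for the fixed layout of an X.509 Certificate) ---

def _read_tlv(buf, pos):
    """Decode one DER tag/length/value at buf[pos].

    Returns (tag, value_start, value_end); value_end is also the next TLV's offset.
    """
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element of a SEQUENCE/SET body."""
    pos = start
    while pos < end:
        tag, vs, ve = _read_tlv(buf, pos)
        yield tag, vs, ve
        pos = ve


def _parse_time(tag, raw):
    """Decode an X.509 Time: UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...)."""
    text = raw.decode("ascii")
    if tag == 0x17:
        yy = int(text[:2])
        text = f"{1900 + yy if yy >= 50 else 2000 + yy}{text[2:]}"   # RFC 5280 4.1.2.5.1
    elif tag != 0x18:
        raise ValueError(f"unexpected Time tag 0x{tag:02x}")
    return dt.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)


def cert_validity(der):
    """Return (notBefore, notAfter) of a DER X.509 certificate as aware datetimes."""
    _, tbs_pos, _ = _read_tlv(der, 0)            # Certificate ::= SEQUENCE
    _, start, end = _read_tlv(der, tbs_pos)      # tbsCertificate ::= SEQUENCE
    fields = list(_children(der, start, end))
    if fields[0][0] == 0xA0:                     # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    _, vs, ve = fields[3]
    before, after = list(_children(der, vs, ve))
    return (_parse_time(before[0], der[before[1]:before[2]]),
            _parse_time(after[0], der[after[1]:after[2]]))


def days_remaining(der, now):
    """Whole days until notAfter; negative once the certificate has expired."""
    return (cert_validity(der)[1] - now).days


def check_certs(certs, now, warn_days=30):
    """Classify each nickname -> 'EXPIRED', 'WARN' (within warn_days) or 'OK'."""
    report = {}
    for nick, der in certs.items():
        left = days_remaining(der, now)
        report[nick] = "EXPIRED" if left < 0 else "WARN" if left <= warn_days else "OK"
    return report


# --- constructed sample data (not real certificates; no key, no signature) ---

def _tlv(tag, body):
    """DER-encode one TLV, short or long length form."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _time(t):
    """UTCTime for years before 2050, GeneralizedTime otherwise (RFC 5280 rule)."""
    if t.year < 2050:
        return _tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    return _tlv(0x18, t.strftime("%Y%m%d%H%M%SZ").encode())


def _sample_cert(not_before, not_after):
    """Stand-in with the real tbsCertificate field order; only validity is meaningful."""
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, bytes.fromhex("550403"))      # id-at-commonName
                                              + _tlv(0x0C, b"sample-ca"))))
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))  # sha256WithRSA
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02"))       # [0] version v3
                     + _tlv(0x02, b"\x01")                  # serialNumber
                     + alg + name                           # signature, issuer
                     + _tlv(0x30, _time(not_before) + _time(not_after))   # validity
                     + name + _tlv(0x30, b""))              # subject, empty SPKI placeholder
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))     # empty BIT STRING signature


SAMPLE_NOW = dt.datetime(2019, 4, 1, tzinfo=UTC)   # constructed "today"


def sample_certs():
    """Constructed nicknames and dates: one about to expire, one expired, one fine."""
    return {
        "sslserver":  _sample_cert(dt.datetime(2019, 1, 24, tzinfo=UTC), dt.datetime(2019, 4, 24, tzinfo=UTC)),
        "subsystem":  _sample_cert(dt.datetime(2018, 1, 1, tzinfo=UTC), dt.datetime(2019, 1, 1, tzinfo=UTC)),
        "ca_signing": _sample_cert(dt.datetime(2019, 1, 24, tzinfo=UTC), dt.datetime(2051, 1, 1, tzinfo=UTC)),
    }


if __name__ == "__main__":
    for nick, state in check_certs(sample_certs(), SAMPLE_NOW).items():
        print(f"{nick:12s} {state}")
```

Run on real data by replacing `sample_certs()` with a dict of nickname to the DER bytes exported from the instance alias directory and `SAMPLE_NOW` with `dt.datetime.now(UTC)`. Set `warn_days` comfortably above your renewal turnaround, so that a `WARN` on `sslserver` or any subsystem certificate is acted on while the server can still start and renew online.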

Comment 7 Sudhir Menon 2019-02-20 06:45:30 UTC
Fix is seen. 

Verified using 
[root@pki test]# cat /etc/redhat-release 
Red Hat Enterprise Linux release 8.0 Beta (Ootpa)

[root@pki test]# rpm -qa | grep pki
pki-base-10.6.9-2.module+el8+2728+a4ad6bba.noarch
pki-base-java-10.6.9-2.module+el8+2728+a4ad6bba.noarch
pki-servlet-container-9.0.7-13.module+el8+2468+c564cec5.noarch
python3-pki-10.6.9-2.module+el8+2728+a4ad6bba.noarch
pki-symkey-10.6.9-2.module+el8+2728+a4ad6bba.x86_64
pki-tools-10.6.9-2.module+el8+2728+a4ad6bba.x86_64
pki-ca-10.6.9-2.module+el8+2728+a4ad6bba.noarch
pki-servlet-4.0-api-9.0.7-13.module+el8+2468+c564cec5.noarch
pki-server-10.6.9-2.module+el8+2728+a4ad6bba.noarch

Comment 8 Sudhir Menon 2019-02-20 06:51:44 UTC
Created attachment 1536592 [details]
Verified Steps

Comment 9 Sudhir Menon 2019-02-20 06:53:08 UTC
Marking the bug as VERIFIED as per comment #7 and #8.

Comment 10 Dinesh Prasanth 2019-02-20 08:56:00 UTC
Corner cases identified:
========================

1. PKI server needs to operate on the default secure port 8443 for the `cert-fix` tool to submit system certificate renewal requests.

Sol: The port is hardcoded: https://github.com/dogtagpki/pki/blob/master/base/server/python/pki/server/__init__.py#L378   We can modify the code to accept a port number via `-p <port>` option.

2. While running the `cert-fix` tool, we saw the following error.

```
[root@master test]# pki-server cert-fix -d . -c Secret123 -n caadmin2 --cert sslserver -i topology-02-CA
ERROR: HTTPSConnectionPool(host='master.rhel80.test', port=8443): Max retries exceeded with url: /ca/rest/certrequests/profiles/caManualRenewal (Caused by SSLError(SSLError(185073780, '[X509: KEY_VALUES_MISMATCH] key values mismatch (_ssl.c:3550)'),))
```

This error was seen only when `Root CA signing` cert was imported into the client NSS db.

Comment 11 Dinesh Prasanth 2019-02-27 12:10:05 UTC
To track corner cases, a new BZ has been filed: https://bugzilla.redhat.com/show_bug.cgi?id=1679480

Comment 14 Matthew Harmsen 2019-06-10 23:47:11 UTC
*** Bug 1403016 has been marked as a duplicate of this bug. ***