Bug 1669257 - [RFE] Offline Certificate Renewal System
Summary: [RFE] Offline Certificate Renewal System
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: pki-core
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: 8.0
Assignee: Dinesh Prasanth
QA Contact: Asha Akkiangady
Docs Contact: Marc Muehlfeld
URL:
Whiteboard:
Duplicates: 1403016
Depends On: 1696849 1468348 1690191
Blocks: 1644708 1472344 1550132
Reported: 2019-01-24 18:53 UTC by Matthew Harmsen
Modified: 2019-06-14 01:20 UTC (History)

Fixed In Version: pki-core-10.6-820181130193715.5a87be8a
Doc Type: Enhancement
Doc Text:
Certificate System now supports offline renewal of system certificates
With this enhancement, administrators can use the offline renewal feature to renew system certificates configured in Certificate System. When a system certificate expires, Certificate System fails to start. As a result of the enhancement, administrators no longer need workarounds to replace an expired system certificate.
Clone Of: 1468348
Environment:
Last Closed: 2019-06-14 01:20:24 UTC
Type: Bug


Attachments
Verified Steps (19.23 KB, text/plain), 2019-02-20 06:51 UTC, Sudhir Menon

Comment 1 Dinesh Prasanth 2019-01-24 19:33:38 UTC
This feature must be available since v10.6.8

Steps for verification:
=======================
1. Install CA, KRA
2. Renew ca-admin beyond system cert's expiration date
3. Import new admin cert into client NSS Db and also add it to the LDAP (NOTE: LDAP Accepts only valid certs. If the cert is not yet valid, an error is thrown)
4. Change the system date beyond system cert's expiration date
5. Run `pki-server cert-fix --cert <cert_id>` # To renew 1 cert
   OR
   Run `pki-server cert-fix` # To renew ALL certs
6. Check whether the PKI server is up

NOTE: `pki-server cert-find` should give you a list of all available <cert_ID>s available in the system

To import the admin cert into the client NSS DB and LDAP, you can refer to the upstream docs:
https://www.dogtagpki.org/wiki/PKI_Client_CLI
https://www.dogtagpki.org/wiki/PKI_User_Certificate_CLI

Comment 7 Sudhir Menon 2019-02-20 06:45:30 UTC
Fix is seen. 

Verified using 
[root@pki test]# cat /etc/redhat-release 
Red Hat Enterprise Linux release 8.0 Beta (Ootpa)

[root@pki test]# rpm -qa | grep pki
pki-base-10.6.9-2.module+el8+2728+a4ad6bba.noarch
pki-base-java-10.6.9-2.module+el8+2728+a4ad6bba.noarch
pki-servlet-container-9.0.7-13.module+el8+2468+c564cec5.noarch
python3-pki-10.6.9-2.module+el8+2728+a4ad6bba.noarch
pki-symkey-10.6.9-2.module+el8+2728+a4ad6bba.x86_64
pki-tools-10.6.9-2.module+el8+2728+a4ad6bba.x86_64
pki-ca-10.6.9-2.module+el8+2728+a4ad6bba.noarch
pki-servlet-4.0-api-9.0.7-13.module+el8+2468+c564cec5.noarch
pki-server-10.6.9-2.module+el8+2728+a4ad6bba.noarch

Comment 8 Sudhir Menon 2019-02-20 06:51:44 UTC
Created attachment 1536592 [details]
Verified Steps

Comment 9 Sudhir Menon 2019-02-20 06:53:08 UTC
Marking the bug as VERIFIED as per comment #7 and #8.

Comment 10 Dinesh Prasanth 2019-02-20 08:56:00 UTC
Corner cases identified:
========================

1. PKI server needs to operate on default secure port 8443 for the `cert-fix` tool to submit system certificates renewal request.

Sol: The port is hardcoded: https://github.com/dogtagpki/pki/blob/master/base/server/python/pki/server/__init__.py#L378 . We can modify the code to accept a port number via `-p <port>` option.

2. While running the `cert-fix` tool, we saw the following error.

```
[root@master test]# pki-server cert-fix -d . -c Secret123 -n caadmin2 --cert sslserver -i topology-02-CA
ERROR: HTTPSConnectionPool(host='master.rhel80.test', port=8443): Max retries exceeded with url: /ca/rest/certrequests/profiles/caManualRenewal (Caused by SSLError(SSLError(185073780, '[X509: KEY_VALUES_MISMATCH] key values mismatch (_ssl.c:3550)'),))
```

This error was seen only when `Root CA signing` cert was imported into the client NSS db.

Comment 11 Dinesh Prasanth 2019-02-27 12:10:05 UTC
To track corner cases, a new BZ has been filed: https://bugzilla.redhat.com/show_bug.cgi?id=1679480

Comment 14 Matthew Harmsen 2019-06-10 23:47:11 UTC
*** Bug 1403016 has been marked as a duplicate of this bug. ***
