Bug 1669257 - [RFE] Offline Certificate Renewal System
Summary: [RFE] Offline Certificate Renewal System
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: pki-core
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Target Release: 8.0
Assignee: Dinesh Prasanth
QA Contact: Asha Akkiangady
Docs Contact: Marc Muehlfeld
Duplicates: 1403016
Depends On: 1468348 1690191 1696849
Blocks: 1644708 1472344 1550132
Reported: 2019-01-24 18:53 UTC by Matthew Harmsen
Modified: 2019-06-14 01:20 UTC (History)

Fixed In Version: pki-core-10.6-820181130193715.5a87be8a
Doc Type: Enhancement
Doc Text:
.Certificate System now supports offline renewal of system certificates
With this enhancement, administrators can use the offline renewal feature to renew system certificates configured in Certificate System. When a system certificate expires, Certificate System fails to start. As a result of the enhancement, administrators no longer need workarounds to replace an expired system certificate.
Clone Of: 1468348
Last Closed: 2019-06-14 01:20:24 UTC
Type: Bug
Target Upstream Version:

Attachments (Terms of Use)
Verified Steps (19.23 KB, text/plain)
2019-02-20 06:51 UTC, Sudhir Menon

Comment 1 Dinesh Prasanth 2019-01-24 19:33:38 UTC
This feature must be available since v10.6.8

Steps for verification:
1. Install CA, KRA
2. Renew ca-admin beyond system cert's expiration date
3. Import new admin cert into client NSS Db and also add it to the LDAP (NOTE: LDAP Accepts only valid certs. If the cert is not yet valid, an error is thrown)
4. Change the system date beyond system cert's expiration date
5. Run `pki-server cert-fix --cert <cert_id>` # To renew 1 cert
   Run `pki-server cert-fix` # To renew ALL certs
6. Check whether the PKI server is up

NOTE: `pki-server cert-find` should give you a list of all available <cert_ID>s available in the system

To import the admin cert into the client NSS DB and LDAP, you can refer to the upstream docs:

Comment 7 Sudhir Menon 2019-02-20 06:45:30 UTC
Fix is seen. 

Verified using 
[root@pki test]# cat /etc/redhat-release 
Red Hat Enterprise Linux release 8.0 Beta (Ootpa)

[root@pki test]# rpm -qa | grep pki

Comment 8 Sudhir Menon 2019-02-20 06:51:44 UTC
Created attachment 1536592 [details]
Verified Steps

Comment 9 Sudhir Menon 2019-02-20 06:53:08 UTC
Marking the bug as VERIFIED as per comment #7 and #8.

Comment 10 Dinesh Prasanth 2019-02-20 08:56:00 UTC
Corner cases identified:

1. The PKI server needs to operate on the default secure port 8443 for the `cert-fix` tool to submit system certificate renewal requests.

Sol: The port is hardcoded: https://github.com/dogtagpki/pki/blob/master/base/server/python/pki/server/__init__.py#L378   We can modify the code to accept a port number via `-p <port>` option.

2. While running the `cert-fix` tool, we saw the following error.

[root@master test]# pki-server cert-fix -d . -c Secret123 -n caadmin2 --cert sslserver -i topology-02-CA
ERROR: HTTPSConnectionPool(host='master.rhel80.test', port=8443): Max retries exceeded with url: /ca/rest/certrequests/profiles/caManualRenewal (Caused by SSLError(SSLError(185073780, '[X509: KEY_VALUES_MISMATCH] key values mismatch (_ssl.c:3550)'),))


This error was seen only when `Root CA signing` cert was imported into the client NSS db.

Comment 11 Dinesh Prasanth 2019-02-27 12:10:05 UTC
To track corner cases, a new BZ has been filed: https://bugzilla.redhat.com/show_bug.cgi?id=1679480

Comment 14 Matthew Harmsen 2019-06-10 23:47:11 UTC
*** Bug 1403016 has been marked as a duplicate of this bug. ***
