1700520 – [Docs] Procedure for renewing a local CA in certmonger

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1700520 - [Docs] Procedure for renewing a local CA in certmonger

Summary: [Docs] Procedure for renewing a local CA in certmonger

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	certmonger
Sub Component:
Version:	---
Hardware:	x86_64
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Rob Crittenden
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1700511
Blocks:	1595876
TreeView+	depends on / blocked

Reported:	2019-04-16 19:16 UTC by Pavan
Modified:	2021-01-27 13:58 UTC (History)
CC List:	8 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-01-27 13:59:22 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Pavan 2019-04-16 19:16:37 UTC

Description of problem:

On an undercloud SSL enabled Red Hat OpenStack platform, both certmonger local CA cert and undercloud SSL cert managed by certmonger expires in 1 year. Hence, on undercloud SSL cert renewal, the local CA cert also expires at the same time causing openstack services to become unavailable. 

The local CA does not honor changing the validity_period = 1y beyond its default value seen.

undercloud file location - '/etc/certmonger/certmonger.conf'

# This is the certmonger configuration file.  The format is a rather basic
# INI-style file.  See certmonger.conf(5) for notes about individual settings.
# · initial whitespace is ignored
# · whitespace between the key name and "=" is ignored
# · whitespace after "=" is ignored
# · trailing whitespace after values is ignored
# · comments begin with "#"
# · keys and section names are case-sensitive
# · there is no end-of-line continuation
#
# [defaults]
# notification_method = syslog
# notification_destination = daemon.notice
#
# [selfsign]
# validity_period = 1y
#
# [local]
# validity_period = 1y
#


Please add procedure for renewing a local CA in certmonger

Comment 3 Rob Crittenden 2019-05-01 19:45:06 UTC

It is not possible to renew a local CA. When the lifetime gets too low a new cert and private key are generated for the CA when half the life is gone.

Comment 4 Rob Crittenden 2020-02-17 20:26:56 UTC

certmonger is not intended to be a PKI provider in itself. The local CA is intended mostly for testing purposes, not production, as it lacks many capabilities, including CA renewal. I think we should just document not to use it in production.

Comment 5 Florence Blanc-Renaud 2020-02-27 09:44:59 UTC

Thank you taking your time and submitting this request for Red Hat Enterprise Linux 7. Unfortunately, this bug cannot be kept even as a stretch goal and was postponed to RHEL8.

Comment 10 Petr Vobornik 2021-01-27 13:59:22 UTC

This BZ has been evaluated multiple times over the last several years and we assessed that it is a valuable request to keep in the backlog and address it at some point in future. Time showed that we did not have such capacity, nor have it now nor will have in the foreseeable future. In such a situation keeping it in the backlog is misleading and setting the wrong expectation that we will be able to address it. Unfortunately we will not. To reflect this we are closing this BZ. If you disagree with the decision please reopen or open a new support case and create a new BZ. However this does not guarantee that the request will not be closed during the triage as we are currently applying much more rigor to what we actually can accomplish in the foreseeable future. Contributions and collaboration in the upstream community and CentOS Stream is always welcome!
Thank you for understanding
Red Hat Enterprise Linux Identity Management Team

Note You need to log in before you can comment on or make changes to this bug.