Description of problem:
It would be good to have the following options in certificate management:
1. Import of a certificate using copy-paste of a base64-encoded cert or uploading from the file system. Currently it only allows importing from an existing file on the server filesystem.
2. Export of CA or Server cert. Currently there is no way to export them from the Console.

Version-Release number of selected component (if applicable):
cockpit-389-ds-1.4.1.8-1.module+el8dsrv+4209+f45880df.noarch

How reproducible:
always

Steps to Reproduce:
1. Go to Security -> Certificate management
2. Try to import or export CA/server certs.
3.
Upstream ticket: https://github.com/389ds/389-ds-base/issues/5624
Builds tested:
389-ds-base-2.2.7-2.module+el9dsrv+18726+78959e84.x86_64
cockpit-389-ds-2.2.7-2.module+el9dsrv+18726+78959e84.noarch

1. When a certificate is imported, the certName input field doesn't validate input data. It also doesn't escape spaces, so for example a cert with the name "My Cert" fails to be imported:

CMD: addCert: Adding cert (tmp): ==> dsconf -j ldapi://%2fvar%2frun%2fslapd-localhost.socket security certificate add --name=My Cert --file=/etc/dirsrv/slapd-localhost/My Cert.tmp

And it puts part of the name in the cert itself:

# cat /etc/dirsrv/slapd-localhost/My
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Cert.tmp

2. Importing a CA certificate bundle where one of the certificates is missing key usage (see https://bugzilla.redhat.com/show_bug.cgi?id=1878808#c22) is reported as successful; the error about missing key usage is not displayed.

3. The Clear button is applied to the "Certificate text" text field, not "Upload local PEM file", but is located near the latter.

4. Some usability suggestions:
4.1 I think we can drop "Local" in the "Upload Local PEM File" label, as it is a bit confusing.
4.2 I suggest setting "Upload PEM File" as the first option, as it will most likely be the most used option. Options 1 and 2 suggest the user already has certificates on the server, it's one step away from running dsconf there anyway.
4.3 Options "Certificate text" and "Upload Local PEM File" are almost the same. I think we should leave one that allows pasting the text and uploading the file (which pastes the text from the file into the input field anyway).

I'm moving this to ASSIGNED.
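
The argument splitting visible in the CMD line of the comment above, shown as an added example that is not part of the original comments or of the cockpit-389-ds code. The constants, the function names and the name allow-list are assumptions made for illustration; only the dsconf arguments are taken from the logged command.

```javascript
// Added example. SOCKET and CERT_DIR mirror the logged command; all function
// names and the NAME_RE policy are hypothetical.
const SOCKET = "ldapi://%2fvar%2frun%2fslapd-localhost.socket";
const CERT_DIR = "/etc/dirsrv/slapd-localhost";

// Before: the command is one string. Anything that later splits it on
// whitespace (a shell, a naive tokenizer) breaks the name and the path apart.
function commandString(certName) {
  return `dsconf -j ${SOCKET} security certificate add ` +
         `--name=${certName} --file=${CERT_DIR}/${certName}.tmp`;
}

// Word splitting as applied to unquoted text (quoting rules ignored here).
function splitWords(cmd) {
  return cmd.trim().split(/\s+/);
}

// Assumed policy: letters, digits, space, dot, underscore, hyphen; first and
// last character alphanumeric (no leading "-" or ".", no trailing space);
// at most 64 characters. Path separators and shell metacharacters never match.
const NAME_RE = /^[A-Za-z0-9](?:[A-Za-z0-9 ._-]{0,62}[A-Za-z0-9])?$/;

function validateCertName(certName) {
  if (typeof certName !== "string" || !NAME_RE.test(certName)) {
    throw new Error("invalid certificate name");
  }
  return certName;
}

// After: an argument vector. Each element reaches the program as exactly one
// argument, so a space in the name stays inside --name= and --file=.
function addCertArgv(certName) {
  const name = validateCertName(certName);
  return ["dsconf", "-j", SOCKET, "security", "certificate", "add",
          `--name=${name}`, `--file=${CERT_DIR}/${name}.tmp`];
}

// "My Cert" is the name used in the comment above.
console.log(splitWords(commandString("My Cert"))); // 10 words, name cut in two
console.log(addCertArgv("My Cert"));               // 8 arguments, name intact
```

The argument vector is only safe when it is handed to a process-spawning API that takes an array and does not pass it through a shell.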
Hi Mark!

Could you please review the RN text in the DocText field?

Thank you,
Evgenia
(In reply to Evgenia Martynyuk from comment #6)
> Hi Mark!
>
> Could you please review the RN text in the DocText field?
>
> Thank you,
> Evgenia

Looks good
Builds tested:
389-ds-base-2.2.7-3.module+el9dsrv+18864+4949f8c5.x86_64
cockpit-389-ds-2.2.7-3.module+el9dsrv+18864+4949f8c5.noarch

1. Certificate name is now sanitized.
2. Uploading CA bundle doesn't work. The same bundle can be added using dsconf successfully. Since it doesn't say anywhere about bundles in the UI, and it works with uploading a single certificate, I'll open a separate bug for supporting certificate bundles in the UI.
3. "Clear" button works as expected.
4. New form is much cleaner and easier to use, thank you Mark for applying my suggestions!

Marking as VERIFIED.
Thanks, Fillip! Comments were applied. RN is release pending
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (redhat-ds:12 bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2023:3344