Bug 1760365 - Clone CA Server Cert not replicating complete inserted SAN in its server certificate
Summary: Clone CA Server Cert not replicating complete inserted SAN in its server cert...
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: pki-core
Version: 8.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: RHCS Maintainers
QA Contact: PKI QE
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2019-10-10 11:51 UTC by Pritam Singh
Modified: 2020-10-04 21:47 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-03-15 19:44:45 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Attachments
rootCA_debug_log (9.29 KB, text/plain) - 2019-10-10 11:51 UTC, Pritam Singh
rootCA_caInternalAuthServerCert_profile (8.10 KB, text/plain) - 2019-10-10 11:53 UTC, Pritam Singh
rootCA_rsaServerCert_profile (2.81 KB, text/plain) - 2019-10-10 11:55 UTC, Pritam Singh
rootCA_servercert_with_SAN_extension (4.16 KB, text/plain) - 2019-10-10 11:55 UTC, Pritam Singh
cloneCA_servercert_with_4_SAN (4.16 KB, text/plain) - 2019-10-10 11:56 UTC, Pritam Singh


Links
System ID Private Priority Status Summary Last Updated
Fedora Pagure dogtagpki issue 3145 0 None None None 2020-03-15 19:44:44 UTC
Github dogtagpki pki issues 3262 0 None open Clone CA Server Cert not replicating complete inserted SAN in its server certificate 2021-01-31 15:35:50 UTC

Description Pritam Singh 2019-10-10 11:51:28 UTC
Created attachment 1624294 [details]
rootCA_debug_log

Description of problem:
The clone CA server cert is not reflecting the complete inserted SAN in its server cert: the RootCA it is cloned from has 5 SAN entries in its server certificate, while the clone's SSL server certificate shows only 4.

Version-Release number of selected component (if applicable):
pki-ca-10.5.16-5.el7_7.noarch

How reproducible:
Always

Steps to Reproduce:
1. Make SAN changes in /usr/share/pki/ca/conf/rsaServerCert.profile
1.1 Add 8 in list=2,4,5,6,7,8
1.2 Add below SAN params in 8th Section:

8.default.class=com.netscape.cms.profile.def.SubjectAltNameExtDefault
8.default.name=Subject Alternative Name Defaults
8.default.params.subjAltNameExtCritical=true
8.default.params.subjAltNameNumGNs=5
8.default.params.subjAltExtGNEnable_0=true
8.default.params.subjAltExtPattern_0=$request.req_san_pattern_0$
8.default.params.subjAltExtType_0=DNSName
8.default.params.subjAltExtGNEnable_1=true
8.default.params.subjAltExtPattern_1=$request.req_san_pattern_1$
8.default.params.subjAltExtType_1=DNSName
8.default.params.subjAltExtGNEnable_2=true
8.default.params.subjAltExtPattern_2=$request.req_san_pattern_2$
8.default.params.subjAltExtType_2=DNSName
8.default.params.subjAltExtGNEnable_3=true
8.default.params.subjAltExtPattern_3=$request.req_san_pattern_3$
8.default.params.subjAltExtType_3=DNSName
8.default.params.subjAltExtGNEnable_4=true
8.default.params.subjAltExtPattern_4=$request.req_san_pattern_4$
8.default.params.subjAltExtType_4=DNSName

2. Make changes in /usr/share/pki/ca/profiles/ca/caInternalAuthServerCert.cfg
2.1 input.list=i1,i2,i3
2.2 policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9
2.3 Add below SAN params in 9th section:

policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
policyset.serverCertSet.9.default.name=Subject Alternative Name Extension Default
policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
policyset.serverCertSet.9.default.params.subjAltExtPattern_0=$request.req_san_pattern_0$
policyset.serverCertSet.9.default.params.subjAltExtType_0=DNSName
policyset.serverCertSet.9.default.params.subjAltExtGNEnable_1=true
policyset.serverCertSet.9.default.params.subjAltExtPattern_1=$request.req_san_pattern_1$
policyset.serverCertSet.9.default.params.subjAltExtType_1=DNSName
policyset.serverCertSet.9.default.params.subjAltExtGNEnable_2=true
policyset.serverCertSet.9.default.params.subjAltExtPattern_2=$request.req_san_pattern_2$
policyset.serverCertSet.9.default.params.subjAltExtType_2=DNSName
policyset.serverCertSet.9.default.params.subjAltExtGNEnable_3=true
policyset.serverCertSet.9.default.params.subjAltExtPattern_3=$request.req_san_pattern_3$
policyset.serverCertSet.9.default.params.subjAltExtType_3=DNSName
policyset.serverCertSet.9.default.params.subjAltExtGNEnable_4=true
policyset.serverCertSet.9.default.params.subjAltExtPattern_4=$request.req_san_pattern_4$
policyset.serverCertSet.9.default.params.subjAltExtType_4=DNSName
policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false
policyset.serverCertSet.9.default.params.subjAltNameNumGNs=5

3. Install RootCA with SAN
# cat ca.cfg
[DEFAULT]
pki_instance_name = topology-02-CA
pki_https_port = 20443
pki_http_port = 20080

pki_token_password = SECret.123
pki_admin_password = SECret.123
pki_admin_key_type=rsa
pki_admin_key_size=2048
pki_admin_key_algorithm=SHA512withRSA

pki_hostname = pki1.example.com
pki_security_domain_name = topology-02_Foobarmaster.org
pki_security_domain_password = SECret.123
pki_security_domain_https_port=20443
pki_client_dir = /opt/topology-02-CA
pki_client_pkcs12_password = SECret.123
pki_backup_keys = True
pki_backup_password = SECret.123
pki_ds_password = SECret.123
pki_ds_ldap_port = 389
pki_san_inject=True
pki_san_for_server_cert=pki1.example.com,redacted_serverb,redacted_serverb.domain,redacted_servera,redacted_servera.domain
pki_sslserver_key_algorithm=SHA512withRSA
pki_sslserver_key_size=2048
pki_sslserver_key_type=rsa
pki_subsystem_key_type=rsa
pki_subsystem_key_size=2048
pki_subsystem_key_algorithm=SHA512withRSA
pki_audit_signing_key_algorithm=SHA512withRSA
pki_audit_signing_key_size=2048
pki_audit_signing_key_type=rsa
pki_audit_signing_signing_algorithm=SHA512withRSA

[Tomcat]
pki_ajp_port = 20009
pki_tomcat_server_port = 20005

[CA]
pki_import_admin_cert = False
pki_ds_hostname = pki1.example.com
pki_admin_nickname = PKI CA Administrator for Example.Org
pki_ca_signing_key_algorithm=SHA512withRSA
pki_ca_signing_key_size=2048
pki_ca_signing_key_type=rsa
pki_ca_signing_signing_algorithm=SHA512withRSA
pki_ocsp_signing_key_algorithm=SHA512withRSA
pki_ocsp_signing_key_size=2048
pki_ocsp_signing_key_type=rsa
pki_ocsp_signing_signing_algorithm=SHA512withRSA

# pkispawn -s CA -f ca.cfg -vv

4. Installation should be successful with SAN extension in RootCA ssl server cert.

# certutil -L -d /var/lib/pki/topology-02-CA/alias/ -n "Server-Cert cert-topology-02-CA"

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
        Signature Algorithm: PKCS #1 SHA-512 With RSA Encryption
        Issuer: "CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Fo
            obarmaster.org"
        Validity:
            Not Before: Wed Oct 09 12:54:37 2019
            Not After : Tue Sep 28 12:54:37 2021
        Subject: "CN=pki1.example.com,OU=topology-02-CA,O=topology-02_Foobarm
            aster.org"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    ba:30:7f:4a:fe:6a:88:f2:8b:90:76:f0:52:f7:07:04:
                    2b:b9:a7:4c:85:19:ae:8e:e2:9d:43:42:4b:6c:90:d9:
                    bc:8c:de:77:7b:95:e8:f3:e3:9b:38:35:42:ca:5c:b5:
                    ca:77:43:cc:1d:3b:b4:bc:ea:3a:9f:6f:56:0a:8d:a6:
                    8d:02:e8:61:8c:eb:ae:68:67:2b:41:14:be:2f:cb:00:
                    98:49:2b:e8:59:f0:4b:a2:d1:17:76:cf:d7:e7:d9:3d:
                    50:d8:8a:f1:e8:2b:d6:33:59:ef:5c:ce:5e:ed:ca:ba:
                    99:26:34:46:b5:e2:ea:ee:13:7f:b8:07:ea:f6:50:ca:
                    ee:f2:af:81:73:e1:52:32:cd:00:f8:c3:e5:20:31:0a:
                    4b:05:f6:9f:ad:75:7c:4a:68:e6:8f:f9:ec:71:9b:bb:
                    b7:90:94:e7:07:dd:96:3c:32:9d:cd:76:38:20:2f:df:
                    4c:f6:a8:33:f1:6f:fe:07:ed:f8:79:0e:31:83:40:25:
                    84:5a:97:84:39:85:5a:dd:38:36:2a:bc:f4:5f:be:34:
                    1b:49:aa:df:5b:55:c2:1e:00:e3:aa:e0:d8:7c:0e:6e:
                    41:72:57:32:5c:e1:a0:df:10:63:93:35:46:61:27:90:
                    5d:6f:9c:47:46:b4:e6:72:d5:66:c2:70:3c:8e:86:d5
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Authority Key Identifier
            Key ID:
                82:d7:27:7c:3d:bf:57:71:57:9a:e1:b7:4f:2b:d4:64:
                28:aa:f2:79

            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
            Location:
                URI: "http://pki1.example.com:20080/ca/ocsp"

            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Key Encipherment
                    Data Encipherment

            Name: Extended Key Usage
                TLS Web Server Authentication Certificate

            Name: Certificate Subject Alt Name
            Critical: True
            DNS name: "pki1.example.com"
            DNS name: "redacted_serverb"
            DNS name: "redacted_serverb.domain"
            DNS name: "redacted_servera"
            DNS name: "redacted_servera.domain"

5. Execute ca-clone-prepare to get the p12 file, then copy it to the clone machine
# pki-server ca-clone-prepare -i topology-02-CA --pkcs12-file /tmp/caclone.p12 --pkcs12-password SECret.123
-----------------------------------------------------
Added certificate "subsystemCert cert-topology-02-CA"
-----------------------------------------------------
--------------------------------------------------------
Added certificate "caSigningCert cert-topology-02-CA CA"
--------------------------------------------------------
----------------------------------------------------------
Added certificate "ocspSigningCert cert-topology-02-CA CA"
----------------------------------------------------------
-----------------------------------------------------------
Added certificate "auditSigningCert cert-topology-02-CA CA"
-----------------------------------------------------------

6. Install clone with the same SAN changes as in Master:
# cat clone.cfg
[DEFAULT]
pki_instance_name = topology-02-CA-clone
pki_https_port = 22080
pki_http_port = 22443

pki_token_password = SECret.123
pki_admin_password = SECret.123

pki_hostname = pki2.example.com
pki_security_domain_hostname = pki1.example.com
pki_security_domain_password = SECret.123
pki_security_domain_https_port = 20443
pki_security_domain_post_login_sleep_seconds=5
pki_security_domain_name=topology-02_Foobarmaster.org
pki_client_dir = /opt/topology-02-CA-clone
pki_client_pkcs12_password = SECret.123
pki_client_database_password = SECret.123

pki_ds_password = SECret.123
pki_ds_ldap_port = 3389
pki_san_inject=True
pki_san_for_server_cert=pki1.example.com,redacted_serverb,redacted_serverb.domain,redacted_servera,redacted_servera.domain

[Tomcat]
pki_ajp_port = 22009
pki_tomcat_server_port = 22005

[CA]
pki_clone=True
pki_clone_pkcs12_password=SECret.123
pki_clone_pkcs12_path=/tmp/caclone.p12
pki_import_admin_cert = False
pki_admin_nickname= ca_clone
pki_ds_hostname = pki2.example.com
pki_ds_base_dn=o=topology-02-CA-CA
pki_ds_database=ca-clone

pki_clone_replication_master_port=389
pki_clone_replication_clone_port=3389
pki_clone_replicate_schema=True
pki_clone_uri=https://pki1.example.com:20443

pki_ca_signing_nickname=caSigningCert cert-topology-02-CA CA
pki_ocsp_signing_nickname=ocspSigningCert cert-topology-02-CA CA
pki_audit_signing_nickname=auditSigningCert cert-topology-02-CA CA
pki_subsystem_nickname=subsystemCert cert-topology-02-CA

# pkispawn -s CA -f clone.cfg -vv

7. Installation happened successfully, with the SAN reflected in its server cert.

[root@pki2 ~]# certutil -L -d /var/lib/pki/topology-02-CA-clone/alias/ -n "Server-Cert cert-topology-02-CA-clone"
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 8 (0x8)
        Signature Algorithm: PKCS #1 SHA-512 With RSA Encryption
        Issuer: "CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Fo
            obarmaster.org"
        Validity:
            Not Before: Wed Oct 09 13:01:40 2019
            Not After : Tue Sep 28 13:01:40 2021
        Subject: "CN=pki2.example.com,OU=topology-02-CA-clone,O=topology-02_F
            oobarmaster.org"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    d8:3c:67:43:a3:d9:a3:d2:94:a2:97:a1:2e:b2:4f:b0:
                    70:75:57:99:38:15:64:51:1f:54:1e:df:c1:96:ec:f9:
                    01:37:92:e7:69:28:09:44:e3:d2:22:69:d1:cd:36:d5:
                    90:70:e0:04:e3:ed:d8:32:43:ed:68:23:14:ca:5a:74:
                    ae:3d:67:95:12:4c:45:e8:e1:7e:85:71:ef:23:5c:34:
                    d1:4e:ce:4e:02:b4:63:c4:21:f4:b2:c0:16:cb:df:c7:
                    4e:fb:92:a1:6a:5f:d7:fc:39:86:0e:ff:97:5a:c7:65:
                    ce:90:a4:d2:39:12:54:b9:a4:6e:dd:95:dc:a9:79:10:
                    44:27:04:25:8a:33:f7:63:1c:ba:b1:9a:7d:0a:0b:62:
                    bf:17:aa:61:62:46:f6:b3:6a:b1:22:52:c9:3e:c9:88:
                    d1:97:23:9e:26:5e:d6:f4:f8:be:f9:24:c6:e7:f4:63:
                    a7:d8:46:79:6a:1a:3e:88:94:b6:f8:10:2e:c5:76:ef:
                    a4:d8:a8:74:15:90:81:7a:83:69:a6:66:a1:f8:85:36:
                    1b:05:bf:5f:d2:3c:a5:72:b1:22:51:eb:0f:f6:f9:ea:
                    7c:f4:eb:e0:9e:94:f3:21:62:a0:ea:e3:fe:3a:c6:63:
                    58:df:c6:46:80:05:0f:7c:ed:81:2e:0b:ed:4b:49:51
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Authority Key Identifier
            Key ID:
                82:d7:27:7c:3d:bf:57:71:57:9a:e1:b7:4f:2b:d4:64:
                28:aa:f2:79

            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
            Location:
                URI: "http://pki1.example.com:20080/ca/ocsp"

            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Key Encipherment
                    Data Encipherment

            Name: Extended Key Usage
                TLS Web Server Authentication Certificate
                TLS Web Client Authentication Certificate

            Name: Certificate Subject Alt Name
            DNS name: "pki1.example.com"
            DNS name: "redacted_serverb"
            DNS name: "redacted_serverb.domain"
            DNS name: "redacted_servera"

Actual results:

Seen that the RootCA server cert has 5 DNS name entries in its SAN and cloning with the SAN extension is successful, but the clone CA's SSL server certificate is issued with only 4 DNS name entries in its SAN extension.

Expected results:
It should result in all 5 DNS name entries being replicated in the clone CA server cert, as per the injected SAN.

Proof of concept:
Please find the RootCA debug log and profiles config attached.

Additional info:

Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1743122#c16
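The report compares the two certutil dumps by eye. The following is an added example, not part of the bug report or of the pki project's own code, that automates that post-install check: it reads pki_san_inject and pki_san_for_server_cert from a pkispawn-style config, parses the "Certificate Subject Alt Name" block of `certutil -L` output, and reports which configured names are missing from the issued certificate. The function names (configured_sans, issued_sans, san_report) and the embedded sample config and certificate text are constructed for this example; the sample SAN block mirrors the 4-name clone certificate above. It additionally flags whether the instance's own pki_hostname appears in the SAN, since TLS clients match the host name against that extension.

```python
# Added example (not part of the bug report or of the pki project): compare the
# SAN names a pkispawn config asks for with the DNS names actually present in
# the issued server certificate, as printed by `certutil -L`.
import re
from configparser import ConfigParser

# Constructed sample config, modelled on the clone.cfg in the report (shortened).
CONFIG_TEXT = """\
[DEFAULT]
pki_hostname = pki2.example.com
pki_san_inject=True
pki_san_for_server_cert=pki1.example.com,redacted_serverb,redacted_serverb.domain,redacted_servera,redacted_servera.domain
"""

# Constructed sample certutil output, trimmed to the parts this check reads;
# the SAN block mirrors the clone certificate shown in the report (4 names).
CLONE_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Subject: "CN=pki2.example.com,OU=topology-02-CA-clone,O=topology-02_F
            oobarmaster.org"
        Signed Extensions:
            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature

            Name: Certificate Subject Alt Name
            DNS name: "pki1.example.com"
            DNS name: "redacted_serverb"
            DNS name: "redacted_serverb.domain"
            DNS name: "redacted_servera"

"""


def configured_sans(config_text):
    """Return (hostname, [san names]) from a pkispawn-style config.

    Only the keys used in the report are read. Unless pki_san_inject is True
    the list means nothing, so an empty list is returned in that case.
    """
    cp = ConfigParser(interpolation=None)
    cp.read_string(config_text)
    defaults = cp.defaults()
    hostname = defaults.get("pki_hostname", "").strip()
    if defaults.get("pki_san_inject", "False").strip().lower() != "true":
        return hostname, []
    raw = defaults.get("pki_san_for_server_cert", "")
    # Tolerate whitespace and indented line continuations around the names.
    names = [n.strip() for n in raw.replace("\n", "").split(",") if n.strip()]
    return hostname, names


def issued_sans(certutil_text):
    """Return (critical, [dns names]) parsed from certutil -L output.

    The SAN section starts at 'Name: Certificate Subject Alt Name' and ends at
    the next blank line; only DNS name entries are collected.
    """
    in_san, critical, names = False, False, []
    for line in certutil_text.splitlines():
        stripped = line.strip()
        if stripped == "Name: Certificate Subject Alt Name":
            in_san = True
            continue
        if not in_san:
            continue
        if not stripped:
            break
        if stripped == "Critical: True":
            critical = True
            continue
        m = re.fullmatch(r'DNS name: "([^"]+)"', stripped)
        if m:
            names.append(m.group(1))
    return critical, names


def san_report(config_text, certutil_text):
    """Compare configured vs issued SAN names (case-insensitive, exact match)."""
    hostname, expected = configured_sans(config_text)
    critical, issued = issued_sans(certutil_text)
    issued_lc = {n.lower() for n in issued}
    expected_lc = {n.lower() for n in expected}
    return {
        "expected": expected,
        "issued": issued,
        "missing": [n for n in expected if n.lower() not in issued_lc],
        "extra": [n for n in issued if n.lower() not in expected_lc],
        "critical": critical,
        # TLS clients match the host name against the SAN, so report separately
        # whether the instance's own pki_hostname is among the issued names.
        "hostname_covered": hostname.lower() in issued_lc,
        "ok": all(n.lower() in issued_lc for n in expected),
    }


if __name__ == "__main__":
    for key, value in san_report(CONFIG_TEXT, CLONE_CERT_TEXT).items():
        print(f"{key}: {value}")
```

Run against the sample above the report lists redacted_servera.domain as missing and ok as False; pointing it at the real clone.cfg and at the output of `certutil -L -d <alias dir> -n "<Server-Cert nickname>"` gives the same check for a live instance.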

Comment 2 Pritam Singh 2019-10-10 11:53:05 UTC
Created attachment 1624295 [details]
rootCA_caInternalAuthServerCert_profile

Comment 3 Pritam Singh 2019-10-10 11:55:08 UTC
Created attachment 1624296 [details]
rootCA_rsaServerCert_profile

Comment 4 Pritam Singh 2019-10-10 11:55:53 UTC
Created attachment 1624297 [details]
rootCA_servercert_with_SAN_extension

Comment 5 Pritam Singh 2019-10-10 11:56:56 UTC
Created attachment 1624298 [details]
cloneCA_servercert_with_4_SAN

