Bug 1802006 - KRA installation failed to create ECC admin cert
Summary: KRA installation failed to create ECC admin cert
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: pki-core
Version: 8.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: 8.2
Assignee: RHCS Maintainers
QA Contact: PKI QE
Depends On:
Reported: 2020-02-12 06:37 UTC by shalini
Modified: 2020-04-28 15:46 UTC (History)

Fixed In Version: pki-core-10.6-8020020200217060646.c7c3114f
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2020-04-28 15:45:20 UTC
Type: Bug
Target Upstream Version:
edewata: needinfo? (gkapoor)
skhandel: needinfo+


System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:1644 0 None None None 2020-04-28 15:46:04 UTC

Description shalini 2020-02-12 06:37:38 UTC
Description of problem:
KRA installation fails in ECC mode with pki_admin_key_type=ecc in the conf file.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install the CA in ECC mode with the ECC configuration given in the attached ca.cfg file.
2. Try installing the KRA in ECC mode with the ECC configuration given in the attached kra.cfg file.
3. Comment out the following parameters in the KRA conf file and retry the installation.

Actual results:
1. CA installation success
2. KRA installation fails with the following exception:
""" java.io.IOException: Unable to generate admin certificate: Request 24 Rejected - Key Type RSA Not Matched """
3. Installation success.

Expected results:
Installation in step 2 should succeed. This is a regression test scenario and was functional in RHEL 7.8.

Additional info:
In step 3, when the pki_admin_key_type field is commented out in the KRA config file, an RSA admin cert is generated instead and the installation succeeds.
ECC admin cert creation failed during installation in step 2. 

Attached are debug logs.

Comment 4 Endi Sukma Dewata 2020-02-12 09:15:55 UTC
Hi Christina,

You're probably more familiar with this area. I noticed that the
caAdminCert and the caECAdminCert profiles in CA's CS.cfg are pointing
to the same configuration file that contains an RSA key constraint.




policyset.adminCertSet.3.constraint.name=Key Constraint

I'm not sure how it works on RHEL 7 but on RHEL 8 the caECAdminCert
profile rejects KRA admin's ECC cert request because of this constraint.

If I change the caECAdminCert profile to use caECAdminCert.cfg instead
it will load the ECC key constraint:


policyset.adminCertSet.3.constraint.name=Key Constraint

and the KRA installation will complete successfully.
Could you take a look? Thanks.

Comment 5 Endi Sukma Dewata 2020-02-12 09:24:54 UTC
Sorry, I should have linked the files in the master (10.8) branch:

* https://github.com/dogtagpki/pki/blob/master/base/ca/shared/conf/CS.cfg#L1086-L1089
* https://github.com/dogtagpki/pki/blob/master/base/ca/shared/profiles/ca/caAdminCert.cfg#L32-L35
* https://github.com/dogtagpki/pki/blob/master/base/ca/shared/profiles/ca/caECAdminCert.cfg#L32-L35

Regardless, the above sections are identical in master and 10.5 branch.
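The mismatch described in comments 4 and 5 (both admin profiles registered in CS.cfg resolving to a config whose Key Constraint only allows RSA) can be checked mechanically. The following is an added example, not Dogtag's code or anything attached to this bug: a small Python checker run over constructed CS.cfg and profile fragments; the `profile.<id>.config` key layout, the `params.keyType` parameter name and its RSA/EC values are assumptions.

```python
import re

# Constructed CS.cfg fragment reproducing the misconfiguration in comments 4 and 5:
# both admin profiles point at caAdminCert.cfg ("profile.<id>.config" layout assumed).
CS_CFG = """\
profile.caAdminCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caAdminCert.cfg
profile.caECAdminCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caAdminCert.cfg
"""
# Constructed profile configs; the "params.keyType" name and RSA/EC values are assumed.
PROFILE_FILES = {
    "/var/lib/pki/pki-tomcat/ca/profiles/ca/caAdminCert.cfg": """\
policyset.adminCertSet.3.constraint.name=Key Constraint
policyset.adminCertSet.3.constraint.params.keyType=RSA
""",
    "/var/lib/pki/pki-tomcat/ca/profiles/ca/caECAdminCert.cfg": """\
policyset.adminCertSet.3.constraint.name=Key Constraint
policyset.adminCertSet.3.constraint.params.keyType=EC
""",
}


def parse_properties(text):
    """Parse key=value lines (the Java-properties style CS.cfg uses)."""
    pairs = (l.partition("=") for l in text.splitlines() if l.strip() and not l.startswith("#"))
    return {k.strip(): v.strip() for k, _, v in pairs}


def key_constraint_types(profile_props):
    """Key types accepted by every 'Key Constraint' policy in a profile ('-' means any)."""
    types = set()
    for key, value in profile_props.items():
        if key.endswith(".constraint.name") and value == "Key Constraint":
            params = key[: -len(".name")] + ".params.keyType"
            types.add(profile_props.get(params, "-").upper())
    return types


def check_admin_profiles(cs_cfg, files):
    """Map each admin profile whose Key Constraint rejects its own key type to the path it uses."""
    problems = {}
    for key, path in parse_properties(cs_cfg).items():
        m = re.fullmatch(r"profile\.(ca(EC)?AdminCert)\.config", key)
        if m:
            expected = "EC" if m.group(2) else "RSA"  # caECAdminCert must accept EC keys
            allowed = key_constraint_types(parse_properties(files.get(path, "")))
            if expected not in allowed and "-" not in allowed:
                problems[m.group(1)] = path
    return problems


if __name__ == "__main__":
    print(check_admin_profiles(CS_CFG, PROFILE_FILES))
    # → {'caECAdminCert': '/var/lib/pki/pki-tomcat/ca/profiles/ca/caAdminCert.cfg'}
```

Pointing `profile.caECAdminCert.config` at caECAdminCert.cfg, as comment 4 proposes, makes the checker return an empty dict.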

Comment 6 Geetika Kapoor 2020-02-12 09:46:24 UTC
Endi, Christina,

I was able to install it, but I needed to make some tweaks in https://github.com/dogtagpki/pki/blob/DOGTAG_10_5_BRANCH/base/ca/shared/profiles/ca/caECAdminCert.cfg#L32-L35.
I added ECC as the key type, and when I restarted it was again picking up RSA. The restart was somehow not picking up the changes and it was still showing RSA, so changing it to ECC from the admin console worked and the later installation also passed. I was not sure why the changes in the profile file and a restart didn't pick up the changes. Does the registry need to be refreshed or something?


Comment 7 Christina Fu 2020-02-12 22:32:09 UTC
1. Shalini, I have trouble understanding your steps 2 and 3.  In step 2, you said "Try installing kra in ECC mode with mentioned ecc configurations in attached kra.cfg file.", but you didn't say what happened there.  Was it successful?  If not, what was the debug info?
  Then in step 3, you said you commented out the ec params in the kra's pkispawn file and tried again.  So here you are trying to get an RSA admin cert for an EC environment?  Is this a negative case?

2. Endi and Geetika, the profiles get automatically switched depending on the key type:
As you can see, we did that for startup profiles;  That's what Jack and I discussed and agreed on at the time.  He implemented that.

Does that help?

Comment 8 Endi Sukma Dewata 2020-02-13 02:46:37 UTC
Christina, yes, KRA will submit a request to caAdminCert or caECAdminCert profile based
on that code. However, as shown above both of these profiles point to the same RSA profile
configuration file, so ECC request to caECAdminCert will always be rejected.

I was wondering if it's simply a typo in CS.cfg or if there's other logic that I'm not
aware of. I'm also curious how the code works in RHEL 7 since the parts shown above are
identical in RHEL 7 and 8.

Comment 9 Geetika Kapoor 2020-02-13 05:55:17 UTC
Christina, it is going to the right profile if ECC is selected. No doubt on that part. The request is going to the caECAdminCert profile.
But even after setting the key type to ECC in the caECAdminCert profile and restarting the CA, it was giving a key mismatch error, but as soon as I made the same change to ECC for the caECAdminCert profile from the admin console, it worked.

Comment 10 Endi Sukma Dewata 2020-02-14 04:38:34 UTC
Jack, any idea about this?

Comment 11 shalini 2020-02-14 05:41:15 UTC
Christina, as I mentioned in the actual and expected output:

Step 2 is failing and is expected to succeed; debug logs are also attached [KRA failure debug log].
Step 3 succeeds and works as expected; this is a positive scenario. Only the admin cert in the KRA installation is RSA; all the other certs are ECC. A similar scenario is mentioned in the documentation below:

When I try to have an ECC admin cert during KRA installation, there is a failure with the following exception [Step 2]:
""" java.io.IOException: Unable to generate admin certificate: Request 24 Rejected - Key Type RSA Not Matched """

Comment 12 Endi Sukma Dewata 2020-02-16 15:31:29 UTC
The code has been updated upstream:
* master (10.8) branch: https://github.com/dogtagpki/pki/commit/84c039e9d93794df118e926c24aacf1da8fd166e
* 10.5 branch: https://github.com/dogtagpki/pki/commit/848946c07b4d67e27cfd8128bc7409e0db9983cd

Comment 14 Endi Sukma Dewata 2020-02-17 08:55:41 UTC
I have added the RHEL 8 build into the errata.

Please note that there are 2 options for the admin cert during KRA installation:
1. Import an existing admin cert (pki_import_admin_cert=True). This is the default.
2. Request a new admin cert from the CA (pki_import_admin_cert=False).

The first scenario seems to be working fine, but the second scenario
is failing with ECC key type due to the incorrect path explained above.

Here's a sample deployment configuration to test scenario #2:




Comment 18 shalini 2020-03-17 15:11:23 UTC
KRA installation worked with ECC admin cert. Following is the build on which testing is performed:



Marking this bugzilla verified.

Comment 20 errata-xmlrpc 2020-04-28 15:45:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

