
Bug 1992337

Summary: Double issuance of non-CA subsystem certs at installation
Product: Red Hat Enterprise Linux 8
Component: pki-core
Version: 8.5
Reporter: Christina Fu <cfu>
Assignee: Christina Fu <cfu>
QA Contact: PKI QE <bugzilla-pkiqe>
CC: aakkiang, cdorney, dpunia, edewata, mharmsen
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Keywords: Triaged
Flags: pm-rhel: mirror+
Target Milestone: beta
Target Release: 8.5
Hardware: Unspecified
OS: Unspecified
Fixed In Version: pki-core-10.6-8050020210812105402.01d2cef5
Doc Type: If docs needed, set a value
Type: Bug
Last Closed: 2021-11-09 18:39:04 UTC

Attachments:
double-issuance at pkispawn (no flags)

Description Christina Fu 2021-08-10 22:20:53 UTC
Created attachment 1812899 [details]
double-issuance at pkispawn

Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:
yes

Steps to Reproduce:
1. Install shared instances of CA/KRA (or more, such as TKS/TPS or OCSP).
2. Go to the CA agent or EE web UI and list certs.
3. Notice that, other than the CA, all subsystem certs are doubly issued. What's more, both certs have the same content, including the public key. The only difference is the serial number and signature.

Actual results:
two certs each; same public key

Expected results:
should just be one cert each

Additional info:

Comment 1 Christina Fu 2021-08-10 22:25:37 UTC
BTW, the CLI shows the same thing: two certs each.

pki -c <your passwd> -d . -n "<your admin cert>" ca-cert-find
...
<skipping over CA certs, which look fine>
...
  Serial Number: 0x7
  Subject DN: CN=DRM Transport Certificate,OU=pki-tomcat,O=sjc.redhat.com Security Domain
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=sjc.redhat.com Security Domain
  Status: VALID
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Tue Aug 10 11:18:29 PDT 2021
  Not Valid After: Mon Jul 31 11:18:29 PDT 2023
  Issued On: Tue Aug 10 11:18:29 PDT 2021
  Issued By: caadmin

  Serial Number: 0x8
  Subject DN: CN=DRM Transport Certificate,OU=pki-tomcat,O=sjc.redhat.com Security Domain
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=sjc.redhat.com Security Domain
  Status: VALID
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Tue Aug 10 11:18:29 PDT 2021
  Not Valid After: Mon Jul 31 11:18:29 PDT 2023
  Issued On: Tue Aug 10 11:18:29 PDT 2021
  Issued By: caadmin

  Serial Number: 0x9
  Subject DN: CN=DRM Storage Certificate,OU=pki-tomcat,O=sjc.redhat.com Security Domain
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=sjc.redhat.com Security Domain
  Status: VALID
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Tue Aug 10 11:18:30 PDT 2021
  Not Valid After: Mon Jul 31 11:18:30 PDT 2023
  Issued On: Tue Aug 10 11:18:30 PDT 2021
  Issued By: caadmin

  Serial Number: 0xa
  Subject DN: CN=DRM Storage Certificate,OU=pki-tomcat,O=sjc.redhat.com Security Domain
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=sjc.redhat.com Security Domain
  Status: VALID
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Tue Aug 10 11:18:30 PDT 2021
  Not Valid After: Mon Jul 31 11:18:30 PDT 2023
  Issued On: Tue Aug 10 11:18:30 PDT 2021
  Issued By: caadmin

  Serial Number: 0xb
  Subject DN: CN=KRA Audit Signing Certificate,OU=pki-tomcat,O=sjc.redhat.com Security Domain
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=sjc.redhat.com Security Domain
  Status: VALID
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Tue Aug 10 11:18:31 PDT 2021
  Not Valid After: Mon Jul 31 11:18:31 PDT 2023
  Issued On: Tue Aug 10 11:18:31 PDT 2021
  Issued By: caadmin

  Serial Number: 0xc
  Subject DN: CN=KRA Audit Signing Certificate,OU=pki-tomcat,O=sjc.redhat.com Security Domain
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=sjc.redhat.com Security Domain
  Status: VALID
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Tue Aug 10 11:18:31 PDT 2021
  Not Valid After: Mon Jul 31 11:18:31 PDT 2023
  Issued On: Tue Aug 10 11:18:31 PDT 2021
  Issued By: caadmin

Comment 3 Endi Sukma Dewata 2021-08-11 01:36:27 UTC
The duplicate certs seem to be caused by the fix for bug #1976010:
https://github.com/dogtagpki/pki/commit/c0b428722a911b2fe37a79266257b31d89d2c97b

In CertProcessor.java, profile.submit() was invoked twice:

  profile.submit(authToken, req);
  profile.submit(authToken, req, explicitApprovalRequired);

If the first invocation is removed the problem seems to disappear.

Comment 4 Christina Fu 2021-08-11 16:40:15 UTC
commit 3e25eeda64864404038a8075372f00948040689e (HEAD -> master, origin/master, origin/HEAD, Bug1990608-TPS-no-trans-CAdown-master)
Author: Christina Fu <cfu>
Date:   Wed Aug 11 09:31:25 2021 -0700

    Bug 1992337 - Double issuance of non-CA subsystem certs at installation
    
    This patch removes an extra profile.submit() call that was accidentally
    left off during manual cherry-picking of another bug (1905374):
    commit 8e78a2b912e7c3bd015e4da1f1630d0f35145104 (HEAD -> DOGTAG_10_5_BRANCH, origin/DOGTAG_10_5_BRANCH)
    
    fixes https://bugzilla.redhat.com/show_bug.cgi?id=1992337

=====

commit 63cf2895f5d5a37bb09f3e889b8584b0bb0dce06 (HEAD -> v10.11, origin/v10.11, Bug1971732-install-subCA-v10.11)
Author: Christina Fu <cfu>
Date:   Wed Aug 11 09:19:59 2021 -0700

    Bug 1992337 - Double issuance of non-CA subsystem certs at installation
    
    This patch removes an extra profile.submit() call that was accidentally left
    off during manual cherry-picking of another bug (1905374):
    commit 8e78a2b912e7c3bd015e4da1f1630d0f35145104 (HEAD -> DOGTAG_10_5_BRANCH, origin/DOGTAG_10_5_BRANCH)
    
    fixes https://bugzilla.redhat.com/show_bug.cgi?id=1905374

Comment 5 Christina Fu 2021-08-11 16:42:35 UTC
Test instruction:
Install CA and KRA.
Go to the agent or EE web UI and "list certs". You should not see double certs for the KRA system certs.
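
The listing in comment 1 can be checked mechanically, and the same check covers the test instruction in comment 5. What follows is an added example written for this page; it is not code from the bug report or from pki-core. It parses the plain-text output of `pki ca-cert-find`, groups entries that agree on everything except the serial number, and reports each subject that was issued more than once. The sample listing embedded in it is constructed from the serials and dates in comment 1 with a single CA signing entry added; the listing never shows the public key, so agreement on subject, issuer, key algorithm and validity window stands in for the "same content, including the public key" the report describes. Confirming the key match would mean exporting each reported serial (for example with `pki ca-cert-show`, which this page does not show) and comparing the SubjectPublicKeyInfo.

```python
"""Detect subsystem certificates that were issued more than once by parsing
the plain-text listing that `pki ca-cert-find` prints (see comment 1).
Added example written for this bug report; it is not pki-core code."""
import re
import sys
from collections import defaultdict

# Constructed sample listing: a CA signing cert (issued once, as the report
# says the CA certs look fine) plus the duplicated KRA transport and storage
# entries with the serials and dates from comment 1. Fields the check does
# not look at are left out; a real listing carries a few more per entry.
SAMPLE_OUTPUT = """\
-----------------
5 entries matched
-----------------
  Serial Number: 0x1
  Subject DN: CN=CA Signing Certificate,OU=pki-tomcat,O=sjc.redhat.com Security Domain
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=sjc.redhat.com Security Domain
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Tue Aug 10 11:18:20 PDT 2021
  Not Valid After: Sat Aug 10 11:18:20 PDT 2041

  Serial Number: 0x7
  Subject DN: CN=DRM Transport Certificate,OU=pki-tomcat,O=sjc.redhat.com Security Domain
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=sjc.redhat.com Security Domain
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Tue Aug 10 11:18:29 PDT 2021
  Not Valid After: Mon Jul 31 11:18:29 PDT 2023

  Serial Number: 0x8
  Subject DN: CN=DRM Transport Certificate,OU=pki-tomcat,O=sjc.redhat.com Security Domain
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=sjc.redhat.com Security Domain
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Tue Aug 10 11:18:29 PDT 2021
  Not Valid After: Mon Jul 31 11:18:29 PDT 2023

  Serial Number: 0x9
  Subject DN: CN=DRM Storage Certificate,OU=pki-tomcat,O=sjc.redhat.com Security Domain
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=sjc.redhat.com Security Domain
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Tue Aug 10 11:18:30 PDT 2021
  Not Valid After: Mon Jul 31 11:18:30 PDT 2023

  Serial Number: 0xa
  Subject DN: CN=DRM Storage Certificate,OU=pki-tomcat,O=sjc.redhat.com Security Domain
  Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=sjc.redhat.com Security Domain
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Tue Aug 10 11:18:30 PDT 2021
  Not Valid After: Mon Jul 31 11:18:30 PDT 2023
"""

# Everything the listing shows except the serial number. Two records that
# agree on all of these are one enrollment issued twice; a legitimate
# renewal differs in its validity window and is therefore not flagged.
IDENTITY_FIELDS = ("Subject DN", "Issuer DN", "Key Algorithm",
                   "Not Valid Before", "Not Valid After")
FIELD_RE = re.compile(r"^\s*([A-Za-z #]+?):\s*(.*)$")


def parse_cert_find(text):
    """Return one dict per certificate. A 'Serial Number:' line opens a
    record, later 'Key: Value' lines attach to it, and anything else (the
    'N entries matched' header, rules, blank lines) is ignored."""
    records, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Serial Number":
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def find_duplicate_issuances(records):
    """Map each subject DN that was issued more than once with identical
    listing fields to the serials carrying it, in listing order."""
    groups = defaultdict(list)
    for rec in records:
        identity = tuple(rec.get(f, "") for f in IDENTITY_FIELDS)
        groups[identity].append(rec.get("Serial Number", "?"))
    return {identity[0]: serials
            for identity, serials in groups.items() if len(serials) > 1}


def installation_is_clean(text):
    """The check behind the test instruction in comment 5: True when no
    subject appears twice with the same issuer, key algorithm and validity."""
    return not find_duplicate_issuances(parse_cert_find(text))


if __name__ == "__main__":
    # Pass "-" to read a live listing from stdin; otherwise use the sample.
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_OUTPUT
    duplicates = find_duplicate_issuances(parse_cert_find(text))
    for subject, serials in duplicates.items():
        print(f"DUPLICATE {subject}: serials {', '.join(serials)}")
    sys.exit(1 if duplicates else 0)
```

Run it against a live instance with `pki -c <passwd> -d . -n "<admin cert>" ca-cert-find | python3 check_double_issuance.py -` (the file name is an assumption; `ca-cert-find` pages its output, so raise its size limit if the instance holds more than a screenful of certificates). A non-zero exit means a duplicate was found. Both certificates in each pair are VALID for the same key, so the extra serials it prints are the ones an operator would want to revoke after moving to the fixed build; leaving them in place keeps a second usable credential in the CA's database.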

Comment 14 errata-xmlrpc 2021-11-09 18:39:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (pki-core bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2021:4239