Bug 2196889 - Implement ServerSide KeyGen Password Complexity Checks for pkcs12
Summary: Implement ServerSide KeyGen Password Complexity Checks for pkcs12
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Certificate System
Classification: Red Hat
Component: pki-core
Version: 11.1
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: certsys-10.8
Assignee: Marco Fargetta
QA Contact: idm-cs-qe-bugs
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2023-05-10 16:53 UTC by Chris Zinda
Modified: 2025-06-16 19:05 UTC (History)
CC: 6 users

Fixed In Version: redhat-pki-10-8100020250213180344.f9354743
Doc Type: Enhancement
Doc Text:
Feature: Provide a password policy that enforces quality requirements on the password chosen by the user during enrollment with server-side key generation.

Reason: Required by customers to increase the security of the PKCS12 files (containing the generated certificate and key) that are exchanged.

Result: The new policy is like:

policyset.userCertSet.11.constraint.class_id=p12ExportPasswordConstraintImpl
policyset.userCertSet.11.constraint.name=PKCS12 Password Constraint
policyset.userCertSet.11.constraint.params.password.minSize=20
policyset.userCertSet.11.constraint.params.password.minUpperLetter=2
policyset.userCertSet.11.constraint.params.password.minLowerLetter=2
policyset.userCertSet.11.constraint.params.password.minNumber=2
policyset.userCertSet.11.constraint.params.password.minSpecialChar=2
policyset.userCertSet.11.constraint.params.password.seqLength=4
policyset.userCertSet.11.constraint.params.password.maxRepeatedChar=4
policyset.userCertSet.11.constraint.params.password.cracklibCheck=true
policyset.userCertSet.11.default.class_id=noDefaultImpl
policyset.userCertSet.11.default.name=No Default

Default values for all the password checks can be configured in CS.cfg (using the prefix passwordChecker.*); by default only the minimum size is set, to 8.
Clone Of:
Environment:
Last Closed: 2025-03-31 13:36:04 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2025:3401 0 None None None 2025-03-31 13:36:06 UTC

Description Chris Zinda 2023-05-10 16:53:14 UTC
Description of problem:
Currently, the Red Hat SSKG via the serverKeygenInputImpl and the pkcs12OutputImpl allow for any password to be used for the generated p12 files.  Would like the ability to have a configurable option to force/enforce password complexity requirements for a user-provided password, or the ability to have a strong password generated and provided to the user upon submission to improve the security of the p12s with strong passwords.


Version-Release number of selected component (if applicable):
RHEL 8.x

How reproducible:
Very

Steps to Reproduce:
1. Configure SSKG - https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html/planning_installation_and_deployment_guide/configuration_for_server-side_keygen
2. Test with a password of 1234

Actual results:
Allows pkcs12 to be created with weakened password

Expected results:
Desire a check for password complexity

Additional info:
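As an added illustration, not code from pki-core (the real constraint is the Java class p12ExportPasswordConstraintImpl named in the Doc Text), the following Python models the checks the profile parameters above describe, loading the policy values from the Doc Text and running them against the password 1234 from the reproduction steps. The semantics assumed for seqLength (reject a run of seqLength or more characters with consecutive ascending or descending code points) and maxRepeatedChar (reject more than maxRepeatedChar identical characters in a row) are assumptions, as is the small constructed deny list standing in for cracklib; DEFAULT_POLICY stands in for the CS.cfg passwordChecker.* defaults, with only minSize=8 set as the Doc Text states.

```python
"""Model of the PKCS12 export-password constraint parameters (illustrative only)."""

# Constructed copy of the policy lines quoted in the Doc Text.
PROFILE_LINES = """
policyset.userCertSet.11.constraint.class_id=p12ExportPasswordConstraintImpl
policyset.userCertSet.11.constraint.name=PKCS12 Password Constraint
policyset.userCertSet.11.constraint.params.password.minSize=20
policyset.userCertSet.11.constraint.params.password.minUpperLetter=2
policyset.userCertSet.11.constraint.params.password.minLowerLetter=2
policyset.userCertSet.11.constraint.params.password.minNumber=2
policyset.userCertSet.11.constraint.params.password.minSpecialChar=2
policyset.userCertSet.11.constraint.params.password.seqLength=4
policyset.userCertSet.11.constraint.params.password.maxRepeatedChar=4
policyset.userCertSet.11.constraint.params.password.cracklibCheck=true
policyset.userCertSet.11.default.class_id=noDefaultImpl
policyset.userCertSet.11.default.name=No Default
""".strip().splitlines()

PARAM_PREFIX = "policyset.userCertSet.11.constraint.params.password."

# Stand-in for the CS.cfg passwordChecker.* defaults: only the minimum size (8) is set.
DEFAULT_POLICY = {
    "minSize": 8, "minUpperLetter": 0, "minLowerLetter": 0, "minNumber": 0,
    "minSpecialChar": 0, "seqLength": 0, "maxRepeatedChar": 0, "cracklibCheck": False,
}

# Constructed deny list standing in for a real cracklib dictionary check (assumption).
WEAK_WORDS = {"password", "1234", "12345678", "qwerty", "letmein"}


def load_policy(lines, prefix=PARAM_PREFIX):
    """Overlay the profile's password.* parameters on top of the defaults."""
    policy = dict(DEFAULT_POLICY)
    for line in lines:
        line = line.strip()
        if not line.startswith(prefix) or "=" not in line:
            continue
        key, value = line[len(prefix):].split("=", 1)
        if key == "cracklibCheck":
            policy[key] = value.strip().lower() == "true"
        elif key in policy:
            policy[key] = int(value)
    return policy


def has_sequence(pw, n):
    """True if any window of n characters is a straight ascending/descending run (assumed semantics)."""
    if n <= 0 or len(pw) < n:
        return False
    for i in range(len(pw) - n + 1):
        steps = {ord(pw[i + j + 1]) - ord(pw[i + j]) for j in range(n - 1)}
        if steps == {1} or steps == {-1}:
            return True
    return False


def max_run(pw):
    """Length of the longest run of one repeated character."""
    longest = run = 0
    prev = None
    for ch in pw:
        run = run + 1 if ch == prev else 1
        prev = ch
        longest = max(longest, run)
    return longest


def check_password(pw, policy):
    """Return the list of parameter names the password violates (empty list = accepted)."""
    failures = []
    if len(pw) < policy["minSize"]:
        failures.append("minSize")
    if sum(c.isupper() for c in pw) < policy["minUpperLetter"]:
        failures.append("minUpperLetter")
    if sum(c.islower() for c in pw) < policy["minLowerLetter"]:
        failures.append("minLowerLetter")
    if sum(c.isdigit() for c in pw) < policy["minNumber"]:
        failures.append("minNumber")
    if sum(not c.isalnum() for c in pw) < policy["minSpecialChar"]:
        failures.append("minSpecialChar")
    if has_sequence(pw, policy["seqLength"]):
        failures.append("seqLength")
    if policy["maxRepeatedChar"] > 0 and max_run(pw) > policy["maxRepeatedChar"]:
        failures.append("maxRepeatedChar")
    if policy["cracklibCheck"] and pw.lower() in WEAK_WORDS:
        failures.append("cracklibCheck")
    return failures


if __name__ == "__main__":
    strict = load_policy(PROFILE_LINES)
    for candidate in ("1234", "Kq7#Vm2!xpLz9$Rt4&wB"):
        print(candidate, "->", check_password(candidate, strict) or "accepted")
```

With the profile values from the Doc Text, 1234 trips every check except minNumber and maxRepeatedChar; under the stand-in defaults it fails only minSize, which is why a deployment that wants more than an 8-character floor must set the constraint parameters in the profile (or raise the passwordChecker.* defaults in CS.cfg).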

Comment 1 Ding-Yi Chen 2023-05-14 23:48:32 UTC
The bug is related to RHCS, thus product is set to Red Hat Certificate System

Comment 13 errata-xmlrpc 2025-03-31 13:36:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (CA bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2025:3401

