Bug 441889 - use of certutil in admin guide contains errors and problems.
use of certutil in admin guide contains errors and problems.
Status: CLOSED CURRENTRELEASE
Product: Red Hat Directory Server
Classification: Red Hat
Component: Doc - administration-guide (Show other bugs)
7.1
All Linux
medium Severity low
: ---
: ---
Assigned To: Deon Ballard
Chandrasekar Kannan
: Documentation
Depends On:
Blocks: 249650
  Show dependency treegraph
 
Reported: 2008-04-10 13:27 EDT by Bob Relyea
Modified: 2015-01-04 18:31 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-05-01 18:24:20 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Edited 7.1 HTML files (132.43 KB, text/html)
2008-05-08 19:40 EDT, Deon Ballard
no flags Details
7.1 SSL chapter (92.82 KB, text/html)
2008-05-27 20:14 EDT, Deon Ballard
no flags Details

  None (edit)
Description Bob Relyea 2008-04-10 13:27:01 EDT
Description of problem:

http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1087158

Contains a description on how to generate some certificates, but it has a number
of issues. Nelson points them out below:


beyonddc wrote, On 2008-04-09 09:43:
> > Hi group,
> > 
> > I have some question about certutil.
> > 
> > When you create an individual certificate and add it to a certificate
> > database with the "-S" command, does it also generate key pair for
> > you?

Yes.

> > I'm following the instruction in "Red Hat Directory Server 7.1
> > Administrator Guide" to use certutil to create a self-sign
> > certificate.
> > http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1087158

Ugh!  That section needs to be rewritten, IMO.
Among its problems:
- shows the generation of a "noise" file with little or no entropy.
- reuses that noise file in the generation of multiple keys.
- doesn't explain what to do with the generated CA cert
- doesn't explain that this is for testing only, not for production use.

> > I got very confused in step 5 in the "Using certutil" section in the
> > "RH DS 7.1 Admin Guide" about generating standalone key pair with the
> > "-G" command and then it seems like it is not using it at all
> > afterward because the manual then go on and explain using the "-S"
> > command to create and add self-signed and server certificates.

Yeah, step 5 is a no-op.

> > I just want to have a second eyes to look at the few steps documented
> > in the "RH DS 7.1 Admin Guide" to confirm what I said is correct that
> > step 5 in the "Using certutil" section to generate a key pair with the
> > "-G" command is not necessary.

Right.

Suggestions:

1. Don't use vi (or any text editor) to generate a noise file.
Instead use
> >  dd bs=256 count=1 if=/dev/urandom of=noise

Note: it's not a text file, so drop the .txt suffix

2. Don't re-use noise files.  Run that dd command immediately before each
and every command (such as certutil) that uses the noise file as an input,
to get a fresh noise file.  And rm that file right after it is used once.

3. Export that CA cert (without the private key) to a file, so that it
can be imported into clients who will then trust it as a CA for issuing
SSL server certs.
> >  certutil -L -d . -n "CA certificate" -a -o /tmp/rootcert.pem

4. Import that CA cert into the client and trust it to issue SSL server
certs.  The exact method depends on the client.  For NSS-based clients
it would be something like:

> >  certutil -A -d client-dir -n "CA certificate" -a -t C,, -i /tmp/rootcert.pem

/Nelson
Comment 3 Deon Ballard 2008-05-08 18:06:26 EDT
With the exception of the file and directory locations, can the same procedure
be used for 7.1 as I have in comment #2?
Comment 5 Rich Megginson 2008-05-08 20:57:17 EDT
comment #2
2. get rid of the tmp stuff - use this instead:
"Make a copy of all files in this directory in a safe location e.g. tar cf
/tmp/backup.tar * - in case something goes wrong, you can restore from the backup"
3. pwdfile is not used for key db at server startup - that's what pin.txt is
for.  pwdfile is only used when generating new certs/keys.  Note that both
pwdfile and pin.txt contain the same password (by default) but those two files
have different formats - they cannot be interchanged.
6. should be "Server certificates for other servers" instead of "Server
certificates to for other servers"
Comment 6 Deon Ballard 2008-05-27 20:14:43 EDT
Created attachment 306859 [details]
7.1 SSL chapter

Comment #5: Done for 8.0+. Docbot link:
http://engineering.redhat.com/docbot/en-US/Red_Hat_Directory_Server/8.0/html/Administration_Guide/Managing_SSL-Using_certutil.html


For 7.1, I went back to my 7.1 Frame files, applied some lost bug fixes since
then, and then put in the edits. I can't post it on DocBot (Frame v XML
differences and whatnot), but I've attached the HTML output.
Comment 7 Deon Ballard 2009-02-04 18:26:11 EST
This is live for 7.1 and 8.0 and the changes have been applied to 8.1. I'm changing the status to modified.
Comment 8 Deon Ballard 2009-05-01 18:24:20 EDT
These changes are live in the 8.1 docs at http://www.redhat.com/docs/manuals/dir-server/8.1. Closing.

Note You need to log in before you can comment on or make changes to this bug.