Bug 471622 - Need Renewal feature via enrollment Profile Framework
Product: Dogtag Certificate System
Classification: Community
Component: Certificate Manager
Hardware/OS: All Linux
Priority: high, Severity: medium
Assigned To: Christina Fu
Chandrasekar Kannan
Blocks: 443788
Reported: 2008-11-14 12:55 EST by Christina Fu
Modified: 2015-01-04 18:34 EST (History)
Doc Type: Bug Fix
Last Closed: 2009-07-22 19:30:14 EDT

Attachments
- renewal feature. Phase 1. (56.28 KB, text/plain), 2008-11-14 13:16 EST, Christina Fu
- This allows admins to set grace period for renewal (6.49 KB, text/plain), 2008-11-14 13:19 EST, Christina Fu
- This allows serial number profile input (decimal only) (2.69 KB, text/plain), 2008-11-14 13:21 EST, Christina Fu
- authentication plugin that provides ssl client cert authentication (12.49 KB, text/plain), 2008-11-14 13:23 EST, Christina Fu
- authorization access evaluator that checks auth token against orig cert/req (uid only) (5.56 KB, text/plain), 2008-11-14 13:25 EST, Christina Fu
- directory uid/pwd based renew enrollment profile (416 bytes, text/plain), 2008-11-14 13:41 EST, Christina Fu
- manual renew enrollment (needs to be approved by agent manually) (327 bytes, text/plain), 2008-11-14 13:42 EST, Christina Fu
- enrollment profile that allows renew by ssl client cert (the one to be renewed) (253 bytes, text/plain), 2008-11-14 13:43 EST, Christina Fu
- added revocation check for cert to be renewed (56.88 KB, text/plain), 2008-11-14 19:40 EST, Christina Fu
- phase 1, more cleanup (57.06 KB, text/plain), 2008-11-14 20:36 EST, Christina Fu
- adds "renewal" hidden value to profile (18.85 KB, text/plain), 2008-11-18 15:18 EST, Christina Fu
- spec files changes (3.37 KB, text/plain), 2008-11-18 15:22 EST, Christina Fu

Description Christina Fu 2008-11-14 12:55:28 EST
Description of problem:
There is no renewal feature.  Need to be done via enrollment profile framework.
Comment 1 Christina Fu 2008-11-14 13:16:38 EST
Created attachment 323610 [details]
renewal feature.  Phase 1.

Renewal feature phase 1 diff.  New files will be attached separately.
Comment 2 Christina Fu 2008-11-14 13:19:22 EST
Created attachment 323611 [details]
This allows admins to set grace period for renewal

Comment 3 Christina Fu 2008-11-14 13:21:40 EST
Created attachment 323612 [details]
This allows serial number profile input (decimal only)

Comment 4 Christina Fu 2008-11-14 13:23:39 EST
Created attachment 323613 [details]
authentication plugin that provides ssl client cert authentication

Comment 5 Christina Fu 2008-11-14 13:25:28 EST
Created attachment 323614 [details]
authorization access evaluator that checks auth token against orig cert/req (uid only)

Comment 6 Christina Fu 2008-11-14 13:41:14 EST
Created attachment 323619 [details]
directory uid/pwd based renew enrollment profile

Comment 7 Christina Fu 2008-11-14 13:42:12 EST
Created attachment 323621 [details]
manual renew enrollment (needs to be approved by agent manually)

Comment 8 Christina Fu 2008-11-14 13:43:35 EST
Created attachment 323623 [details]
enrollment profile that allows renew by ssl client cert (the one to be renewed)

Comment 9 Christina Fu 2008-11-14 13:52:47 EST
The attachments are for the phase 1 feature implementation of certificate renewal.

The feature description:
* this is only designed to reuse the keys associated with the certificate to be renewed.  New-key renewal should just go through a new enrollment.
* There are three default renewal profiles that come with this phase 1 implementation:
  1. caSSLClientSelfRenewal - ssl client authentication.  The client cert is the cert that is to be renewed.  This profile is only for certs that can do ssl client authentication.
  2. caDirUserRenewal - directory uid/pwd based authentication.  This is usually to be used by certs that cannot do ssl client authentication.
  3. caManualRenewal - manual request (taking a serial number), and manual approval by an agent.  This is usually used for server cert renewal.

There are some limitations:
* The first 5 certs of a self-signed CA that are crafted during post-installation configuration cannot be renewed currently.  They were created outside of the profile framework, thus require special care.
* The original profile id must exist for the renewal to be allowed.  This inadvertently allows admin to change the profile for the new renewed cert.
* The grace period control is placed with the original profile.  Grace periods containing negative values are considered as no grace period placed.
* The serial number currently can only take decimal numbers.
* The authorization evaluator can only evaluate uid equivalence.  So, if the subjectdn does not contain a uid component or the original cert request was not authenticated via uid, then we are out of luck.  The authorization, however, is placed with the renewal profiles, so there is a choice to turn it off.
* There may be more and will be listed when they come to mind.
Comment 10 Christina Fu 2008-11-14 13:53:13 EST
awnuk. please review
Comment 11 Christina Fu 2008-11-14 19:40:37 EST
Created attachment 323672 [details]
added revocation check for cert to be renewed
Comment 12 Christina Fu 2008-11-14 19:49:49 EST
adding to the list of feature description:
* the ldap based and manual renewal are also useful for ssl client certs that have expired and are not allowed to do ssl client authentication.

adding to the limitation list:
* only two default profiles (caUserCert.cfg and caDirUserCert.cfg) get the example of grace period constraint.  Admins should be advised to add their own.  By default, if no grace period is specified, it is treated as no constraint in that respect.
* profile id in request showing only the orig profileid (not the actual renew profile id) doesn't show "renew" status
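The checks that comments 9, 11 and 12 describe (decimal-only serial input, a grace-period constraint held on the original profile where negative or absent values mean no constraint, a revocation check on the cert being renewed, and an authorization evaluator that only compares uids) can be modelled as one small validation pipeline. The block below is an added example written for this page, not Dogtag code from the attachments; the day-based grace window, the `grace_before`/`grace_after` key names, the `CertRecord` shape and the sample certificates are all constructed assumptions.

```python
"""Model of the phase-1 renewal checks described in this bug.

Added example, not Dogtag code. Assumptions: the grace window is expressed
in days before/after notAfter under the keys grace_before / grace_after,
and a CertRecord stands in for the CA's issued-cert record.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional


@dataclass
class CertRecord:
    """The fields of an issued cert that the renewal checks consult (assumed shape)."""
    serial: int
    subject_dn: str
    not_after: datetime
    profile_id: str          # profile the cert was originally enrolled with
    revoked: bool = False


def parse_serial(text: str) -> int:
    """Phase 1 accepts decimal serial numbers only; hex and other forms are rejected."""
    s = text.strip()
    if not s.isdigit():
        raise ValueError(f"serial number must be decimal digits, got {text!r}")
    return int(s)


def dn_attr(dn: str, attr: str) -> Optional[str]:
    """Return the first value of `attr` in a comma-separated DN, or None if absent."""
    for rdn in dn.split(","):
        if "=" in rdn:
            key, value = rdn.split("=", 1)
            if key.strip().lower() == attr.lower():
                return value.strip()
    return None


def within_grace(now: datetime, not_after: datetime,
                 grace_before: Optional[int], grace_after: Optional[int]) -> bool:
    """Grace window in days around notAfter; a side that is None or negative is unconstrained."""
    if grace_before is not None and grace_before >= 0:
        if now < not_after - timedelta(days=grace_before):
            return False          # too early to renew
    if grace_after is not None and grace_after >= 0:
        if now > not_after + timedelta(days=grace_after):
            return False          # expired too long ago
    return True


def check_renewal(serial_text: str, auth_uid: str, certs: Dict[int, CertRecord],
                  profiles: Dict[str, dict], now: datetime,
                  authz_enabled: bool = True) -> str:
    """Run the phase-1 checks in order; return 'approved' or a 'denied: ...' reason."""
    cert = certs.get(parse_serial(serial_text))
    if cert is None:
        return "denied: unknown serial"
    if cert.revoked:
        return "denied: certificate revoked"
    profile = profiles.get(cert.profile_id)
    if profile is None:
        return "denied: original profile not found"   # original profile id must still exist
    if not within_grace(now, cert.not_after,
                        profile.get("grace_before"), profile.get("grace_after")):
        return "denied: outside renewal grace period"
    if authz_enabled:                                  # evaluator sits on the renewal profile
        cert_uid = dn_attr(cert.subject_dn, "uid")
        if cert_uid is None or cert_uid != auth_uid:   # no uid in subject DN: "out of luck"
            return "denied: uid mismatch"
    return "approved"


def sample_data():
    """Constructed sample CA state for demonstration (not real certificates)."""
    now = datetime(2008, 11, 14)
    certs = {
        1001: CertRecord(1001, "UID=alice,OU=people,O=example", datetime(2008, 12, 1), "caUserCert"),
        1002: CertRecord(1002, "UID=bob,OU=people,O=example", datetime(2008, 6, 1), "caUserCert"),
        1003: CertRecord(1003, "UID=carol,OU=people,O=example", datetime(2008, 12, 1), "caUserCert", revoked=True),
        1004: CertRecord(1004, "CN=www.example.test,O=example", datetime(2008, 12, 1), "caServerCert"),
        1005: CertRecord(1005, "UID=dave,OU=people,O=example", datetime(2008, 12, 1), "caRetiredProfile"),
    }
    profiles = {
        "caUserCert": {"grace_before": 30, "grace_after": 30},  # 30 days either side of expiry
        "caServerCert": {},                                      # no grace constraint configured
    }
    return certs, profiles, now


if __name__ == "__main__":
    certs, profiles, now = sample_data()
    for serial, uid in [("1001", "alice"), ("1001", "mallory"), ("1002", "bob"),
                        ("1003", "carol"), ("1004", "anyone"), ("1005", "dave")]:
        print(serial, uid, "->", check_renewal(serial, uid, certs, profiles, now))
```

The order of the checks mirrors the limitations listed above: the original profile must still exist before its grace setting can be read, the grace constraint comes from the original profile while the uid authorization comes from the renewal profile (so it can be switched off with `authz_enabled=False`, as a server-cert renewal without a uid in the subject would require), and a revoked certificate is rejected before any of that.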
Comment 13 Christina Fu 2008-11-14 20:36:00 EST
Created attachment 323674 [details]
phase 1, more cleanup

since Andrew has not started the review, I am sneaking in more cleanup.
Comment 14 Christina Fu 2008-11-14 20:37:25 EST
(In reply to comment #12)

> *profile id in request showing only the orig profileid (not the actual renew
> profile id) doesn't show "renew" status

The second part should read "doesn't show "renewal" for request type; instead, it shows "enrollment."  This makes it not possible to search for request type.
Comment 15 Christina Fu 2008-11-18 15:18:04 EST
Created attachment 323955 [details]
adds "renewal" hidden value to profile

Comment 16 Christina Fu 2008-11-18 15:22:59 EST
Created attachment 323958 [details]
spec files changes

diff files for:

Comment 17 Christina Fu 2008-11-18 18:49:33 EST
[cfu@jaw src6]$ svn add pki/base/common/src/com/netscape/cms/profile/constraint/RenewGracePeriodConstraint.java 
A         pki/base/common/src/com/netscape/cms/profile/constraint/RenewGracePeriodConstraint.java
[cfu@jaw src6]$ svn add pki/base/common/src/com/netscape/cms/profile/constraint/RenewGracePeriodConstraint.java 
[cfu@jaw src6]$ svn add pki/base/common/src/com/netscape/cms/profile/input/SerialNumRenewInput.java
A         pki/base/common/src/com/netscape/cms/profile/input/SerialNumRenewInput.java
[cfu@jaw src6]$ svn add pki/base/common/src/com/netscape/cms/authentication/SSLclientCertAuthentication.java
A         pki/base/common/src/com/netscape/cms/authentication/SSLclientCertAuthentication.java
[cfu@jaw src6]$ svn add pki/base/common/src/com/netscape/cms/evaluators/UserOrigReqAccessEvaluator.java
A         pki/base/common/src/com/netscape/cms/evaluators/UserOrigReqAccessEvaluator.java
[cfu@jaw src6]$ svn add pki/base/ca/shared/profiles/ca/caDirUserRenewal.cfg
A         pki/base/ca/shared/profiles/ca/caDirUserRenewal.cfg
[cfu@jaw src6]$ svn add pki/base/ca/shared/profiles/ca/caManualRenewal.cfg
A         pki/base/ca/shared/profiles/ca/caManualRenewal.cfg
[cfu@jaw src6]$ svn add pki/base/ca/shared/profiles/ca/caSSLClientSelfRenewal.cfg
A         pki/base/ca/shared/profiles/ca/caSSLClientSelfRenewal.cfg

[cfu@jaw src6]$ cd pki
[cfu@jaw pki]$ svn status
?      linux/linux.diff
M      linux/ca/pki-ca.spec
?      linux/scripts/typescript.build_pki2
?      linux/scripts/typescript.build_pki3
?      linux/scripts/typescript.build_pki4
?      linux/scripts/typescript.build_pki5
?      linux/scripts/typescript.prepare_pki
?      linux/scripts/typescript.build_pki
M      linux/common/pki-common.spec
M      linux/ca-ui/shared/webapps/ca/ee/ca/ProfileSelect.template
M      linux/ca-ui/pki-ca-ui.spec
M      base/ca/shared/profiles/ca/caDirUserCert.cfg
A      base/ca/shared/profiles/ca/caDirUserRenewal.cfg
A      base/ca/shared/profiles/ca/caManualRenewal.cfg
M      base/ca/shared/profiles/ca/caUserCert.cfg
A      base/ca/shared/profiles/ca/caSSLClientSelfRenewal.cfg
M      base/ca/shared/conf/CS.cfg
M      base/ca/shared/conf/registry.cfg
M      base/common/src/UserMessages_en.properties
A      base/common/src/com/netscape/cms/authentication/SSLclientCertAuthentication.java
M      base/common/src/com/netscape/cms/servlet/profile/ProfileSelectServlet.java
M      base/common/src/com/netscape/cms/servlet/profile/ProfileServlet.java
M      base/common/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java
M      base/common/src/com/netscape/cms/evaluators/GroupAccessEvaluator.java
M      base/common/src/com/netscape/cms/evaluators/UserAccessEvaluator.java
A      base/common/src/com/netscape/cms/evaluators/UserOrigReqAccessEvaluator.java
A      base/common/src/com/netscape/cms/profile/input/SerialNumRenewInput.java
M      base/common/src/com/netscape/cms/profile/constraint/SubjectNameConstraint.java
A      base/common/src/com/netscape/cms/profile/constraint/RenewGracePeriodConstraint.java
M      base/common/src/com/netscape/cms/profile/common/BasicProfile.java
M      base/common/src/com/netscape/cms/profile/common/EnrollProfile.java
M      base/common/src/com/netscape/cms/profile/def/SubjectNameDefault.java
M      base/common/src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java
M      base/common/src/com/netscape/certsrv/profile/IProfile.java
[cfu@jaw pki]$ svn update
At revision 140.
[cfu@jaw pki]$ svn commit
Sending        base/ca/shared/conf/CS.cfg
Sending        base/ca/shared/conf/registry.cfg
Sending        base/ca/shared/profiles/ca/caDirUserCert.cfg
Adding         base/ca/shared/profiles/ca/caDirUserRenewal.cfg
Adding         base/ca/shared/profiles/ca/caManualRenewal.cfg
Adding         base/ca/shared/profiles/ca/caSSLClientSelfRenewal.cfg
Sending        base/ca/shared/profiles/ca/caUserCert.cfg
Sending        base/common/src/UserMessages_en.properties
Sending        base/common/src/com/netscape/certsrv/profile/IProfile.java
Adding         base/common/src/com/netscape/cms/authentication/SSLclientCertAuthentication.java
Sending        base/common/src/com/netscape/cms/evaluators/GroupAccessEvaluator.java
Sending        base/common/src/com/netscape/cms/evaluators/UserAccessEvaluator.java
Adding         base/common/src/com/netscape/cms/evaluators/UserOrigReqAccessEvaluator.java
Sending        base/common/src/com/netscape/cms/profile/common/BasicProfile.java
Sending        base/common/src/com/netscape/cms/profile/common/EnrollProfile.java
Adding         base/common/src/com/netscape/cms/profile/constraint/RenewGracePeriodConstraint.java
Sending        base/common/src/com/netscape/cms/profile/constraint/SubjectNameConstraint.java
Sending        base/common/src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java
Sending        base/common/src/com/netscape/cms/profile/def/SubjectNameDefault.java
Adding         base/common/src/com/netscape/cms/profile/input/SerialNumRenewInput.java
Sending        base/common/src/com/netscape/cms/servlet/profile/ProfileSelectServlet.java
Sending        base/common/src/com/netscape/cms/servlet/profile/ProfileServlet.java
Sending        base/common/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java
Sending        linux/ca/pki-ca.spec
Sending        linux/ca-ui/pki-ca-ui.spec
Sending        linux/ca-ui/shared/webapps/ca/ee/ca/ProfileSelect.template
Sending        linux/common/pki-common.spec
Transmitting file data ...........................
Committed revision 141.
Comment 18 Andrew Wnuk 2008-11-19 14:50:23 EST
attachment (id=323611)
attachment (id=323612)
attachment (id=323613)
attachment (id=323614)
attachment (id=323619)
attachment (id=323621)
attachment (id=323623)
attachment (id=323674)
attachment (id=323958)
Comment 20 Asha Akkiangady 2009-06-14 21:16:59 EDT

Enrollment profile framework has 3 ways of renewing: self renew by user ssl client cert, ldap based self renew and manual renewal.
