Steps that I used to reproduce:
- yum install pki-ca
- configure the ca instance. Get the default admin/agent cert.
- this user is called 'admin'
- request/issue a couple of certs. ProfileReview page when approving the cert says "Approved By: admin" which is correct.
- go to pkiconsole, add a new user: ckannan. Add user to group "Certificate Manager Agents"
- go to the ca ee page and request a cert for ckannan. Approve it.
- Import certificate via pkiconsole for 'ckannan'.
- open another tab and request a new test cert.
- relaunch browser and authenticate to the CA agent page with 'ckannan' cert.
- try to approve this cert. Profile Review page shows "approved by: admin".

Seems like admin is hard coded, which is not the expected behaviour. Should show the other agent's name, such as "Approved by: ckannan".
[08/Jun/2009:13:05:38][http-9443-Processor16]: CMSServlet:service() uri = /ca/agent/ca/listRequests.html
[08/Jun/2009:13:05:38][http-9443-Processor16]: CMSServlet: caListRequests start to service.
[08/Jun/2009:13:05:38][http-9443-Processor16]: DisplayHtmlServlet about to service
[08/Jun/2009:13:05:38][http-9443-Processor16]: IP: 10.14.52.236
[08/Jun/2009:13:05:38][http-9443-Processor16]: AuthMgrName: certUserDBAuthMgr
[08/Jun/2009:13:05:38][http-9443-Processor16]: CMSServlet: retrieving SSL certificate
[08/Jun/2009:13:05:38][http-9443-Processor16]: CMSServlet: certUID=UID=ckannan,E=ckannan,CN=Chandrasekar Kannan,O=Red Hat,C=US
[08/Jun/2009:13:05:38][http-9443-Processor16]: CertUserDBAuth: started
[08/Jun/2009:13:05:38][http-9443-Processor16]: CertUserDBAuth: Retrieving client certificate
[08/Jun/2009:13:05:38][http-9443-Processor16]: CertUserDBAuth: Got client certificate
[08/Jun/2009:13:05:38][http-9443-Processor16]: Authentication: client certificate found
[08/Jun/2009:13:05:38][http-9443-Processor16]: getConn: mNumConns now 14
[08/Jun/2009:13:05:38][http-9443-Processor16]: returnConn: mNumConns now 15
[08/Jun/2009:13:05:38][http-9443-Processor16]: Authentication: mapped certificate to user
[08/Jun/2009:13:05:38][http-9443-Processor16]: authenticated uid=ckannan,ou=People,dc=sigma.dsdev.sjc.redhat.com-pki-ca
[08/Jun/2009:13:05:38][http-9443-Processor16]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_SUCCESS][SubjectID=ckannan][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
[08/Jun/2009:13:05:38][http-9443-Processor16]: CMSServlet: curDate=Mon Jun 08 13:05:38 PDT 2009 id=caListRequests time=2
-------------
[08/Jun/2009:13:06:48][http-9443-Processor8]: CMSServlet: curDate=Mon Jun 08 13:06:48 PDT 2009 id=caqueryReq time=22
[08/Jun/2009:13:06:50][http-9443-Processor14]: CMSServlet:service() uri = /ca/agent/ca/profileReview
[08/Jun/2009:13:06:50][http-9443-Processor14]: CMSServlet::service() param name='requestId' value='79980'
[08/Jun/2009:13:06:50][http-9443-Processor14]: CMSServlet: caProfileReview start to service.
[08/Jun/2009:13:06:50][http-9443-Processor14]: ProfileReviewServlet: start serving
[08/Jun/2009:13:06:50][http-9443-Processor14]: IP: 10.14.52.236
[08/Jun/2009:13:06:50][http-9443-Processor14]: AuthMgrName: certUserDBAuthMgr
[08/Jun/2009:13:06:50][http-9443-Processor14]: CMSServlet: retrieving SSL certificate
[08/Jun/2009:13:06:50][http-9443-Processor14]: CMSServlet: certUID=UID=ckannan,E=ckannan,CN=Chandrasekar Kannan,O=Red Hat,C=US
[08/Jun/2009:13:06:50][http-9443-Processor14]: CertUserDBAuth: started
[08/Jun/2009:13:06:50][http-9443-Processor14]: CertUserDBAuth: Retrieving client certificate
[08/Jun/2009:13:06:50][http-9443-Processor14]: CertUserDBAuth: Got client certificate
[08/Jun/2009:13:06:50][http-9443-Processor14]: Authentication: client certificate found
[08/Jun/2009:13:06:50][http-9443-Processor14]: getConn: mNumConns now 14
[08/Jun/2009:13:06:50][http-9443-Processor14]: returnConn: mNumConns now 15
[08/Jun/2009:13:06:50][http-9443-Processor14]: Authentication: mapped certificate to user
[08/Jun/2009:13:06:50][http-9443-Processor14]: authenticated uid=ckannan,ou=People,dc=sigma.dsdev.sjc.redhat.com-pki-ca
[08/Jun/2009:13:06:50][http-9443-Processor14]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_SUCCESS][SubjectID=ckannan][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
[08/Jun/2009:13:06:50][http-9443-Processor14]: checkACLS(): ACLEntry expressions= group="Certificate Manager Agents"
[08/Jun/2009:13:06:50][http-9443-Processor14]: evaluating expressions: group="Certificate Manager Agents"
[08/Jun/2009:13:06:50][http-9443-Processor14]: getConn: mNumConns now 14
[08/Jun/2009:13:06:50][http-9443-Processor14]: returnConn: mNumConns now 15
[08/Jun/2009:13:06:50][http-9443-Processor14]: UGSubsystem.isMemberOf() using new lookup code
[08/Jun/2009:13:06:50][http-9443-Processor14]: getConn: mNumConns now 14
[08/Jun/2009:13:06:50][http-9443-Processor14]: authorization search base: cn=Certificate Manager Agents,ou=groups,dc=sigma.dsdev.sjc.redhat.com-pki-ca
[08/Jun/2009:13:06:50][http-9443-Processor14]: authorization search filter: (uniquemember=uid=ckannan,ou=People,dc=sigma.dsdev.sjc.redhat.com-pki-ca)
[08/Jun/2009:13:06:50][http-9443-Processor14]: authorization result: true
[08/Jun/2009:13:06:50][http-9443-Processor14]: returnConn: mNumConns now 15
[08/Jun/2009:13:06:50][http-9443-Processor14]: evaluated expression: group="Certificate Manager Agents" to be true
[08/Jun/2009:13:06:50][http-9443-Processor14]: DirAclAuthz: authorization passed
[08/Jun/2009:13:06:50][http-9443-Processor14]: SignedAuditEventFactory: create() message=[AuditEvent=AUTHZ_SUCCESS][SubjectID=ckannan][Outcome=Success][aclResource=certServer.ca.request.profile][Op=read] authorization success
[08/Jun/2009:13:06:50][http-9443-Processor14]: getConn: mNumConns now 14
[08/Jun/2009:13:06:50][http-9443-Processor14]: returnConn: mNumConns now 15
[08/Jun/2009:13:06:50][http-9443-Processor14]: SignedAuditEventFactory: create() message=[AuditEvent=ROLE_ASSUME][SubjectID=ckannan][Outcome=Success][Role=Certificate Manager Agents] assume privileged role
[08/Jun/2009:13:06:50][http-9443-Processor14]: ProfileReviewServlet: SubId=profile
[08/Jun/2009:13:06:50][http-9443-Processor14]: ProfileReviewServlet: requestId=79980
[08/Jun/2009:13:06:50][http-9443-Processor14]: getConn: mNumConns now 14
[08/Jun/2009:13:06:50][http-9443-Processor14]: returnConn: mNumConns now 15
[08/Jun/2009:13:06:50][http-9443-Processor14]: ProfileReviewServlet: requestId=79980 profileId=caUserCert
[08/Jun/2009:13:06:50][http-9443-Processor14]: ProfileReviewServlet: profileSetId=userCertSet
[08/Jun/2009:13:06:50][http-9443-Processor14]: AuthInfoAccess num=5
[08/Jun/2009:13:06:50][http-9443-Processor14]: SubjectAltNameExtDefault: createExtension i=0
[08/Jun/2009:13:06:50][http-9443-Processor14]: gname is empty, not added
[08/Jun/2009:13:06:50][http-9443-Processor14]: count is 0
[08/Jun/2009:13:06:50][http-9443-Processor14]: SubjectAltNameExtDefault: populate sees no extension. get out
[08/Jun/2009:13:06:50][http-9443-Processor14]: SubjectAltNameExtDefault: createExtension i=0
[08/Jun/2009:13:06:50][http-9443-Processor14]: gname is empty, not added
[08/Jun/2009:13:06:50][http-9443-Processor14]: count is 0
[08/Jun/2009:13:06:50][http-9443-Processor14]: SubjectAltNameExtDefault: populate sees no extension. get out
[08/Jun/2009:13:06:50][http-9443-Processor14]: CMSServlet: curDate=Mon Jun 08 13:06:50 PDT 2009 id=caProfileReview time=11
-----------------
Certificate Profile Information
Certificate Profile Id: caUserCert
Approved By: admin
Certificate Profile Name: Manual User Dual-Use Certificate Enrollment
Certificate Profile Description: This certificate profile is for enrolling user certificates.
----------------
0x0000006a issued for 'agent2' by 'admin' with caUserCert
0x0000006b issued for 'aaa' by 'agent2' with caUserCert
0x0000006c issued for 'xxx' by 'system' with caDirUserCert

I do not see all certificates being issued by admin only. Here is a corresponding certificate list:

Serial number: 0x0000006a
Subject name: UID=agent2
Version: 3
Certificate Type: X.509
Subject public key algorithm: PKCS #1 RSA with 2048-bit key
Not valid before: 6/8/2009 15:09:37
Not valid after: 12/5/2009 14:09:37
Issued on: 6/8/2009 15:09:50
Issued by: admin

Serial number: 0x0000006b
Subject name: UID=aaa
Version: 3
Certificate Type: X.509
Subject public key algorithm: PKCS #1 RSA with 512-bit key
Not valid before: 6/8/2009 15:11:37
Not valid after: 12/5/2009 14:11:37
Issued on: 6/8/2009 15:11:54
Issued by: agent2

Serial number: 0x0000006c
Subject name: UID=xxx, OU=People, DC=sjc, DC=redhat, DC=com
Version: 3
Certificate Type: X.509
Subject public key algorithm: PKCS #1 RSA with 512-bit key
Not valid before: 6/8/2009 15:13:41
Not valid after: 12/5/2009 14:13:41
Issued on: 6/8/2009 15:13:41
Issued by: system
Haven't been able to reproduce this myself. Closing bug.
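
Added example, not part of the original report or of the project's code: a small Python check that reads debug-log lines in the format quoted above, ties each profileReview request to the SubjectID recorded in its AUTH_SUCCESS audit event, and flags requests where the name shown as "Approved By" differs. The function names are hypothetical, the sample lines are constructed from the quoted log, and the displayed names are assumed to be collected by hand from the review page.

```python
import re

# Constructed sample: a few lines in the format of the debug log quoted in the report.
SAMPLE_LOG = """\
[08/Jun/2009:13:06:50][http-9443-Processor14]: CMSServlet:service() uri = /ca/agent/ca/profileReview
[08/Jun/2009:13:06:50][http-9443-Processor14]: CMSServlet::service() param name='requestId' value='79980'
[08/Jun/2009:13:06:50][http-9443-Processor14]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_SUCCESS][SubjectID=ckannan][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
[08/Jun/2009:13:06:50][http-9443-Processor14]: SignedAuditEventFactory: create() message=[AuditEvent=ROLE_ASSUME][SubjectID=ckannan][Outcome=Success][Role=Certificate Manager Agents] assume privileged role
[08/Jun/2009:13:05:38][http-9443-Processor16]: CMSServlet:service() uri = /ca/agent/ca/listRequests.html
[08/Jun/2009:13:05:38][http-9443-Processor16]: SignedAuditEventFactory: create() message=[AuditEvent=AUTH_SUCCESS][SubjectID=ckannan][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]: (?P<msg>.*)$")
URI = re.compile(r"CMSServlet:service\(\) uri = (\S+)")
PARAM = re.compile(r"param name='requestId' value='([^']*)'")
FIELD = re.compile(r"\[(\w+)=([^\]]*)\]")

def review_subjects(log_text):
    """Return {requestId: SubjectID} for profileReview requests, tracked per thread."""
    current = {}   # thread name -> state of the request that thread is serving
    result = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        thread, msg = m["thread"], m["msg"]
        if (u := URI.search(msg)):
            # A new "uri =" line starts a new request; worker threads are reused.
            current[thread] = {"uri": u.group(1), "request_id": None}
        elif (p := PARAM.search(msg)) and thread in current:
            current[thread]["request_id"] = p.group(1)
        elif "message=[AuditEvent=" in msg and thread in current:
            fields = dict(FIELD.findall(msg))
            state = current[thread]
            if (fields.get("AuditEvent") == "AUTH_SUCCESS"
                    and state["uri"].endswith("/profileReview")
                    and state["request_id"]):
                result[state["request_id"]] = fields["SubjectID"]
    return result

def attribution_mismatches(log_text, displayed):
    """displayed: {requestId: name shown as 'Approved By'}; return disagreements."""
    seen = review_subjects(log_text)
    return {rid: (seen[rid], shown) for rid, shown in displayed.items()
            if rid in seen and seen[rid] != shown}
```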