Bug 654434 - Admin certificate validation is not verifying the cert against the CA
Status: CLOSED NOTABUG
Alias: None
Product: Pulp
Classification: Retired
Component: z_other
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: ---
Assignee: Jeff Ortel
QA Contact: Preethi Thomas
Reported: 2010-11-17 20:58 UTC by Jay Dobies
Modified: 2011-07-15 19:37 UTC

Doc Type: Bug Fix
Last Closed: 2010-11-17 21:05:50 UTC


Description Jay Dobies 2010-11-17 20:58:59 UTC
I was able to sign an admin (read: user) certificate with my own CA and have pulp accept it.

Relevant snippet from the admin certificate that was given to me by pulp:

Issuer: CN=localhost

Relevant snippet from my self-signed certificate:

Issuer: C=US, ST=New Jersey, L=Mickleton, O=Red Hat, OU=Cloud Enablement, CN=redhat.com

The CA information in /etc/pki/pulp/ca.crt:

Subject: CN=localhost

Using my self-signed certificate, I'm able to make commands against the pulp server:

# Show that the admin certificate is the one I signed:
 -> openssl x509 -text -in ~/.pulp/admin-cert.crt | head -6
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=New Jersey, L=Mickleton, O=Red Hat, OU=Cloud Enablement, CN=redhat.com

# Make a command against pulp, which will use that certificate:
 -> sudo pulp-admin repo list
No repositories available to list


In my /etc/http/conf.d/pulp.conf:

# Example ssl cert and key files to get you started.
# This MUST match /etc/pulp/pulp.conf [security] 'cacert'.
SSLCACertificateFile /etc/pki/pulp/ca.crt

Comment 1 Jay Dobies 2010-11-17 21:05:50 UTC
Closing as not a bug. I didn't realize we renamed the client's certificate to user-cert.pem and was doing my test against admin-cert.pem.
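
One way to confirm which certificate file actually verifies against the server's CA, as an added example that is not part of the original report or of Pulp's code. It builds constructed test CAs and client certificates with openssl and checks each with `openssl verify`, including a CA that reuses the subject CN=localhost with a different key; the function and file names are assumptions.

```shell
#!/bin/sh
# Added example. Every key and certificate here is constructed, throwaway test data.

# issued_by_ca CA_FILE CERT_FILE: succeed only if CERT_FILE verifies against CA_FILE.
# This checks the signature, not just whether the Issuer string matches.
issued_by_ca() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# make_ca DIR NAME SUBJECT: create a self-signed CA key and certificate.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$3" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# make_client DIR NAME CA_NAME: create a client certificate signed by CA_NAME.
make_client() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=admin" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.crt" -CAkey "$1/$3.key" \
        -set_serial 2 -days 1 -out "$1/$2.crt" 2>/dev/null
}

# run_demo: print one "name: accepted|rejected" line per client certificate.
run_demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" server-ca "/CN=localhost"                 # stands in for ca.crt
    make_ca "$d" other-ca "/O=Example/CN=other-ca.example" # unrelated CA
    make_ca "$d" samename-ca "/CN=localhost"               # same subject, different key
    make_client "$d" issued server-ca
    make_client "$d" foreign other-ca
    make_client "$d" samename samename-ca
    for c in issued foreign samename; do
        if issued_by_ca "$d/server-ca.crt" "$d/$c.crt"; then
            echo "$c: accepted"
        else
            echo "$c: rejected"
        fi
    done
    rm -rf "$d"
}

run_demo
```

Running the same `issued_by_ca` check against each certificate file a client might load shows which one the server-side CA would actually accept.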

