RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 767700 - [RFE] add option to have certmonger add IPA CA cert to NSS database
Summary: [RFE] add option to have certmonger add IPA CA cert to NSS database
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: certmonger
Version: 7.0
Hardware: Unspecified
OS: Unspecified
medium
unspecified
Target Milestone: rc
: 7.1
Assignee: Nalin Dahyabhai
QA Contact: Namita Soman
URL:
Whiteboard:
: 817405 (view as bug list)
Depends On: 759545 817405 1107766
Blocks: 1098208 1113520 1134518
TreeView+ depends on / blocked
 
Reported: 2011-12-14 16:57 UTC by Dmitri Pal
Modified: 2015-03-05 10:02 UTC (History)
8 users (show)

Fixed In Version: certmonger-0.75.14-1.el7
Doc Type: Enhancement
Doc Text:
Feature: The certmonger service now supports retrieving an IPA's CA's root certificate, and can optionally be directed to store that certificate in a specified location. Reason: While certmonger can be used to obtain and store a service's certificate in a specified location, no support has previously been provided for doing the same for the issuer of that service's certificate. Result: When requesting a certificate, the service can now be instructed to store not only the issued certificate in the designated location, but the issuer's certificate as well.
Clone Of: 759545
: 1098208 1134518 (view as bug list)
Environment:
Last Closed: 2015-03-05 10:02:00 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:0437 0 normal SHIPPED_LIVE certmonger bug fix and enhancement update 2015-03-05 14:38:29 UTC

Description Dmitri Pal 2011-12-14 16:57:09 UTC 
+++ This bug was initially created as a clone of Bug #759545 +++

Description of problem:

It would be handy if ipa-getcert could have a option to fetch and install the IPA CA certificate into an NSS database when issuing a request.

This CA cert should be available locally in /etc/ipa/ca.crt for enrolled hosts or on the IPA server in /ipa/config/ca.crt (can be retrieved over HTTP).

--- Additional comment from nalin on 2011-12-02 15:02:15 EST ---

What would be the expected behavior in cases when the certificate and private key for a request were being stored in a flat file?

Most of the time the IPA CA certificate doesn't contain a friendlyName extension, so ipa-getcert would need to be told where the database is and which nickname to set for the CA certificate in the database.  At that point, what's the advantage of having ipa-getcert or certmonger do it instead of running certutil?

--- Additional comment from rcritten on 2011-12-02 15:27:35 EST ---

This would be for NSS databases only, flat file users are on their own.

The nickname format is '$REALM IPA CA'

ipa-getcert should already know the database location, right?

I think requested advantage is saving the user a step

You may be able to get away with documenting this in the man page.

--- Additional comment from dpal on 2011-12-03 13:17:25 EST ---

If it saves the step - great. Seems like an improvement to me that will save people time.
Comment 1 RHEL Program Management 2012-07-10 08:16:35 UTC 
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 2 RHEL Program Management 2012-07-10 23:08:49 UTC 
This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development.  This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.
Comment 3 Jenny Severance 2012-07-17 14:48:30 UTC 
moving bug to target 7.0, if will be writing CA certs to another location as trusted, needs to be an authenticated action.
Comment 4 Rob Crittenden 2012-07-17 15:29:39 UTC 
Generally authentication is only needed when managing private keys in an NSS database, not adding certificates.
Comment 5 Nalin Dahyabhai 2012-07-17 15:55:46 UTC 
This RFE could use some fleshing out.

Which database would the IPA CA certificate be saved to?
Which trust flags should it be setting in the database for the certificate?
Would it be just one database, or would there be multiple locations?
Would certmonger be retrieving the root certificate from the server, or reading it from a specified location on the local filesystem?

(In reply to comment #4)
> Generally authentication is only needed when managing private keys in an NSS
> database, not adding certificates.

That certificate, because we're putting trust in it, needs to have been retrieved over an authenticated path.  I'm really uncomfortable with the idea of adding it to the set of trusted certificates in a given database when I know that this hasn't been guaranteed.
Comment 6 Rob Crittenden 2012-07-17 17:44:06 UTC 
1. It would save it to whichever database certmonger is tracking a server cert for.
2. Good question, probably should not be hardcoded. I guess a reasonable default for an IPA world is CT,,C
3. I think it would be a per-tracking basis. This might make for either extra work or extra complexity (or both).
4. This is something I think could be hardcoded for some modicum of protection, /etc/ipa/ca.crt. On all clients and servers that should represent the IPA CA.
Comment 7 Nalin Dahyabhai 2012-07-17 17:58:18 UTC 
(In reply to comment #6)
> 1. It would save it to whichever database certmonger is tracking a server
> cert for.

Ah, so your intent is to have the CA's certificate stored in the same database as the newly-obtained certificate, as a side-effect, when we go to save the newly-obtained certificate.  That wasn't clear before.

> 2. Good question, probably should not be hardcoded. I guess a reasonable
> default for an IPA world is CT,,C

I see CT,C,C used in /etc/httpd.conf in IPA 2.2.  Is this 

> 3. I think it would be a per-tracking basis. This might make for either
> extra work or extra complexity (or both).

Hmm... maybe.  I was thinking of the complexity we'd have to cope with if the list of locations was tracked on a per-CA basis, not on a side-effect-of-a-per-request basis.

> 4. This is something I think could be hardcoded for some modicum of
> protection, /etc/ipa/ca.crt. On all clients and servers that should
> represent the IPA CA.

If we look ahead to the point when the CA's own certificate is replaced, I think that we're going to want to be able to have certmonger update the copy in that location as well.  That leaves open the question of what location certmonger should look to as the definitive source for the certificate.
Comment 8 Rob Crittenden 2012-07-17 18:04:54 UTC 
The use case is this: you have an IPA client machine and you want to run an SSL service on it. You can use certmonger to automatically get a certificate for you, which once installed won't actually work because you lack the CA to go with it, so it's a two-step process. The request was to make it one-stop-shopping.

The middle tuple is S/MIME which may be overkill (heck, even object-signing is a bit of a stretch). It doesn't hurt though, CT,C,C is fine.

When we requested this it was in the scope of IPA so there was only one CA to consider. I think tracking the CA per request is probably fine, you just need a way to resolve if two requests are from the same database. You can't assume they have the same CA. But installing the same CA twice should be fine (a no-op, really).

Fetching the CA remotely is a bit of a chicken-and-egg problem. We do publish a non-secured copy of it in IPA, but the question is: is it trustworthy? We've decided it is, esp since we use it right after we request it and therefore confirm that it is the right one.

NSS has some validation routines, you could probably use one of those to confirm that the cert chain remains unbroken for the cert you already have. I suspect that openssl probably has equivalent calls.
Comment 9 Nalin Dahyabhai 2012-07-17 18:21:36 UTC 
(In reply to comment #8)
> The use case is this: you have an IPA client machine and you want to run an
> SSL service on it. You can use certmonger to automatically get a certificate
> for you, which once installed won't actually work because you lack the CA to
> go with it, so it's a two-step process. The request was to make it
> one-stop-shopping.
> 
> The middle tuple is S/MIME which may be overkill (heck, even object-signing
> is a bit of a stretch). It doesn't hurt though, CT,C,C is fine.

Does it impact the verification of signatures generated by the caJarSigningCert certificate?

> When we requested this it was in the scope of IPA so there was only one CA
> to consider. I think tracking the CA per request is probably fine, you just
> need a way to resolve if two requests are from the same database. You can't
> assume they have the same CA. But installing the same CA twice should be
> fine (a no-op, really).

If there are two certificates from different CAs in the same database, then only one of those CAs is going to be able to have the nickname "$DOMAIN IPA CA" set for its certificate.  What's supposed to happen then?

Installing the same CA certificate with the same nickname, twice, should be a no-op, I agree.

> Fetching the CA remotely is a bit of a chicken-and-egg problem. We do
> publish a non-secured copy of it in IPA, but the question is: is it
> trustworthy?  We've decided it is, esp since we use it right after we request
> it and therefore confirm that it is the right one.

If we accept that the CA's certificate will eventually be replaced, we need to find a way to provide a copy of the replacement certificate to clients via an authenticated path.

We're about to start publishing CA subsystem certificates to the IPA directory service.  If we put the CA's signing certificate in there, too, then the client would be able to fetch it at any time by performing a GSSAPI-authenticated LDAP search.
Comment 10 Rob Crittenden 2012-07-17 19:11:15 UTC 
(In reply to comment #9)
> Does it impact the verification of signatures generated by the
> caJarSigningCert certificate?

It depends on how forward thinking we want to be. Today, no, it wouldn't. IPA issues only server certs so object signing would never come into play. If we issue identity certs for users then we might end up using certmonger to monitor their Firefox/Mozilla NSS db in which case object signing might be a possibility.

> If there are two certificates from different CAs in the same database, then
> only one of those CAs is going to be able to have the nickname "$DOMAIN IPA
> CA" set for its certificate.  What's supposed to happen then?
> 
> Installing the same CA certificate with the same nickname, twice, should be
> a no-op, I agree.

Yes, choosing the nickname would be important. I would assume that whatever told certmonger to start tracking would provide the nickname and it would be unique and relevant for the situation. I think this would only be a problem if someone would have to communicate with two different IPA domains named the same thing.

> If we accept that the CA's certificate will eventually be replaced, we need
> to find a way to provide a copy of the replacement certificate to clients
> via an authenticated path.
> 
> We're about to start publishing CA subsystem certificates to the IPA
> directory service.  If we put the CA's signing certificate in there, too,
> then the client would be able to fetch it at any time by performing a
> GSSAPI-authenticated LDAP search.

We've been meaning to do that a while (read years) but haven't gotten around to it. I opened IPA ticket https://fedorahosted.org/freeipa/ticket/2930 for this.
Comment 12 Jenny Severance 2013-05-07 15:12:15 UTC 
*** Bug 817405 has been marked as a duplicate of this bug. ***
Comment 13 Nalin Dahyabhai 2014-09-05 14:07:19 UTC 
Around 0.75, ipa-getcert's various subcommands should gain a -a flag, which can be used to specify a database to which the CA's certificates should be saved.
Comment 15 Kaleem 2014-12-11 11:21:55 UTC 
Verified

certmonger version:
------------------
[root@dhcp207-1 ~]# rpm -q certmonger
certmonger-0.75.14-2.el7.x86_64
[root@dhcp207-1 ~]# 

snip from automation log:
=========================
:: [   PASS   ]   TC1_getcert_request : Valid location with -F parameter
:: [   PASS   ]   TC2_getcert_request : Invalid location with -F parameter
:: [   PASS   ]   TC3_getcert_request : empty -F parameter
:: [   PASS   ]   TC4_getcert_request : CA already exist in provided file location
:: [   PASS   ]   TC5_getcert_request : Valid nss db location
:: [   PASS   ]   TC6_getcert_request : Invalid nss db location
:: [   PASS   ]   TC7_getcert_request : Empty nss db location
:: [   PASS   ]   TC8_getcert_request : CA already exists
:: [   PASS   ]   TC9_getcert_resubmit : Valid location with -F parameter
:: [   PASS   ]   TC10_getcert_resubmit : Invalid location with -F parameter
:: [   PASS   ]   TC11_getcert_resubmit : empty -F parameter
:: [   PASS   ]   TC12_getcert_resubmit : CA already exist in provided file location
:: [   PASS   ]   TC13_getcert_resubmit : Valid location with -a parameter
:: [   PASS   ]   TC14_getcert_resubmit : Invalid location with -a parameter
:: [   PASS   ]   TC15_getcert_resubmit : empty -a parameter
:: [   PASS   ]   TC16_getcert_resubmit : CA already exist in provided nss db location
:: [   PASS   ]   TC17_getcert_start_tracking : Valid location with -F parameter
:: [   PASS   ]   TC18_getcert_start_tracking : Invalid location with -F parameter
:: [   PASS   ]   TC19_getcert_start_tracking : empty -F parameter
:: [   PASS   ]   TC20_getcert_start_tracking : CA already exist in provided file location
:: [   PASS   ]   TC21_getcert_start_tracking : Valid location with -a parameter
:: [   PASS   ]   TC22_getcert_start_tracking : Invalid location with -a parameter
:: [   PASS   ]   TC23_getcert_start_tracking : empty -a parameter
:: [   PASS   ]   TC24_getcert_start_tracking : CA already exist in provided nss db location
Comment 16 Jiri Herrmann 2014-12-12 15:32:11 UTC 
If this Feature should be included in the 7.1 Release Notes, could you please change the Doc Type from Enhancement to "Release Note"?

Note that the Release Notes are intended to list the most prominent and customer-relevant new features rather than every single enhancement.

Cheers,
Jirka
Comment 17 Nalin Dahyabhai 2014-12-15 14:18:14 UTC 
I wouldn't expect it to be called out, since we don't use it in the default IPA installation scenarios.
Comment 19 errata-xmlrpc 2015-03-05 10:02:00 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0437.html
Note You need to log in before you can comment on or make changes to this bug.