Bug 818714 - [ipa webui] Instructions to generate cert should include specifying size of private key
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa (Show other bugs)
Version: 6.2
Priority: high
Severity: unspecified
Target Milestone: rc
Assigned To: Rob Crittenden
QA Contact: Namita Soman
Reported: 2012-05-03 14:56 EDT by Namita Soman
Modified: 2013-02-21 04:12 EST (History)
Fixed In Version: ipa-3.0.0-1.el6
Doc Type: Bug Fix
Last Closed: 2013-02-21 04:12:45 EST
Type: Bug
Description Namita Soman 2012-05-03 14:56:31 EDT
Description of problem:
In the UI for Hosts and Services, it provides instructions to generate a cert.
Following the steps throws an error:
Certificate operation cannot be completed: unknown(3) (Request Rejected - Key Parameters 1024,2048,3072,4096 Not Matched)

The size of the private key is 512 by default. If a size of 1024 is specified, a valid cert can be generated.
So the steps taken were:
# openssl genrsa -out key.pem 1024
Generating RSA private key, 1024 bit long modulus
.........++++++
.............++++++
e is 65537 (0x10001)
[root@qe-blade-01 nk]# openssl req -new -key key.pem  -subj '/O=TESTRELM.COM/CN=qq.testrelm.com' -out cert.csr
Also - instead of using openssl, can the steps indicate using certutil, so that we use the nss db?

Version-Release number of selected component (if applicable):
ipa-server-2.2.0-12.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. Add a Host or Service
2. Edit it
3. Click on 'New Certificate' for Host or Service
4. Follow instructions provided to get a cert
5. Click Issue
Actual results:
error thrown:
Certificate operation cannot be completed: unknown(3) (Request Rejected - Key Parameters 1024,2048,3072,4096 Not Matched)

Expected results:
new cert should be issued

Additional info:
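The rejection reported above comes from the CA comparing the RSA modulus length in the submitted CSR against a fixed set of permitted sizes (1024, 2048, 3072 and 4096 bits, per the error text). A client-side pre-check that parses the CSR and reports the key size before it is submitted avoids the opaque "Key Parameters ... Not Matched" failure. The following is an added example, not FreeIPA or Dogtag code: it uses a minimal DER walker over the PKCS#10 structure (stdlib only, no signature verification), and `build_constructed_csr` fabricates a structurally valid CSR with a synthetic modulus so the check can be exercised offline; the allowed-size list is taken from the error message on this page.

```python
import base64

# Permitted RSA modulus sizes, as listed in the CA rejection message on this page.
ALLOWED_RSA_BITS = (1024, 2048, 3072, 4096)

# DER payload of OID 1.2.840.113549.1.1.1 (rsaEncryption).
RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"


def _der_len(n):
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, payload):
    """Wrap payload in a DER TLV with the given tag byte."""
    return bytes([tag]) + _der_len(len(payload)) + payload


def der_int(value):
    """DER INTEGER, with the leading 0x00 pad required for a set high bit."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der(0x02, body)


def _read_tlv(buf, pos):
    """Read one TLV at pos; return (tag, payload, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(payload):
    """Split a constructed DER payload into its (tag, payload) elements."""
    pos, out = 0, []
    while pos < len(payload):
        tag, val, pos = _read_tlv(payload, pos)
        out.append((tag, val))
    return out


def _pem_to_der(pem):
    body = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def rsa_key_bits_from_csr(pem):
    """Return the RSA modulus length (bits) of a PEM-encoded PKCS#10 CSR."""
    _, csr, _ = _read_tlv(_pem_to_der(pem), 0)      # CertificationRequest
    cri = _children(csr)[0][1]                      # CertificationRequestInfo
    spki = _children(cri)[2][1]                     # subjectPKInfo (after version, subject)
    alg, bitstr = _children(spki)[0], _children(spki)[1]
    if _children(alg[1])[0][1] != RSA_OID:
        raise ValueError("subject public key is not rsaEncryption")
    rsa_pub = bitstr[1][1:]                         # BIT STRING: skip unused-bits byte
    _, rsa_seq, _ = _read_tlv(rsa_pub, 0)           # RSAPublicKey SEQUENCE
    modulus = int.from_bytes(_children(rsa_seq)[0][1], "big")
    return modulus.bit_length()


def check_csr_key_size(pem, allowed=ALLOWED_RSA_BITS):
    """Return (bits, accepted): whether the CSR's key size is one the CA permits."""
    bits = rsa_key_bits_from_csr(pem)
    return bits, bits in allowed


def build_constructed_csr(bits, cn="one.testrelm.com"):
    """Constructed test CSR (hypothetical): synthetic modulus, placeholder signature.
    It is NOT a real key and would never validate at a CA; it only exercises the parser."""
    modulus = (1 << (bits - 1)) | 1                 # odd number with exactly `bits` bits
    alg = der(0x30, der(0x06, RSA_OID) + der(0x05, b""))
    rsa_pub = der(0x30, der_int(modulus) + der_int(65537))
    spki = der(0x30, alg + der(0x03, b"\x00" + rsa_pub))
    cn_rdn = der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode())))
    cri = der(0x30, der_int(0) + der(0x30, cn_rdn) + spki + der(0xA0, b""))
    sig_alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der(0x05, b""))
    signature = der(0x03, b"\x00" + bytes(16))      # placeholder, not a real signature
    csr_der = der(0x30, cri + sig_alg + signature)
    return ("-----BEGIN CERTIFICATE REQUEST-----\n"
            + base64.encodebytes(csr_der).decode()
            + "-----END CERTIFICATE REQUEST-----\n")


if __name__ == "__main__":
    for size in (512, 1024, 2048):
        bits, ok = check_csr_key_size(build_constructed_csr(size))
        print(f"{bits}-bit RSA key: {'accepted' if ok else 'REJECTED by CA key-size policy'}")
```

Run against a real CSR, `check_csr_key_size(open("cert.csr").read())` returns `(512, False)` for the default-size key the report describes, which is the condition the UI instructions needed to warn about.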
Comment 2 Martin Kosek 2012-05-04 03:48:18 EDT
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2725
Comment 3 Rob Crittenden 2012-05-08 12:55:50 EDT
This is just a text change that is easily verified. In addition we'd like to replace the openssl CSR generation instructions with NSS instructions.
Comment 5 Martin Kosek 2012-05-15 04:39:02 EDT
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/4640f957ade4615972a9b857a8f2e1b97e524d01

Steps used to generate a CSR are now based on NSS.
Comment 8 Namita Soman 2012-11-27 00:27:52 EST
Verified instructions using ipa-server-3.0.0-8.el6.x86_64.
Instructions indicate steps using certutil.

# certutil -R -d /home/ -a -g 512 -s 'CN=one.testrelm.com,O=TESTRELM.COM'

and used the cert generated from this command to add a new cert for a host. Got error:
Certificate operation cannot be completed: unknown(3) (Request Rejected - Key Parameters 1024,2048,3072,4096 Not Matched)

Was successful when cert was generated using command:
# certutil -R -d /home/ -a -g 1024 -s 'CN=one.testrelm.com,O=TESTRELM.COM'
Cert was added successfully for host.
Comment 9 Namita Soman 2012-11-27 00:37:49 EST
marking verified - good instructions
Comment 11 errata-xmlrpc 2013-02-21 04:12:45 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0528.html