Bug 818714 - [ipa webui] Instructions to generate cert should include specifying size of private key
Summary: [ipa webui] Instructions to generate cert should include specifying size of p...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.2
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: rc
: ---
Assignee: Rob Crittenden
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-05-03 18:56 UTC by Namita Soman
Modified: 2013-02-21 09:12 UTC (History)
2 users (show)

Fixed In Version: ipa-3.0.0-1.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-02-21 09:12:45 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:0528 0 normal SHIPPED_LIVE Low: ipa security, bug fix and enhancement update 2013-02-21 08:22:21 UTC

Description Namita Soman 2012-05-03 18:56:31 UTC 
Description of problem:
In the UI for Hosts and services, it provides instructions to generate a cert. 
Following the steps throws an error:
Certificate operation cannot be completed: unknown(3) (Request Rejected - Key Parameters 1024,2048,3072,4096 Not Matched)


The size of the private key, by default is 512. If a size of 1024 is specified, can generate a valid cert.
so steps taken were:
# openssl genrsa -out key.pem 1024
Generating RSA private key, 1024 bit long modulus
.........++++++
.............++++++
e is 65537 (0x10001)
[root@qe-blade-01 nk]# openssl req -new -key key.pem  -subj '/O=TESTRELM.COM/CN=qq.testrelm.com' -out cert.csr



Also - instead of using openssl, can the steps indicate using certutil, so that we use the nss db?

Version-Release number of selected component (if applicable):
ipa-server-2.2.0-12.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. Add a Host or Service
2. Edit it
3. Click on 'New Certificate' for Host or Service
4. Follow instructions provided to get a cert
5. Click Issue
  
Actual results:
error thrown:
Certificate operation cannot be completed: unknown(3) (Request Rejected - Key Parameters 1024,2048,3072,4096 Not Matched)

Expected results:
new cert should be issued

Additional info:
Comment 2 Martin Kosek 2012-05-04 07:48:18 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2725
Comment 3 Rob Crittenden 2012-05-08 16:55:50 UTC 
This is just a text change that is easily verified. In addition we'd like to replace the openssl CSR generation instructions with NSS instructions.
Comment 5 Martin Kosek 2012-05-15 08:39:02 UTC 
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/4640f957ade4615972a9b857a8f2e1b97e524d01

Steps used to generate a CSR are now based on NSS.
Comment 8 Namita Soman 2012-11-27 05:27:52 UTC 
Verified instructions using ipa-server-3.0.0-8.el6.x86_64
Instruction indicate stpes using certutil.


# certutil -R -d /home/ -a -g 512 -s 'CN=one.testrelm.com,O=TESTRELM.COM'

and used the cert generated from this command to add a new cert for a host. Got error:
Certificate operation cannot be completed: unknown(3) (Request Rejected - Key Parameters 1024,2048,3072,4096 Not Matched)

Was successful when cert was generated using command:
# certutil -R -d /home/ -a -g 1024 -s 'CN=one.testrelm.com,O=TESTRELM.COM'
cert was added succesfully for host
Comment 9 Namita Soman 2012-11-27 05:37:49 UTC 
marking verified - good instructions
Comment 11 errata-xmlrpc 2013-02-21 09:12:45 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0528.html
Note You need to log in before you can comment on or make changes to this bug.