Bug 843979 - Increase audit cert renewal range to 2 years
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: pki-core (Show other bugs)
Version: 17
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Matthew Harmsen
QA Contact: Fedora Extras Quality Assurance
Depends On:
Blocks: 844459
Reported: 2012-07-27 14:46 EDT by Rob Crittenden
Modified: 2013-07-05 09:13 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Clones: 844459
Environment:
Last Closed: 2013-07-05 09:13:28 EDT
Type: Bug
Regression: ---
Description Rob Crittenden 2012-07-27 14:46:32 EDT
Description of problem:

dogtag uses a different profile for issuing the audit certificate than it uses for renewing it. The issuing profile is for 2 years, the renewal for 6 months. They should both be for 2 years.

Version-Release number of selected component (if applicable):

pki-ca-9.0.20-1
Comment 1 Nathan Kinder 2012-09-17 15:04:26 EDT
Upstream ticket:
https://fedorahosted.org/pki/ticket/333
Comment 2 Matthew Harmsen 2012-09-19 21:10:42 EDT
Worked with Andrew on this to identify the correct profile to change:

    * Installed and Configured Dogtag 10 CA instance
    * Launched CA Agent page and noted that the CA Audit Signing certificate
      was serial #0x5 entitled
      "CN=CA Audit Signing Certificate,O=usersys.redhat.com Security Domain"
    * Launched CA EE page and selected the "Enrollment/Renewal" Tab
      * Selected the profile entitled
        "Renewal: Renew certificate to be manually approved by agents"
        * Placed a "5" in the "Serial Number of Certificate to Renew" section
          and pressed the Submit button
          * Your request ID is 8
    * Back on the CA Agent page, selected "List Requests", selected
      "Show renewal request" for Request type, and pressed the Find button
    * Selected request #8
      * Under "Certificate Profile Information" noted the following:
        * Certificate Profile Id: "caSignedLogCert"
      * Under "Policy Information" noted the following:
        * #2 default values are Range=180 in days
        * #2 constraint rejects the validity that is not between 365 days
Comment 3 Matthew Harmsen 2012-09-19 21:53:56 EDT
Tested out the following change:

    * Shutdown the CA instance
      * systemctl stop pki-tomcatd@pki-tomcat.service
    * Edited /var/lib/pki/pki-tomcat/ca/profiles/ca/caSignedLogCert.cfg
      * 23c23
        < policyset.caLogSigningSet.2.constraint.params.range=365
        ---
        > policyset.caLogSigningSet.2.constraint.params.range=720
        28c28
        < policyset.caLogSigningSet.2.default.params.range=180
        ---
        > policyset.caLogSigningSet.2.default.params.range=720
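Review bot: with both 23c23 and 28c28 moving to 720, the renewal default now sits exactly at the constraint ceiling, whereas the original left a margin (default 180 under constraint 365); the request #9 walk-through that follows is what exercises that boundary, so its outcome is the evidence to keep. This also edits only the instance copy under /var/lib/pki/pki-tomcat/ca/profiles/ca/, so newly created instances still get the old 180/365 values until the packaged profile is changed too, which is what the upstream commits recorded later in this bug are for.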
    * Restarted the CA instance
      * systemctl start pki-tomcatd@pki-tomcat.service
    * Launched CA EE page and selected the "Enrollment/Renewal" Tab
      * Selected the profile entitled
        "Renewal: Renew certificate to be manually approved by agents"
        * Placed a "5" in the "Serial Number of Certificate to Renew" section
          and pressed the Submit button
          * Your request ID is 9
    * Back on the CA Agent page, selected "List Requests", selected
      "Show renewal request" for Request type, and pressed the Find button
    * Selected request #9
      * Under "Certificate Profile Information" noted the following:
        * Certificate Profile Id: "caSignedLogCert"
      * Under "Policy Information" noted the following:
        * #2 default values are Range=720 in days
        * #2 constraint rejects the validity that is not between 720 days

NOTE:  The reason that a new renewal request must be submitted is because
       the original renewal request calculates some values based upon
       the original "default" values (e. g. - the "Not Before" and "Not After"
       values in "Policy Information #2") and while a simple reload of this
       renewal request reflects both changes from 180/365 --> 720/720, it
       does not recalculate the values in "Not Before" and "Not After".
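The mismatch found in Comment 2 and the 720/720 fix tested in Comment 3 can be checked mechanically. The following is an added example, not code from the bug or from Dogtag: it parses the policyset validity keys quoted above out of profile text and reports a renewal profile whose default validity exceeds its own constraint or differs from the issuing profile. The issuing-profile fragment and its policyset name are constructed assumptions, since the bug names no issuing profile file.

```python
import re

# Constructed fragments modelled on the caSignedLogCert.cfg lines quoted in the
# bug: the renewal profile before the fix (default 180d, constraint 365d) and
# after it (both 720d).
RENEWAL_BEFORE = """\
policyset.caLogSigningSet.2.constraint.class_id=validityConstraintImpl
policyset.caLogSigningSet.2.constraint.params.range=365
policyset.caLogSigningSet.2.default.class_id=validityDefaultImpl
policyset.caLogSigningSet.2.default.params.range=180
"""
RENEWAL_AFTER = RENEWAL_BEFORE.replace("range=365", "range=720").replace("range=180", "range=720")

# Assumed issuing-profile fragment (policyset name is invented): "2 years" = 720 days.
ISSUING = """\
policyset.auditSigningSet.2.constraint.params.range=720
policyset.auditSigningSet.2.default.params.range=720
"""

# Matches policyset.<set>.<rule>.(default|constraint).params.range=<days>
RANGE_KEY = re.compile(r"^policyset\.(\w+)\.(\d+)\.(default|constraint)\.params\.range=(\d+)$")


def validity_ranges(cfg_text):
    """Return {(policyset, rule_index): {"default": days, "constraint": days}}."""
    found = {}
    for line in cfg_text.splitlines():
        m = RANGE_KEY.match(line.strip())
        if m:
            key = (m.group(1), int(m.group(2)))
            found.setdefault(key, {})[m.group(3)] = int(m.group(4))
    return found


def check_renewal_profile(renewal_cfg, issuing_cfg):
    """Return a list of findings; an empty list means the renewal profile agrees
    with the issuing profile and its default validity fits its own constraint."""
    issuing_days = {r["default"] for r in validity_ranges(issuing_cfg).values() if "default" in r}
    findings = []
    for (pset, idx), r in validity_ranges(renewal_cfg).items():
        where = f"policyset.{pset}.{idx}"
        if r.get("default", 0) > r.get("constraint", 0):
            findings.append(f"{where}: default {r['default']}d exceeds constraint {r['constraint']}d")
        if "default" in r and r["default"] not in issuing_days:
            findings.append(f"{where}: renewal default {r['default']}d != issuing default {sorted(issuing_days)}")
    return findings


if __name__ == "__main__":
    print(check_renewal_profile(RENEWAL_BEFORE, ISSUING))  # flags the 180-day renewal default
    print(check_renewal_profile(RENEWAL_AFTER, ISSUING))   # [] once both ranges are 720
```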
Comment 5 Matthew Harmsen 2012-09-20 20:46:47 EDT
Resolved in Dogtag 9 on 'DOGTAG_9_BRANCH':

    commit d9c9d8e45f4d8c268576d35dddb965f156c5f3d7
    Author: Matthew Harmsen <mharmsen@redhat.com>
    Date:   Thu Sep 20 10:38:25 2012 -0700
    
        Audit Cert Renewal
    
        * TRAC Ticket #333 - Increase audit cert renewal range to 2 years
        * Bugzilla Bug #843979 - Increase audit cert renewal range to 2 years
    

Resolved in Dogtag 10 on 'master':

    commit f5b8ea5b087f642a0208c228dce6f700cd7d91c1
    Author: Matthew Harmsen <mharmsen@redhat.com>
    Date:   Thu Sep 20 10:23:47 2012 -0700
    
        Audit Cert Renewal
    
        * TRAC Ticket #333 - Increase audit cert renewal range to 2 years
        * Bugzilla Bug #843979 - Increase audit cert renewal range to 2 years
Comment 6 Fedora End Of Life 2013-07-04 03:02:18 EDT
This message is a reminder that Fedora 17 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 17. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '17'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 17's end of life.

Bug Reporter:  Thank you for reporting this issue and we are sorry that
we may not be able to fix it before Fedora 17 is end of life. If you
would still like to see this bug fixed and are able to reproduce it
against a later version of Fedora, you are encouraged to change the
'version' to a later Fedora version prior to Fedora 17's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
