Bug 1883639
Summary: | Add KRA Transport and Storage Certificates profiles, audit for IPA | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Dinesh Prasanth <dmoluguw> |
Component: | pki-core | Assignee: | RHCS Maintainers <rhcs-maint> |
Status: | CLOSED ERRATA | QA Contact: | PKI QE <bugzilla-pkiqe> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | 7.9 | CC: | aakkiang, abokovoy, alee, bugzilla-pkiqe, cfu, cpinjani, edewata, extras-qa, fdc, frenaud, ipa-maint, jhrozek, mharmsen, mhjacks, mkosek, pvoborni, rcritten, rhcs-maint, skhandel, ssorce, twoerner, wdh |
Target Milestone: | rc | Keywords: | TestCaseProvided, Triaged |
Target Release: | 7.9 | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | pki-core-10.5.18-11.el7_9 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | 1875563 | Environment: | |
Last Closed: | 2021-03-16 13:48:22 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1869605, 1875563 | | |
Bug Blocks: | 1872603, 1872604 | | |
Description
Dinesh Prasanth
2020-09-29 18:37:00 UTC
commit 73efcea0c74eb4882c003a7fe6cef21fa7627363 (HEAD -> DOGTAG_10_5_BRANCH, origin/DOGTAG_10_5_BRANCH)
Author: Christina Fu <cfu>
Date: Tue Oct 13 16:19:06 2020 -0700

Bug1883639-add profile caAuditSigningCert

Existing profiles caStorageCert.cfg and caTransportCert.cfg should be used for KRA. A caAuditSigningCert profile is added, although I find a misleading profile named caSignedLogCert.cfg that was intended for the use. I disabled caSignedLogCert.cfg instead. I also removed the SHA1 algorithms from all the *storage* and *audit* profiles while I'm at it.

The upgrade scripts only add the new profile caAuditSigningCert. They do not modify existing profiles or remove those two IPA specific ones.

fixes https://bugzilla.redhat.com/show_bug.cgi?id=1883639

Test procedure for RHCS QE:

There are two things to test. One being that the upgrade scripts work - this could be achieved by upgrading the rpms, and restart a previously installed instance, then observe that the new caAuditSigningCert.cfg profiles show up under /var/lib/pki/<instance>/ca/profiles/ca/

The other being that the profile actually works. Here is the minimum test I did on the RHCS side (feel free to improve upon or automate it):

I generated a PKCS#10 request, e.g.

PKCS10Client -d . -p netscape -n "CN=Audit Signing Certificate,OU=testUpgrade,O=ladycfu-caRSA072820" -l 2048 -o sys_auditSigning_pkcs10_upgrade.req

On browser, I went to EE portal select the Manual Audit Signing cert profile and pasted the request into each profile and submit. The request should be created successfully. As a CA agent, approve the request, and the cert should be issued successfully.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: pki-core security and bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:0851
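The upgrade check from the test procedure above, as an added example that is not part of the bug report or the pki-core commit: it confirms that caAuditSigningCert.cfg is present in a profile directory and lists storage/audit profiles that still allow a SHA1 signing algorithm, which can occur on upgraded instances because the commit message says the upgrade scripts do not modify existing profiles. The function names, the policy-set names and the sample files are constructed for illustration; it assumes the allowed algorithms are listed under the profiles' `signingAlgsAllowed` constraint key.

```shell
#!/bin/sh
# Added example (not Dogtag code): post-upgrade check of a CA profile directory.
# A real target would be /var/lib/pki/<instance>/ca/profiles/ca; the demo at the
# bottom uses a constructed directory so the script runs offline.

# List storage/audit profiles whose signingAlgsAllowed still names a SHA1 algorithm.
sha1_profiles() {
    for f in "$1"/*[Ss]torage*.cfg "$1"/*[Aa]udit*.cfg; do
        [ -f "$f" ] || continue
        if grep -q '^policyset\..*signingAlgsAllowed=.*SHA1with' "$f"; then
            basename "$f"
        fi
    done
}

# 0 = new profile present and no SHA1 left; 1 = caAuditSigningCert.cfg missing;
# 2 = present, but some storage/audit profile still allows SHA1.
check_profiles() {
    [ -f "$1/caAuditSigningCert.cfg" ] || return 1
    [ -z "$(sha1_profiles "$1")" ] || return 2
    return 0
}

# Constructed sample: an upgraded instance where the new profile was added but
# the pre-existing caStorageCert.cfg was left untouched (contents are made up).
make_sample() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'enable=true' \
      'policyset.auditSigningCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA' \
      > "$d/caAuditSigningCert.cfg"
    printf '%s\n' 'enable=true' \
      'policyset.drmStorageCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA' \
      > "$d/caStorageCert.cfg"
    echo "$d"
}

sample=$(make_sample)
check_profiles "$sample" && rc=0 || rc=$?
echo "check_profiles rc=$rc; SHA1 still allowed in: $(sha1_profiles "$sample")"
rm -rf "$sample"
```

To check an installed instance, call `check_profiles` with that instance's profile directory instead of the constructed sample.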