I set up my TPS CS.cfg file to provide a revocation reason of superseded (CRLReasonExtension=4) and that works fine when I terminate an active token.
When I suspend an active token, the certificates are revoked with the revocation reason as "certificate is on hold" (which is CRLReasonExtension=6). When I then mark the token as terminated, the CRLReasonExtension value does not get changed to 4 so when I look at the certificate in the CA Agent Page the revocation reason is still "certificate is on hold". I thought it was a problem because the certificate status is already "REVOKED" and maybe the CA won't change the reason, but when I mark a suspended token as Lost, the revocation reason changes to "Key compromised."
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1262000 (Red Hat Certificate System)
Per CS/DS meeting of 11/02/2015: 10.3
commit 03d578a6254620e4d4122b92b922f8711773ad40 Author: Christina Fu cfu@redhat.com Date: Mon May 23 16:22:54 2016 -0700
Ticket 1665 - Cert Revocation Reasons not being updated when on-hold This patch fixes the following areas: - In the CA, when revokeCert is called, make it possible to move from on_hold to revoke. - In the servlet that handles TPS revoke (DoRevokeTPS), make sure it allows the on_hold cert to be put in the bucket to be revoked. - there are a few minor fixes such as typos and one have to do with the populate method in SubjectDNInput.java needs better handling of subject in case it's null. Note: This patch does not make attempt to allow agents to revoke certs that are on_hold from agent interface. The search filter needs to be modified to allow that.
How to test: Select a TPS profile that you wish to test with, and modify "...onHold.revokeCert" to true check if "...onHold.revokeCert.reason" is 6 also "...destroyed.revokeCert" to true check if "...destroyed.revokeCert.reason" is 0
do the above for every key type in the same profile that you wish to be put onhold/offhold/destroyed. You might want to leave one cert untouched (not revoked if made temporarily lost) just to compare how it differs with others for the later activities.
Do an enrollment of the profile, and check that the token is active, and the certs are too. at TPS admin interface, select the token, "Change Status" and change from Active to Temporarily lost. Click on "show certificate", you should see that the certs that match the key type that you changed to revokeCert true should now have "revoked_on_hold" status.
Now go back to token, and change status to permanently lost, and check the certificate status, they should now be revoked (this was previously not possible). Also check on the CA and make sure the certs are revoked.
Metadata Update from @ddas: - Issue assigned to cfu - Issue set to the milestone: 10.3.2
reopen for realignment work.
Metadata Update from @cfu: - Custom field feature adjusted to None - Custom field proposedmilestone adjusted to None - Custom field proposedpriority adjusted to None - Custom field reviewer adjusted to None - Custom field version adjusted to None - Issue status updated to: Open (was: Closed)
commit 36213c8b614775feadfebef54db034e1155d33c7 (HEAD -> master, origin/master, origin/HEAD, revokeReason) Author: Christina Fu cfu@redhat.com Date: Thu Jul 20 17:50:38 2017 -0700
Ticket #1665 (code realignment) Certificate Revocation Reasons not being updated in some cases This patch makes sure that when a token is temporarily lost (certs on_hold), its certs are properly revoked when moving to other revocation reasons when marked damaged or permanently lost. In addition, on the CA side, this patch to some degree mimics the original request for transitions from SUPERSEDED to KEY_COMPROMISED, although in the current TPS that is prohibited. Also, the original requested code skipped over informing CRLIssuingPoints, while in this patch, that is not skipped as the revocation reason has changed it should be updated; Time stamp in the cert record is also updated, which is different from the original requested code. Development tests were conducted on currently allowed TPS token state transitions only. Change-Id: I675ce13892a7c48eba42870a87954398d7dc8168
Metadata Update from @cfu: - Issue status updated to: Closed (was: Open)
Metadata Update from @mharmsen: - Issue set to the milestone: 10.5.0 (was: 10.3.2)
Metadata Update from @mharmsen: - Issue close_status updated to: fixed
Metadata Update from @mharmsen: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1274098, https://bugzilla.redhat.com/show_bug.cgi?id=1262000,https://bugzilla.redhat.com/show_bug.cgi?id=1471996,https://bugzilla.redhat.com/show_bug.cgi?id=1500474 (was: https://bugzilla.redhat.com/show_bug.cgi?id=1274098, https://bugzilla.redhat.com/show_bug.cgi?id=1262000)
Metadata Update from @mharmsen: - Custom field fixedinversion adjusted to pki-core-10.5.0-1.fc27
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2224
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Subscribe
Thank you for understanding, and we apologize for any inconvenience.
Login to comment on this ticket.