When displaying a certificate in the Dogtag CA GUI, one of the certificates is displayed as 'Base 64 encoded certificate with CA certificate chain in pkcs7 format' at https://<ca>:8443/ca/ee/ca/displayBySerial?op=displayBySerial&serialNumber=<sn>
When trying to use this pkcs7 data, I copied it to a text file and pointed an application (FreeIPA) at it. The FreeIPA installer complained that it could not load this pkcs7 file.
I then tried to inspect it with openssl:
openssl pkcs7 -in ipa.p7 -print_certs
OpenSSL complained: unable to load PKCS7 object 140513062148000:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: PKCS7
I then constructed a new pkcs7 file with openssl:
openssl crl2pkcs7 -nocrl -certfile root.crt -certfile int.crt -certfile ca.crt -out ipa.p7
This cert works in both OpenSSL and IPA.
Then I changed the Dogtag PKCS7 cert header and footer from:
-----BEGIN CERTIFICATE CHAIN-----
-----END CERTIFICATE CHAIN-----
to:
-----BEGIN PKCS7-----
-----END PKCS7-----
Once I did this, the PKCS7 file appears to load correctly in OpenSSL. Maybe it is a simple matter of changing the header and footer text on the Dogtag pkcs7 display?
Apparently trac doesn't do well with the header/footer statements and considers them formatting.
Dogtag header/footer: "-----BEGIN CERTIFICATE CHAIN-----" "-----END CERTIFICATE CHAIN-----"
needs to be changed to what OpenSSL/IdM use: "-----BEGIN PKCS7-----" "-----END PKCS7-----"
It appears that the "* CERTIFICATE CHAIN" header/footer format is non-standard, as mentioned in appendix A of https://tools.ietf.org/html/rfc7468. Section 8 of this RFC also states the following:
The label "CERTIFICATE CHAIN" has been in use to denote a degenerate PKCS #7 structure that contains only a list of certificates (see Section 9 of [RFC2315]). Several modern tools do not support this label. Generators MUST NOT generate the "CERTIFICATE CHAIN" label. Parsers SHOULD NOT treat "CERTIFICATE CHAIN" as equivalent to "PKCS7".
It seems to me that we should not be using the "CERTIFICATE CHAIN" labels, and should instead be outputting with the standard "PKCS7" labels.
I can confirm that openssl expects the PKCS7 header, and that when using keytool for managing a Java keystore, BEGIN CERTIFICATE CHAIN is required instead.
Both options probably need to be supported, and both available for scripted collection.
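The relabelling the first comment did by hand, as an added example that is not code from this ticket or from Dogtag: it rewrites a "CERTIFICATE CHAIN" PEM block to the "PKCS7" label OpenSSL expects, but only after checking the base64 body really is a PKCS#7 signedData ContentInfo. The sample input is a constructed degenerate SignedData (certificate list only, no signers) built by the same script; function names and the 16-byte OID window are assumptions.

```python
import base64
import re

OID_SIGNED_DATA = bytes.fromhex("2A864886F70D010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2A864886F70D010701")         # 1.2.840.113549.1.7.1
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def der_tlv(tag, body):
    """Minimal DER tag-length-value encoder (short- and long-form lengths)."""
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + body

def build_degenerate_pkcs7_der(certs_der=()):
    """Constructed sample: a degenerate PKCS#7 SignedData (RFC 2315 s.9) that
    carries only a certificate list and no signers; certs_der are DER certs."""
    signed_data = der_tlv(0x30,
        der_tlv(0x02, b"\x01")                     # version 1
        + der_tlv(0x31, b"")                       # digestAlgorithms: empty SET
        + der_tlv(0x30, der_tlv(0x06, OID_DATA))   # contentInfo: id-data, no content
        + der_tlv(0xA0, b"".join(certs_der))       # [0] IMPLICIT certificates
        + der_tlv(0x31, b""))                      # signerInfos: empty SET
    return der_tlv(0x30, der_tlv(0x06, OID_SIGNED_DATA) + der_tlv(0xA0, signed_data))

def relabel_certificate_chain(pem_text):
    """Rewrite a 'CERTIFICATE CHAIN' block (the label RFC 7468 s.8 forbids) to
    the 'PKCS7' label OpenSSL expects, after checking the body is signedData."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.group(1), m.group(2)
    if label not in ("CERTIFICATE CHAIN", "PKCS7"):
        raise ValueError(f"unexpected PEM label {label!r}")
    der = base64.b64decode("".join(body.split()), validate=True)
    # ContentInfo ::= SEQUENCE { contentType OID, ... }: the OID follows the
    # outer SEQUENCE header, so it must sit within the first few bytes.
    if der[:1] != b"\x30" or OID_SIGNED_DATA not in der[:16]:
        raise ValueError("body is not a PKCS#7 signedData ContentInfo")
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PKCS7-----\n" + "\n".join(lines) + "\n-----END PKCS7-----\n"

# Constructed input in the shape Dogtag's displayBySerial page emitted.
DOGTAG_SAMPLE = ("-----BEGIN CERTIFICATE CHAIN-----\n"
                 + base64.b64encode(build_degenerate_pkcs7_der()).decode()
                 + "\n-----END CERTIFICATE CHAIN-----\n")
```

The output of relabel_certificate_chain(DOGTAG_SAMPLE) can be fed straight to openssl pkcs7 -print_certs; a block with any label other than CERTIFICATE CHAIN or PKCS7 is rejected rather than silently relabelled.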
Per CS/DS Meeting of 11/23/2015: 10.3 - major
attachment pki-ftweedal-0070-Use-correct-textual-encoding-for-PKCS-7-objects.patch
Per conversations with ftweedal, trivial fix.
Pushed to master (f6177fede9d1b688f0519953ec14839d513a6e2c)
Checked into 'DOGTAG_10_2_5_RHEL_BRANCH':
Checked into 'DOGTAG_10_2_RHEL_BRANCH':
Metadata Update from @bja: - Issue assigned to ftweedal - Issue set to the milestone: 10.3.0.a2
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2258
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.