pkispawn generates a CSR without extensions. Without the proper extensions in the CSR, the CA cert issued might be invalid since it will not have the proper extensions too.
Steps to Reproduce:
1. Check the CSR generated by step 1 of external CA generation.
2. You will find no extensions specified like the way they exist in other RootCA certs.
Actual results:
Extensions are not supported right now, due to which CA installation failed.
Expected results:
RootCA installation should work.
Additional info:
CSR generated by pkispawn:

    Certificate Request:
        Data:
            Version: 0 (0x0)
            Subject: commonName = CA Signing Certificate
                     organizationName = EXTERNAL
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:b2:ca:81:d6:b1:81:49:57:8e:11:a6:10:75:17:
                        2e:24:51:c6:30:e1:fa:d1:16:65:fd:e6:43:8a:e1:
                        eb:54:bf:a3:d2:4c:be:a8:7e:4f:25:83:c4:41:76:
                        26:f9:f6:90:89:35:43:4f:ae:f9:fc:fd:cd:a7:f3:
                        eb:6f:09:a8:64:e2:c5:59:2b:ff:65:3f:4e:93:a5:
                        77:af:8b:d2:65:92:f4:29:6e:05:25:a3:d6:a8:e1:
                        09:4a:45:96:82:2a:7c:b8:d7:d0:25:c3:2f:ed:fc:
                        76:56:a9:ac:42:96:a2:ac:3f:04:4d:9e:37:48:6a:
                        10:8b:9f:70:3a:6b:7f:c8:ba:2e:e1:36:d7:d1:12:
                        c0:cc:00:5a:3d:38:b4:a0:99:13:ec:9a:6f:47:24:
                        b2:66:d3:d0:89:e9:59:4e:18:5d:5e:1e:f5:04:ac:
                        dd:ee:c2:91:22:61:3b:d4:58:10:ac:82:27:93:47:
                        80:67:e5:f2:19:20:9f:e3:c9:dd:0f:e0:54:b3:5b:
                        51:7b:cc:e3:1d:7a:20:2b:79:58:b1:0e:a3:ff:18:
                        11:ba:9b:e2:a9:c8:03:03:7f:f3:6d:d6:b5:7c:bb:
                        61:f9:7a:6d:ff:e5:88:af:92:18:74:e0:74:58:18:
                        f6:6b:be:22:82:6a:8d:5a:21:ec:87:a8:16:29:ab:
                        fa:5f
                    Exponent: 65537 (0x10001)
            Attributes:
                a0:00
        Signature Algorithm: sha256WithRSAEncryption
             16:87:7f:01:f9:91:16:ee:67:4e:e6:19:2f:0f:ea:95:03:60:
             59:b5:26:91:5a:15:15:39:e7:a9:ec:eb:1b:b0:aa:cb:ce:ea:
             d2:28:5b:b9:6b:09:5a:cf:fe:60:e7:f9:76:a2:39:5e:85:ee:
             97:e8:a1:02:0e:27:e6:ac:97:2e:84:3b:98:c7:62:07:95:87:
             53:a0:20:ea:8f:86:c9:28:ef:05:24:95:df:84:6f:73:c5:f6:
             0c:9e:c6:5f:e8:bb:76:a7:4a:d8:b6:11:2d:64:23:99:e0:f8:
             94:87:69:59:29:68:b7:f2:16:66:63:f3:43:57:0c:b7:4f:12:
             f5:a7:2f:cf:cf:5c:3d:79:21:d9:75:83:01:2a:a0:c6:6a:5e:
             0b:4a:36:7e:ec:f0:8b:14:42:0f:3d:cd:7c:41:36:82:93:11:
             38:a9:20:7d:e8:96:92:16:a3:f8:1b:e4:fb:31:12:fb:9f:06:
             7a:8c:88:d4:84:3d:7b:40:a3:bb:b7:87:12:6e:13:05:09:6b:
             77:32:8d:5c:cc:05:a3:d5:40:88:d5:28:5c:1f:16:45:22:05:
             e4:b5:84:72:43:3a:dc:1b:2a:65:9d:12:3f:65:be:ee:19:43:
             73:ff:35:8a:e2:7f:0b:83:dd:32:e8:a6:cf:60:b4:6c:f6:d4:
             00:d1:b2:35

CSR generated by 3rd party:

    X509v3 extensions:
        X509v3 Basic Constraints: critical
            CA:TRUE, pathlen:1
        X509v3 Certificate Policies:
            Policy: 1.2.840.113583.1.2.1
              CPS: https://www.adobe.com/misc/pki/cds_cp.html
        X509v3 Extended Key Usage:
            1.2.840.113583.1.1.5
        X509v3 CRL Distribution Points:
            Full Name:
              URI:http://crl.adobe.com/cds.crl
            Full Name:
              DirName: C = US, O = Adobe Systems Incorporated, OU = Adobe Trust Services, CN = Adobe Root CA, CN = CRL1
        X509v3 Key Usage:
            Certificate Sign, CRL Sign
        X509v3 Authority Key Identifier:
            keyid:82:B7:38:4A:93:AA:9B:10:EF:80:BB:D9:54:E2:F1:0F:FB:80:9C:DE
        X509v3 Subject Key Identifier:
            AB:80:59:C3:65:83:6D:1D:7D:13:BD:19:C3:EC:1A:8F:0D:47:6A:A3
        1.2.840.113533.7.65.0:
            0 ..V6.0....
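As an added example (not pkispawn's code and not part of the ticket), the shell script below builds a CA signing CSR that carries the Basic Constraints and Key Usage extensions described above, builds a second CSR with an empty attribute set like the pkispawn output, and provides a check to run on any CSR before it is handed to an external CA. The openssl config section names and file names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not pkispawn's code: generate a CA signing CSR with the
# Basic Constraints / Key Usage extensions the ticket says pkispawn omits,
# generate one without them, and check a CSR for those extensions.
set -e

# Writes $1/ca-csr.cnf, $1/bare.cnf, $1/key.pem, $1/with-ext.csr, $1/no-ext.csr.
# Section names (dn, ca_ext) and file names are this example's own choices.
make_demo_csrs() {
    dir="$1"
    cat > "$dir/ca-csr.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
req_extensions     = ca_ext
[ dn ]
CN = CA Signing Certificate
O  = EXTERNAL
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # Same config minus req_extensions: the CSR then has an empty attribute
    # set (Attributes: a0:00), the shape the ticket shows for pkispawn output.
    sed '/req_extensions/d' "$dir/ca-csr.cnf" > "$dir/bare.cnf"
    openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null
    openssl req -new -key "$dir/key.pem" -config "$dir/ca-csr.cnf" -out "$dir/with-ext.csr"
    openssl req -new -key "$dir/key.pem" -config "$dir/bare.cnf"   -out "$dir/no-ext.csr"
}

# Returns 0 if the CSR in $1 requests CA:TRUE plus Certificate Sign and
# CRL Sign, 1 otherwise. Run it before submitting a CA CSR to an external CA.
csr_has_ca_extensions() {
    text="$(openssl req -in "$1" -noout -text)"
    printf '%s\n' "$text" | grep -q 'CA:TRUE' || return 1
    printf '%s\n' "$text" | grep -q 'Certificate Sign, CRL Sign' || return 1
}

# Stand-alone demo: the first CSR passes the check, the second does not.
work="$(mktemp -d)"
make_demo_csrs "$work"
for f in with-ext.csr no-ext.csr; do
    if csr_has_ca_extensions "$work/$f"; then
        echo "$f: CA extensions present"
    else
        echo "$f: CA extensions missing"
    fi
done
rm -rf "$work"
```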
Per Bug Triage of 05/03/2016: 10.3.1
Reassigning this bug to edewata, as cfu explained that this may be related to breakage of PKI TRAC #1110 - pkispawn (configuration) does not provide CA extensions in subordinate certificate signing requests (CSR)
Added basic constraints and key usage extensions:
The support for generic extensions will be added separately.
Added support for generic extension:
Metadata Update from @gkapoor: - Issue assigned to edewata - Issue set to the milestone: 10.3.2
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2432
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.