#2374 KRA cloning overwrites CA signing certificate trust flags
Closed: Fixed. Opened 7 years ago by edewata.

For KRA cloning the admin needs to provide a PKCS #12 file containing the existing KRA's certificates. Depending on how the PKCS #12 file is created, the file might include the CA signing certificate, and it might also include the certificate trust flags. During KRA clone installation the PKCS #12 file will be imported into the clone's NSS database.

The problem is, if the clone already has a CA subsystem, the trust flags in the NSS database will be overwritten by the trust flags in the PKCS #12 file. If the trust flags in the PKCS #12 file were not exported properly from the original KRA, it can cause problems in the clone (e.g. unable to connect to DS).

To fix the problem the tool to import the PKCS #12 file should not overwrite existing certificate and trust flags unless specifically requested.


Steps to reproduce:

  1. Install CA and KRA on master:

     $ ipa-server-install -U -r EXAMPLE.COM -p Secret123 -a Secret123
     $ ipa-kra-install -p Secret123

  2. Install CA and KRA on replica:

     $ ipa-client-install -U --server server.example.com --domain example.com \
       --realm EXAMPLE.COM -p admin -w Secret123
     $ echo Secret123 | kinit admin
     $ ipa-replica-install -U --setup-ca -p Secret123 -w Secret123
     $ ipa-kra-install -p Secret123

Actual result: The KRA installation on replica failed.

Expected result: The KRA installation on replica should succeed.
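The import policy the ticket asks for, as an added example in Python (not Dogtag's own code): parse a `certutil -L` listing of the clone's NSS database and merge in the trust flags carried by the PKCS #12 file, keeping the flags already in the database unless an overwrite is explicitly requested. The nicknames and flag values below are constructed samples, not taken from the ticket.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `certutil -L -d <nssdb>` output on a clone that
# already has a CA subsystem (placeholder nicknames, not from the ticket).
EXISTING_NSSDB_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
subsystemCert cert-pki-ca                                    u,u,u
"""

# Constructed trust flags carried in a PKCS #12 file whose CA signing cert
# was exported without its trust attributes (the failure mode in the ticket).
PKCS12_TRUST_FLAGS = {
    "caSigningCert cert-pki-ca": ",,",
    "subsystemCert cert-pki-ca": "u,u,u",
    "storageCert cert-pki-kra": "u,u,u",
}

# nickname, two or more spaces, then the SSL,S/MIME,JAR/XPI flag triple
_ROW = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<flags>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)$")


def parse_certutil_listing(text: str) -> Dict[str, str]:
    """Map nickname -> trust flags; header lines never match the flag triple."""
    certs = {}
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            certs[m.group("nick")] = m.group("flags")
    return certs


def merge_trust_flags(existing: Dict[str, str], imported: Dict[str, str],
                      overwrite: bool = False) -> Dict[str, str]:
    """Trust flags after import: existing entries win unless overwrite=True."""
    merged = dict(existing)
    for nick, flags in imported.items():
        if nick in existing and not overwrite:
            continue  # keep e.g. CTu,Cu,Cu on the CA signing certificate
        merged[nick] = flags
    return merged


def changed_entries(existing: Dict[str, str], merged: Dict[str, str]) -> List[Tuple[str, str]]:
    """Nicknames whose flags differ from the database before the import."""
    return sorted((n, f) for n, f in merged.items() if existing.get(n) != f)


if __name__ == "__main__":
    before = parse_certutil_listing(EXISTING_NSSDB_LISTING)
    for nick, flags in changed_entries(before, merge_trust_flags(before, PKCS12_TRUST_FLAGS)):
        print(f"import {nick!r} with trust flags {flags!r}")
```

With the default policy only the new KRA storage certificate is imported; the CA signing certificate keeps `CTu,Cu,Cu`, which is what the replica needs to keep trusting its own CA.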

Per discussions with edewata on IRC: 10.3.4

Per PKI Bug Council of 06/23/2016: 10.3.4

no downstream bug is necessary, as this will be tested out by FreeIPA

Fixed in master:

  • 8598a68ac954d1020f4e0063e257a20512961567

Metadata Update from @edewata:
- Issue assigned to edewata
- Issue set to the milestone: 10.3.4

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2494

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

