The current default certificate nicknames are rather cryptic and contain redundant words. Since the nicknames are used to manage certificates and do client authentication via CLI, it's better to use more human-readable nicknames.
Currently the nicknames are defined as follows:
pki_ssl_server_nickname=Server-Cert cert-%(pki_instance_id)s
pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_id)s %(pki_subsystem)s
pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_id)s %(pki_subsystem)s
pki_audit_signing_nickname= auditSigningCert cert-%(pki_instance_id)s CA
pki_subsystem_nickname=subsystemCert cert-%(pki_instance_id)s CA
pki_storage_nickname=storageCert cert-%(pki_instance_id)s KRA
pki_transport_nickname=transportCert cert-%(pki_instance_id)s KRA
pki_audit_signing_nickname= auditSigningCert cert-%(pki_instance_id)s KRA
pki_subsystem_nickname=subsystemCert cert-%(pki_instance_id)s KRA
pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_id)s OCSP
pki_audit_signing_nickname= auditSigningCert cert-%(pki_instance_id)s OCSP
pki_subsystem_nickname=subsystemCert cert-%(pki_instance_id)s OCSP
pki_audit_signing_nickname= auditSigningCert cert-%(pki_instance_id)s TKS
pki_subsystem_nickname=subsystemCert cert-%(pki_instance_id)s TKS
As an example, currently a CA signing certificate nickname will look like the following:
caSigningCert cert-pki-tomcat CA
A better nickname would be:
CA Signing Certificate for pki-tomcat CA
For comparison, the certificate subject DN uses a more user-friendly name:
cn=CA Signing Certificate,o=EXAMPLE.COM
Note that some applications (e.g. certmonger) might depend on the current nicknames. They need to be modified to be more flexible.
PKI TRAC Ticket #1645 - Consider better default values for certificate nicknames was marked as a duplicate of this ticket:

[DEFAULT]
pki_ssl_server_nickname=Server-Cert cert-%(pki_instance_name)s
pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s
...

[CA]
pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_name)s CA
pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_name)s CA
pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s CA

[KRA]
pki_storage_nickname=storageCert cert-%(pki_instance_name)s KRA
pki_transport_nickname=transportCert cert-%(pki_instance_name)s KRA
pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s KRA

[OCSP]
pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_name)s OCSP
pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s OCSP

[TKS]
pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s TKS

[TPS]
pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s TPS
FreeIPA is currently dependent on the certificate nickname format that we use. We should not change this until FreeIPA has made changes so we don't break them if we change our defaults. This could be as easy as having IPA explicitly set the old nickname format in the deployment file it uses instead of using our defaults. A ticket should be filed for this in the FreeIPA trac instance.
Changes are currently under test.
The following shows the results of placing a CA, KRA, OCSP, TKS, and TPS inside a shared PKI instance:
NEW NICKNAMES of a CA, KRA, OCSP, TKS, TPS SHARED INSTANCE:

# certutil -d . -L

Certificate Nickname                                   Trust Attributes
                                                       SSL,S/MIME,JAR/XPI

CA Signing Certificate for pki-tomcat CA               CTu,Cu,Cu
Server Certificate for pki-tomcat                      u,u,u
Audit Signing Certificate for pki-tomcat CA            u,u,Pu
Storage Certificate for pki-tomcat KRA                 u,u,u
OCSP Signing Certificate for pki-tomcat OCSP           CTu,Cu,Cu
Audit Signing Certificate for pki-tomcat TKS           u,u,Pu
OCSP Signing Certificate for pki-tomcat CA             u,u,u
Subsystem Certificate for pki-tomcat                   u,u,u
Transport Certificate for pki-tomcat KRA               u,u,u
Audit Signing Certificate for pki-tomcat KRA           u,u,Pu
Audit Signing Certificate for pki-tomcat OCSP          u,u,Pu
Audit Signing Certificate for pki-tomcat TPS           u,u,Pu

Alternatively, the following shows the results of placing a CA, KRA, OCSP, TKS, and TPS inside separated PKI instances:

NEW NICKNAMES of a CA SEPARATED INSTANCE:

# certutil -d . -L

Certificate Nickname                                   Trust Attributes
                                                       SSL,S/MIME,JAR/XPI

CA Signing Certificate for pki-ca CA                   CTu,Cu,Cu
Server Certificate for pki-ca                          u,u,u
Audit Signing Certificate for pki-ca CA                u,u,Pu
OCSP Signing Certificate for pki-ca CA                 u,u,u
Subsystem Certificate for pki-ca                       u,u,u

NEW NICKNAMES of a KRA SEPARATED INSTANCE:

# certutil -d . -L

Certificate Nickname                                   Trust Attributes
                                                       SSL,S/MIME,JAR/XPI

CA Signing Certificate - example.com Security Domain   CT,c,
Storage Certificate for pki-kra KRA                    u,u,u
Subsystem Certificate for pki-kra                      u,u,u
Transport Certificate for pki-kra KRA                  u,u,u
Server Certificate for pki-kra                         u,u,u
Audit Signing Certificate for pki-kra KRA              u,u,Pu

NEW NICKNAMES of an OCSP SEPARATED INSTANCE:

# certutil -d . -L

Certificate Nickname                                   Trust Attributes
                                                       SSL,S/MIME,JAR/XPI

CA Signing Certificate - example.com Security Domain   CT,c,
Server Certificate for pki-ocsp                        u,u,u
Audit Signing Certificate for pki-ocsp OCSP            u,u,Pu
OCSP Signing Certificate for pki-ocsp OCSP             CTu,Cu,Cu
Subsystem Certificate for pki-ocsp                     u,u,u

NOTE: Was not automatically connected to separated CA!
Filed PKI TRAC Ticket #2348 - Separated OCSP instance does not automatically bind to its remote CA

NEW NICKNAMES of a TKS SEPARATED INSTANCE:

# certutil -d . -L

Certificate Nickname                                   Trust Attributes
                                                       SSL,S/MIME,JAR/XPI

CA Signing Certificate - example.com Security Domain   CT,c,
Server Certificate for pki-tks                         u,u,u
Audit Signing Certificate for pki-tks TKS              u,u,Pu
Subsystem Certificate for pki-tks                      u,u,u

NEW NICKNAMES of a TPS SEPARATED INSTANCE:

# certutil -d . -L

Certificate Nickname                                   Trust Attributes
                                                       SSL,S/MIME,JAR/XPI

CA Signing Certificate - example.com Security Domain   CT,c,
Server Certificate for pki-tps                         u,u,u
Audit Signing Certificate for pki-tps TPS              u,u,Pu
Subsystem Certificate for pki-tps                      u,u,u

NOTE: The shared secret from the separated TKS was not automatically imported into the separated TPS security databases!
Filed PKI TRAC Ticket #2349 - Separated TPS does not automatically import shared secret from remote TKS
For reference, the following pkispawn override configuration files were utilized to produce the separated PKI instances:
PKISPAWN CONFIGURATION OVERRIDE file for a CA:

[DEFAULT]
pki_admin_password=Secret123
pki_client_pkcs12_password=Secret123
pki_ds_password=Secret123

# Optionally keep client databases
pki_client_database_purge=False

# Separated CA instance name and ports
pki_instance_name=pki-ca
pki_http_port=18080
pki_https_port=18443

# Separated CA instance will be its own security domain
pki_security_domain_https_port=18443

[Tomcat]
# Separated CA Tomcat ports
pki_ajp_port=18009
pki_tomcat_server_port=18005

PKISPAWN CONFIGURATION OVERRIDE file for a KRA:

[DEFAULT]
pki_admin_password=Secret123
pki_client_database_password=Secret123
pki_client_pkcs12_password=Secret123
pki_ds_password=Secret123
pki_security_domain_password=Secret123

# Optionally keep client databases
pki_client_database_purge=False

# Separated KRA instance name and ports
pki_instance_name=pki-kra
pki_http_port=28080
pki_https_port=28443

# Separated KRA instance security domain references
pki_issuing_ca=https://pki.example.com:18443
pki_security_domain_hostname=pki.example.com
pki_security_domain_https_port=18443
pki_security_domain_user=caadmin

[Tomcat]
# Separated KRA Tomcat ports
pki_ajp_port=28009
pki_tomcat_server_port=28005

[KRA]
# Separated KRA instance requires its own PKI Administrator Certificate
pki_import_admin_cert=False

PKISPAWN CONFIGURATION OVERRIDE file for an OCSP:

[DEFAULT]
pki_admin_password=Secret123
pki_client_database_password=Secret123
pki_client_pkcs12_password=Secret123
pki_ds_password=Secret123
pki_security_domain_password=Secret123

# Optionally keep client databases
pki_client_database_purge=False

# Separated OCSP instance name and ports
pki_instance_name=pki-ocsp
pki_http_port=29080
pki_https_port=29443

# Separated OCSP instance security domain references
pki_issuing_ca=https://pki.example.com:18443
pki_security_domain_hostname=pki.example.com
pki_security_domain_https_port=18443
pki_security_domain_user=caadmin

[Tomcat]
# Separated OCSP Tomcat ports
pki_ajp_port=29009
pki_tomcat_server_port=29005

[OCSP]
# Separated OCSP instance requires its own PKI Administrator Certificate
pki_import_admin_cert=False

PKISPAWN CONFIGURATION OVERRIDE file for a TKS:

[DEFAULT]
pki_admin_password=Secret123
pki_client_database_password=Secret123
pki_client_pkcs12_password=Secret123
pki_ds_password=Secret123
pki_security_domain_password=Secret123

# Optionally keep client databases
pki_client_database_purge=False

# Separated TKS instance name and ports
pki_instance_name=pki-tks
pki_http_port=30080
pki_https_port=30443

# Separated TKS instance security domain references
pki_issuing_ca=https://pki.example.com:18443
pki_security_domain_hostname=pki.example.com
pki_security_domain_https_port=18443
pki_security_domain_user=caadmin

[Tomcat]
# Separated TKS Tomcat ports
pki_ajp_port=30009
pki_tomcat_server_port=30005

[TKS]
# Separated TKS instance requires its own PKI Administrator Certificate
pki_import_admin_cert=False

PKISPAWN CONFIGURATION OVERRIDE file for a TPS:

[DEFAULT]
pki_admin_password=Secret123
pki_client_database_password=Secret123
pki_client_pkcs12_password=Secret123
pki_ds_password=Secret123
pki_security_domain_password=Secret123

# Optionally keep client databases
pki_client_database_purge=False

# Separated TPS instance name and ports
pki_instance_name=pki-tps
pki_http_port=31080
pki_https_port=31443

# Separated TPS instance security domain references
pki_issuing_ca=https://pki.example.com:18443
pki_security_domain_hostname=pki.example.com
pki_security_domain_https_port=18443
pki_security_domain_user=caadmin

[Tomcat]
# Separated TPS Tomcat ports
pki_ajp_port=31009
pki_tomcat_server_port=31005

[TPS]
# Separated TPS instance requires specifying a remote CA
pki_ca_uri=https://pki.example.com:18443

# Separated TPS instance optionally utilizes a remote KRA for server-side keygen
pki_kra_uri=https://pki.example.com:28443
pki_enable_server_side_keygen=True
pki_authdb_basedn=dc=example,dc=com

# Separated TPS instance requires specifying a remote TKS
pki_tks_uri=https://pki.example.com:30443
pki_import_shared_secret=True

# Separated TPS instance requires its own PKI Administrator Certificate
pki_import_admin_cert=False
As a reference, this change should not affect IPA because IPA does in fact override the defaults in its pkispawn config file.
To wit, in cainstance.py:
# Certificate nicknames
config.set("CA", "pki_subsystem_nickname", "subsystemCert cert-pki-ca")
config.set("CA", "pki_ocsp_signing_nickname", "ocspSigningCert cert-pki-ca")
config.set("CA", "pki_ssl_server_nickname", "Server-Cert cert-pki-ca")
config.set("CA", "pki_audit_signing_nickname", "auditSigningCert cert-pki-ca")
config.set("CA", "pki_ca_signing_nickname", "caSigningCert cert-pki-ca")

And in krainstance.py:

# Certificate nicknames
# Note that both the server certs and subsystem certs reuse
# the ca certs.
config.set("KRA", "pki_subsystem_nickname", "subsystemCert cert-pki-ca")
config.set("KRA", "pki_ssl_server_nickname", "Server-Cert cert-pki-ca")
config.set("KRA", "pki_audit_signing_nickname", "auditSigningCert cert-pki-kra")
config.set("KRA", "pki_transport_nickname", "transportCert cert-pki-kra")
config.set("KRA", "pki_storage_nickname", "storageCert cert-pki-kra")
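Added example, not code from this ticket, pkispawn or IPA: it resolves nickname templates with Python's configparser, whose %(name)s interpolation is the same syntax the pkispawn deployment files above use, and shows why an explicit override of the kind IPA sets keeps its nicknames stable when the defaults change. The default excerpts are constructed from the templates quoted in this ticket; the human-readable templates are an assumption modelled on the proposed "CA Signing Certificate for pki-tomcat CA" form, and the legacy-pattern check is a convenience for spotting nicknames that tracking requests (e.g. certmonger) would still reference.

```python
import configparser
import re

# Constructed excerpt of the old pkispawn nickname defaults quoted in the ticket.
OLD_DEFAULTS = """
[DEFAULT]
pki_instance_name=pki-tomcat
pki_ssl_server_nickname=Server-Cert cert-%(pki_instance_name)s
pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s
[CA]
pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_name)s CA
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s CA
[KRA]
pki_storage_nickname=storageCert cert-%(pki_instance_name)s KRA
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s KRA
"""
# Assumed human-readable templates, same interpolation variables as the old ones.
NEW_DEFAULTS = """
[DEFAULT]
pki_instance_name=pki-tomcat
pki_ssl_server_nickname=Server Certificate for %(pki_instance_name)s
pki_subsystem_nickname=Subsystem Certificate for %(pki_instance_name)s
[CA]
pki_ca_signing_nickname=CA Signing Certificate for %(pki_instance_name)s CA
pki_audit_signing_nickname=Audit Signing Certificate for %(pki_instance_name)s CA
[KRA]
pki_storage_nickname=Storage Certificate for %(pki_instance_name)s KRA
pki_audit_signing_nickname=Audit Signing Certificate for %(pki_instance_name)s KRA
"""
# Constructed deployment-file override in the style of IPA's cainstance.py: the
# nicknames are pinned literally, so a change to the defaults cannot alter them.
IPA_OVERRIDE = """
[DEFAULT]
pki_instance_name=pki-ca
[CA]
pki_ca_signing_nickname=caSigningCert cert-pki-ca
pki_ssl_server_nickname=Server-Cert cert-pki-ca
pki_subsystem_nickname=subsystemCert cert-pki-ca
pki_audit_signing_nickname=auditSigningCert cert-pki-ca
"""
LEGACY = re.compile(r"^(\w+Cert|Server-Cert) cert-")

def render_nicknames(defaults, override="", section="CA"):
    """Resolve every *_nickname key visible from `section`: built-in defaults
    first, the deployment file on top, with %(...)s interpolation applied."""
    cfg = configparser.ConfigParser()          # BasicInterpolation by default
    cfg.read_string(defaults)
    if override:
        cfg.read_string(override)              # later reads override earlier keys
    return {k: v for k, v in cfg.items(section) if k.endswith("_nickname")}

def legacy_nicknames(resolved):
    """Keys whose resolved value still has the old '<type>Cert cert-<instance>'
    form, i.e. names any external tracking request must keep using."""
    return sorted(k for k, v in resolved.items() if LEGACY.match(v))
```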
Similarly (for nicknames):
and:
Initial proposed patch containing revised nicknames 20160602-Fix-default-value-of-pki_cert_chain_nickname.patch
Although the attached patch worked successfully for shared and separated Dogtag instances, and a very simple IPA server test, concerns arose during discussion regarding untested issues such as:
As a consequence, it was determined to err on the side of caution, and defer this bug until 10.4.
Metadata Update from @edewata:
- Issue assigned to mharmsen
- Issue set to the milestone: UNTRIAGED
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/1003
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.
Metadata Update from @dmoluguw:
- Issue close_status updated to: migrated
- Issue status updated to: Closed (was: Open)