#432 Certificate nickname improvement
Closed: migrated 3 years ago by dmoluguw. Opened 11 years ago by edewata.

The current default certificate nicknames are rather cryptic and contain redundant words. Since the nicknames are used to manage certificates and do client authentication via CLI, it's better to use more human-readable nicknames.

Currently the nicknames are defined as follows:

pki_ssl_server_nickname=Server-Cert cert-%(pki_instance_id)s
pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_id)s %(pki_subsystem)s
pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_id)s %(pki_subsystem)s
pki_audit_signing_nickname= auditSigningCert cert-%(pki_instance_id)s CA
pki_subsystem_nickname=subsystemCert cert-%(pki_instance_id)s CA
pki_storage_nickname=storageCert cert-%(pki_instance_id)s KRA
pki_transport_nickname=transportCert cert-%(pki_instance_id)s KRA
pki_audit_signing_nickname= auditSigningCert cert-%(pki_instance_id)s KRA
pki_subsystem_nickname=subsystemCert cert-%(pki_instance_id)s KRA
pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_id)s OCSP
pki_audit_signing_nickname= auditSigningCert cert-%(pki_instance_id)s OCSP
pki_subsystem_nickname=subsystemCert cert-%(pki_instance_id)s OCSP
pki_audit_signing_nickname= auditSigningCert cert-%(pki_instance_id)s TKS
pki_subsystem_nickname=subsystemCert cert-%(pki_instance_id)s TKS

As an example, currently a CA signing certificate nickname will look like the following:

caSigningCert cert-pki-tomcat CA

A better nickname would be:

CA Signing Certificate for pki-tomcat CA

For comparison, the certificate subject DN uses a more user-friendly name:

cn=CA Signing Certificate,o=EXAMPLE.COM

Note that some applications (e.g. certmonger) might depend on the current nicknames. They need to be modified to be more flexible.
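As an added example (not code from the ticket, pkispawn or certmonger), the following Python maps the old nickname format to the proposed human-readable form and scans a `certutil -L` listing for entries that still use the old form, which is the check to run before renaming when tools such as certmonger or IPA may track certificates by nickname. The label table, the per-instance rule for server and subsystem certificates, and the regexes are this example's own assumptions derived from the formats shown on the ticket.

```python
import re
# Old-style prefix -> human-readable label, for each nickname kind listed on the ticket.
LABELS = {
    "caSigningCert": "CA Signing Certificate", "ocspSigningCert": "OCSP Signing Certificate",
    "auditSigningCert": "Audit Signing Certificate", "subsystemCert": "Subsystem Certificate",
    "Server-Cert": "Server Certificate", "storageCert": "Storage Certificate",
    "transportCert": "Transport Certificate",
}
# Assumption from the ticket's certutil listings: server/subsystem certs are named per instance only.
INSTANCE_WIDE = {"subsystemCert", "Server-Cert"}
# Old form: "<prefix> cert-<instance>[ <subsystem>]", e.g. "caSigningCert cert-pki-tomcat CA".
OLD_NICKNAME = re.compile(
    r"^(?P<prefix>[A-Za-z-]+) cert-(?P<instance>\S+)(?: (?P<subsystem>CA|KRA|OCSP|TKS|TPS))?$")
# One data row of `certutil -d . -L`: nickname, two or more spaces, then the trust triple.
CERTUTIL_ROW = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[CTcPpu]*,[CTcPpu]*,[CTcPpu]*)\s*$")

def old_to_new_nickname(nickname):
    """Render the ticket's proposed human-readable nickname, or None for a non-old-style name."""
    m = OLD_NICKNAME.match(nickname)
    if m is None or m.group("prefix") not in LABELS:
        return None
    prefix, instance, subsystem = m.group("prefix", "instance", "subsystem")
    new = "%s for %s" % (LABELS[prefix], instance)
    if subsystem and prefix not in INSTANCE_WIDE:
        new += " " + subsystem
    return new

def old_style_entries(certutil_listing):
    """(old nickname, trust flags, proposed nickname) for each old-style row of a certutil listing.
    Run this before renaming to see which entries certmonger, IPA or others may still reference."""
    found = []
    for line in certutil_listing.splitlines():
        row = CERTUTIL_ROW.match(line)
        if row is None:                       # header, blank and unparseable lines are skipped
            continue
        new = old_to_new_nickname(row.group("nick"))
        if new is not None:
            found.append((row.group("nick"), row.group("trust"), new))
    return found

# Constructed sample listing (not from the ticket) mixing old-style and already-renamed entries.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
caSigningCert cert-pki-tomcat CA                             CTu,Cu,Cu
Server-Cert cert-pki-tomcat                                  u,u,u
Audit Signing Certificate for pki-tomcat CA                  u,u,Pu
subsystemCert cert-pki-tomcat CA                             u,u,u
"""
```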


PKI TRAC Ticket #1645 - Consider better default values for certificate nicknames was marked as a duplicate of this ticket:

[DEFAULT]
pki_ssl_server_nickname=Server-Cert cert-%(pki_instance_name)s
pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s
...
[CA]
pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_name)s CA
pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_name)s CA
pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s CA
[KRA]
pki_storage_nickname=storageCert cert-%(pki_instance_name)s KRA
pki_transport_nickname=transportCert cert-%(pki_instance_name)s KRA
pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s KRA
[OCSP]
pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_name)s OCSP
pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s OCSP
[TKS]
pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s TKS
[TPS]
pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s TPS

FreeIPA is currently dependent on the certificate nickname format that we use. We should not change this until FreeIPA has made changes so we don't break them if we change our defaults. This could be as easy as having IPA explicitly set the old nickname format in the deployment file it uses instead of using our defaults. A ticket should be filed for this in the FreeIPA trac instance.

Changes are currently under test.

The following shows the results of placing a CA, KRA, OCSP, TKS, and TPS inside a shared PKI instance:

NEW NICKNAMES of a CA, KRA, OCSP, TKS, TPS SHARED INSTANCE:
# certutil -d . -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA Signing Certificate for pki-tomcat CA                     CTu,Cu,Cu
Server Certificate for pki-tomcat                            u,u,u
Audit Signing Certificate for pki-tomcat CA                  u,u,Pu
Storage Certificate for pki-tomcat KRA                       u,u,u
OCSP Signing Certificate for pki-tomcat OCSP                 CTu,Cu,Cu
Audit Signing Certificate for pki-tomcat TKS                 u,u,Pu
OCSP Signing Certificate for pki-tomcat CA                   u,u,u
Subsystem Certificate for pki-tomcat                         u,u,u
Transport Certificate for pki-tomcat KRA                     u,u,u
Audit Signing Certificate for pki-tomcat KRA                 u,u,Pu
Audit Signing Certificate for pki-tomcat OCSP                u,u,Pu
Audit Signing Certificate for pki-tomcat TPS                 u,u,Pu

Alternatively, the following shows the results of placing a CA, KRA, OCSP, TKS, and TPS inside separated PKI instances:

NEW NICKNAMES of a CA SEPARATED INSTANCE:

# certutil -d . -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA Signing Certificate for pki-ca CA                         CTu,Cu,Cu
Server Certificate for pki-ca                                u,u,u
Audit Signing Certificate for pki-ca CA                      u,u,Pu
OCSP Signing Certificate for pki-ca CA                       u,u,u
Subsystem Certificate for pki-ca                             u,u,u

NEW NICKNAMES of a KRA SEPARATED INSTANCE:

# certutil -d . -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA Signing Certificate - example.com Security Domain         CT,c,
Storage Certificate for pki-kra KRA                          u,u,u
Subsystem Certificate for pki-kra                            u,u,u
Transport Certificate for pki-kra KRA                        u,u,u
Server Certificate for pki-kra                               u,u,u
Audit Signing Certificate for pki-kra KRA                    u,u,Pu

NEW NICKNAMES of an OCSP SEPARATED INSTANCE:

# certutil -d . -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA Signing Certificate - example.com Security Domain         CT,c,
Server Certificate for pki-ocsp                              u,u,u
Audit Signing Certificate for pki-ocsp OCSP                  u,u,Pu
OCSP Signing Certificate for pki-ocsp OCSP                   CTu,Cu,Cu
Subsystem Certificate for pki-ocsp                           u,u,u

NOTE:  Was not automatically connected to separated CA!
       Filed PKI TRAC Ticket #2348 - Separated OCSP instance does not
       automatically bind to its remote CA

NEW NICKNAMES of a TKS SEPARATED INSTANCE:

# certutil -d . -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA Signing Certificate - example.com Security Domain         CT,c,
Server Certificate for pki-tks                               u,u,u
Audit Signing Certificate for pki-tks TKS                    u,u,Pu
Subsystem Certificate for pki-tks                            u,u,u

NEW NICKNAMES of a TPS SEPARATED INSTANCE:

# certutil -d . -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CA Signing Certificate - example.com Security Domain         CT,c,
Server Certificate for pki-tps                               u,u,u
Audit Signing Certificate for pki-tps TPS                    u,u,Pu
Subsystem Certificate for pki-tps                            u,u,u

NOTE:  The shared secret from the separated TKS was not automatically
       imported into the separated TPS security databases!
       Filed PKI TRAC Ticket #2349 - Separated TPS does not automatically
       import shared secret from remote TKS

For reference, the following pkispawn override configuration files were utilized to produce the separated PKI instances:

PKISPAWN CONFIGURATION OVERRIDE file for a CA:

    [DEFAULT]
    pki_admin_password=Secret123
    pki_client_pkcs12_password=Secret123
    pki_ds_password=Secret123
    # Optionally keep client databases
    pki_client_database_purge=False
    # Separated CA instance name and ports
    pki_instance_name=pki-ca
    pki_http_port=18080
    pki_https_port=18443
    # Separated CA instance will be its own security domain
    pki_security_domain_https_port=18443
    [Tomcat]
    # Separated CA Tomcat ports
    pki_ajp_port=18009
    pki_tomcat_server_port=18005

PKISPAWN CONFIGURATION OVERRIDE file for a KRA:

    [DEFAULT]
    pki_admin_password=Secret123
    pki_client_database_password=Secret123
    pki_client_pkcs12_password=Secret123
    pki_ds_password=Secret123
    pki_security_domain_password=Secret123
    # Optionally keep client databases
    pki_client_database_purge=False
    # Separated KRA instance name and ports
    pki_instance_name=pki-kra
    pki_http_port=28080
    pki_https_port=28443
    # Separated KRA instance security domain references
    pki_issuing_ca=https://pki.example.com:18443
    pki_security_domain_hostname=pki.example.com
    pki_security_domain_https_port=18443
    pki_security_domain_user=caadmin
    [Tomcat]
    # Separated KRA Tomcat ports
    pki_ajp_port=28009
    pki_tomcat_server_port=28005
    [KRA]
    # Separated KRA instance requires its own PKI Administrator Certificate
    pki_import_admin_cert=False


PKISPAWN CONFIGURATION OVERRIDE file for an OCSP:

    [DEFAULT]
    pki_admin_password=Secret123
    pki_client_database_password=Secret123
    pki_client_pkcs12_password=Secret123
    pki_ds_password=Secret123
    pki_security_domain_password=Secret123
    # Optionally keep client databases
    pki_client_database_purge=False
    # Separated OCSP instance name and ports
    pki_instance_name=pki-ocsp
    pki_http_port=29080
    pki_https_port=29443
    # Separated OCSP instance security domain references
    pki_issuing_ca=https://pki.example.com:18443
    pki_security_domain_hostname=pki.example.com
    pki_security_domain_https_port=18443
    pki_security_domain_user=caadmin
    [Tomcat]
    # Separated OCSP Tomcat ports
    pki_ajp_port=29009
    pki_tomcat_server_port=29005
    [OCSP]
    # Separated OCSP instance requires its own PKI Administrator Certificate
    pki_import_admin_cert=False


PKISPAWN CONFIGURATION OVERRIDE file for a TKS:

    [DEFAULT]
    pki_admin_password=Secret123
    pki_client_database_password=Secret123
    pki_client_pkcs12_password=Secret123
    pki_ds_password=Secret123
    pki_security_domain_password=Secret123
    # Optionally keep client databases
    pki_client_database_purge=False
    # Separated TKS instance name and ports
    pki_instance_name=pki-tks
    pki_http_port=30080
    pki_https_port=30443
    # Separated TKS instance security domain references
    pki_issuing_ca=https://pki.example.com:18443
    pki_security_domain_hostname=pki.example.com
    pki_security_domain_https_port=18443
    pki_security_domain_user=caadmin
    [Tomcat]
    # Separated TKS Tomcat ports
    pki_ajp_port=30009
    pki_tomcat_server_port=30005
    [TKS]
    # Separated TKS instance requires its own PKI Administrator Certificate
    pki_import_admin_cert=False


PKISPAWN CONFIGURATION OVERRIDE file for a TPS:

    [DEFAULT]
    pki_admin_password=Secret123
    pki_client_database_password=Secret123
    pki_client_pkcs12_password=Secret123
    pki_ds_password=Secret123
    pki_security_domain_password=Secret123
    # Optionally keep client databases
    pki_client_database_purge=False
    # Separated TPS instance name and ports
    pki_instance_name=pki-tps
    pki_http_port=31080
    pki_https_port=31443
    # Separated TPS instance security domain references
    pki_issuing_ca=https://pki.example.com:18443
    pki_security_domain_hostname=pki.example.com
    pki_security_domain_https_port=18443
    pki_security_domain_user=caadmin
    [Tomcat]
    # Separated TPS Tomcat ports
    pki_ajp_port=31009
    pki_tomcat_server_port=31005
    [TPS]
    # Separated TPS instance requires specifying a remote CA
    pki_ca_uri=https://pki.example.com:18443
    # Separated TPS instance optionally utilizes a remote KRA for server-side keygen
    pki_kra_uri=https://pki.example.com:28443
    pki_enable_server_side_keygen=True
    pki_authdb_basedn=dc=example,dc=com
    # Separated TPS instance requires specifying a remote TKS
    pki_tks_uri=https://pki.example.com:30443
    pki_import_shared_secret=True
    # Separated TPS instance requires its own PKI Administrator Certificate
    pki_import_admin_cert=False

As a reference, this change should not affect IPA because IPA does in fact override the defaults in its pkispawn config file.

To wit, in cainstance.py:

# Certificate nicknames
config.set("CA", "pki_subsystem_nickname", "subsystemCert cert-pki-ca")
config.set("CA", "pki_ocsp_signing_nickname", "ocspSigningCert cert-pki-ca")
config.set("CA", "pki_ssl_server_nickname", "Server-Cert cert-pki-ca")
config.set("CA", "pki_audit_signing_nickname", "auditSigningCert cert-pki-ca")
config.set("CA", "pki_ca_signing_nickname", "caSigningCert cert-pki-ca")

And in krainstance.py:

    # Certificate nicknames
    # Note that both the server certs and subsystem certs reuse
    # the ca certs.
    config.set("KRA", "pki_subsystem_nickname",
               "subsystemCert cert-pki-ca")
    config.set("KRA", "pki_ssl_server_nickname",
               "Server-Cert cert-pki-ca")
    config.set("KRA", "pki_audit_signing_nickname",
               "auditSigningCert cert-pki-kra")
    config.set("KRA", "pki_transport_nickname",
               "transportCert cert-pki-kra")
    config.set("KRA", "pki_storage_nickname",
               "storageCert cert-pki-kra")

Similarly (for nicknames):

    # Certificate nicknames
    # Note that both the server certs and subsystem certs reuse
    # the ca certs.
    config.set("KRA", "pki_subsystem_nickname",
               "subsystemCert cert-pki-ca")
    config.set("KRA", "pki_ssl_server_nickname",
               "Server-Cert cert-pki-ca")
    config.set("KRA", "pki_audit_signing_nickname",
               "auditSigningCert cert-pki-kra")
    config.set("KRA", "pki_transport_nickname",
               "transportCert cert-pki-kra")
    config.set("KRA", "pki_storage_nickname",
               "storageCert cert-pki-kra")

and:

    # Certificate nicknames
    config.set("CA", "pki_subsystem_nickname", "subsystemCert cert-pki-ca")
    config.set("CA", "pki_ocsp_signing_nickname", "ocspSigningCert cert-pki-ca")
    config.set("CA", "pki_ssl_server_nickname", "Server-Cert cert-pki-ca")
    config.set("CA", "pki_audit_signing_nickname", "auditSigningCert cert-pki-ca")
    config.set("CA", "pki_ca_signing_nickname", "caSigningCert cert-pki-ca")

Although the attached patch worked successfully for shared and separated Dogtag instances, and a very simple IPA server test, concerns arose during discussion regarding untested issues such as:

  • upgrade
  • migration
  • interaction between previously installed instances
  • etc.

As a consequence, it was determined to err on the side of caution, and defer this bug until 10.4.

Metadata Update from @edewata:
- Issue assigned to mharmsen
- Issue set to the milestone: UNTRIAGED

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/1003

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

Metadata Update from @dmoluguw:
- Issue close_status updated to: migrated
- Issue status updated to: Closed (was: Open)

3 years ago
