Currently the CLI will warn the user about the following certificate validation errors:
The CLI does not reject them outright because under certain circumstances the errors are acceptable to the user, for example with a temporary certificate or when a short hostname is used.
Ideally the CLI should show the warning/error messages and prompt the user whether to continue with the operation, just like Firefox.
CAVEAT: There is a well-founded dissenting opinion that some of these certificate validation errors should always be disallowed since CS is a security product (i.e., not a browser). This implies that this issue should be thoroughly discussed prior to any final decision/code changes.
If it is decided that the appropriate implementation would be to fail on "BAD_CERT_DOMAIN", at the very least, we should not only put out an "ERROR" message (rather than a "WARNING"), but also provide descriptive text to the end user on why it failed and how this failure can be corrected (i.e., utilize the FQDN of the hostname rather than just the short form of the hostname).
pkispawn relies on the client library to configure the newly created instance. Since the instance at this point only has a temporary certificate, certain errors such as UNTRUSTED_ISSUER and CA_CERT_INVALID must be ignored by the client library.
It's possible to modify the client library to ignore a specific list of errors for installation only, but in general we should avoid hardcoding any variable/logic in the client library because once installed on the user's machine it's harder to control it.
A more generic solution would be to add a parameter to specify the list of errors to be ignored:
pki --ignore-errors UNTRUSTED_ISSUER,CA_CERT_INVALID <command>
This way pkispawn can specify the list of errors to be ignored, while the parameter is still generic enough for users who need to use it.
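The ignore-list behaviour proposed above, combined with the descriptive BAD_CERT_DOMAIN message requested in the caveat, worked through as an added Python example. This is illustrative code, not the pki client library's own implementation; the function names, the remediation texts and the restriction to the three error names mentioned in this thread are assumptions.

```python
"""Illustrative policy for certificate validation errors in a CLI (added
example, not Dogtag's client library).  Errors on the ignore list are
reported as WARNING and the operation continues; any other error is
reported as ERROR with a remediation hint and the operation is aborted."""

# Error names this thread mentions.  Assumption: the real TLS approval
# callback reports a wider set; only these three are modelled here.
KNOWN_ERRORS = {
    "BAD_CERT_DOMAIN": (
        "common-name mismatch",
        "connect using the server's fully qualified hostname (FQDN) "
        "rather than its short hostname so it matches the certificate CN",
    ),
    "UNTRUSTED_ISSUER": (
        "non-trusted CA cert",
        "import the CA certificate into the client's NSS database, or "
        "ignore this error only while the instance has a temporary cert",
    ),
    "CA_CERT_INVALID": (
        "invalid CA cert",
        "replace the temporary CA certificate; ignore this error only "
        "during installation",
    ),
}


def parse_ignore_list(value):
    """Parse '--ignore-errors A,B' into a set of error names.  Unknown
    names are rejected so that a typo cannot silently disable a check."""
    names = {n.strip().upper() for n in value.split(",") if n.strip()}
    unknown = names - set(KNOWN_ERRORS)
    if unknown:
        raise ValueError("unknown certificate error(s): "
                         + ", ".join(sorted(unknown)))
    return names


def evaluate(errors, subject_dn, ignored=frozenset()):
    """Return (proceed, messages) for the validation errors seen on one
    server certificate.  Ignored errors warn; everything else is fatal."""
    messages, proceed = [], True
    for err in errors:
        meaning, fix = KNOWN_ERRORS.get(
            err, ("unrecognized validation error", "contact the administrator"))
        if err in ignored:
            messages.append(f"WARNING: {err} encountered on '{subject_dn}' "
                            f"indicates a {meaning}")
        else:
            messages.append(f"ERROR: {err} encountered on '{subject_dn}' "
                            f"indicates a {meaning}; {fix}")
            proceed = False
    return proceed, messages
```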
Reference TRAC Ticket #488 - Dogtag 10: Fix cli 'cert-find' clientAuth issue changes which yield the following behaviors:
script -c "pkispawn -s CA -f /tmp/pki/cs.cfg -vvv"
successfully installed and configured with no ERRORs/WARNINGs, enrolled for a certificate, and approved a certificate

pki -h foobar -P https -p 8443 cert-find
WARNING: BAD_CERT_DOMAIN encountered on 'CN=foobar.example.com,O=example.com Security Domain' indicates a common-name mismatch
WARNING: UNTRUSTED ISSUER encountered on 'CN=foobar.example.com,O=example.com Security Domain' indicates a non-trusted CA cert
------------------------
7 certificate(s) matched
------------------------
  Serial Number: 0x1
  Subject DN: CN=CA Signing Certificate,O=example.com Security Domain
  Status: VALID

  Serial Number: 0x2
  Subject DN: CN=CA OCSP Signing Certificate,O=example.com Security Domain
  Status: VALID

  Serial Number: 0x3
  Subject DN: CN=foobar.example.com,O=example.com Security Domain
  Status: VALID

  Serial Number: 0x4
  Subject DN: CN=CA Subsystem Certificate,O=example.com Security Domain
  Status: VALID

  Serial Number: 0x5
  Subject DN: CN=CA Audit Signing Certificate,O=example.com Security Domain
  Status: VALID

  Serial Number: 0x6
  Subject DN: CN=PKI Administrator,E=caadmin@example.com,O=example.com Security Domain
  Status: VALID

  Serial Number: 0x7
  Subject DN: UID=test
  Status: VALID
----------------------------
Number of entries returned 7
----------------------------

pki -h foobar.example.com -P https -p 8443 cert-find
WARNING: UNTRUSTED ISSUER encountered on 'CN=foobar.example.com,O=example.com Security Domain' indicates a non-trusted CA cert
------------------------
7 certificate(s) matched
------------------------
  Serial Number: 0x1
  Subject DN: CN=CA Signing Certificate,O=example.com Security Domain
  Status: VALID

  Serial Number: 0x2
  Subject DN: CN=CA OCSP Signing Certificate,O=example.com Security Domain
  Status: VALID

  Serial Number: 0x3
  Subject DN: CN=foobar.example.com,O=example.com Security Domain
  Status: VALID

  Serial Number: 0x4
  Subject DN: CN=CA Subsystem Certificate,O=example.com Security Domain
  Status: VALID

  Serial Number: 0x5
  Subject DN: CN=CA Audit Signing Certificate,O=example.com Security Domain
  Status: VALID

  Serial Number: 0x6
  Subject DN: CN=PKI Administrator,E=caadmin@example.com,O=example.com Security Domain
  Status: VALID

  Serial Number: 0x7
  Subject DN: UID=test
  Status: VALID
----------------------------
Number of entries returned 7
----------------------------

pki -h foobar -P https -p 8443 -n "PKI Administrator for example.com" -w XXXXXXXX -d . cert-find
WARNING: BAD_CERT_DOMAIN encountered on 'CN=foobar.example.com,O=example.com Security Domain' indicates a common-name mismatch
WARNING: BAD_CERT_DOMAIN encountered on 'CN=foobar.example.com,O=example.com Security Domain' indicates a common-name mismatch
------------------------
7 certificate(s) matched
------------------------
  Serial Number: 0x1
  Subject DN: CN=CA Signing Certificate,O=example.com Security Domain
  Status: VALID

  Serial Number: 0x2
  Subject DN: CN=CA OCSP Signing Certificate,O=example.com Security Domain
  Status: VALID

  Serial Number: 0x3
  Subject DN: CN=foobar.example.com,O=example.com Security Domain
  Status: VALID

  Serial Number: 0x4
  Subject DN: CN=CA Subsystem Certificate,O=example.com Security Domain
  Status: VALID

  Serial Number: 0x5
  Subject DN: CN=CA Audit Signing Certificate,O=example.com Security Domain
  Status: VALID

  Serial Number: 0x6
  Subject DN: CN=PKI Administrator,E=caadmin@example.com,O=example.com Security Domain
  Status: VALID

  Serial Number: 0x7
  Subject DN: UID=test
  Status: VALID
----------------------------
Number of entries returned 7
----------------------------

pki -h foobar.example.com -P https -p 8443 -n "PKI Administrator for example.com" -w XXXXXXXX -d . cert-find
------------------------
7 certificate(s) matched
------------------------
  Serial Number: 0x1
  Subject DN: CN=CA Signing Certificate,O=example.com Security Domain
  Status: VALID

  Serial Number: 0x2
  Subject DN: CN=CA OCSP Signing Certificate,O=example.com Security Domain
  Status: VALID

  Serial Number: 0x3
  Subject DN: CN=foobar.example.com,O=example.com Security Domain
  Status: VALID

  Serial Number: 0x4
  Subject DN: CN=CA Subsystem Certificate,O=example.com Security Domain
  Status: VALID

  Serial Number: 0x5
  Subject DN: CN=CA Audit Signing Certificate,O=example.com Security Domain
  Status: VALID

  Serial Number: 0x6
  Subject DN: CN=PKI Administrator,E=caadmin@example.com,O=example.com Security Domain
  Status: VALID

  Serial Number: 0x7
  Subject DN: UID=test
  Status: VALID
----------------------------
Number of entries returned 7
----------------------------
Per meeting in Mountain View, we will:
master:
Metadata Update from @edewata:
- Issue assigned to edewata
- Issue set to the milestone: 10.0.2
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/1062
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.