From "Manage Certificates", "Request" - the wizard generates keys of only 1024 bits in length. The minimum needed for (all?) CAs that are non-self-signed now is 2048.
This requires using the command line to generate the CSR for a signed cert outside the organization.
The request wizard should have an option to change bit size, or at least default to the minimum required for security (now 2048).
```
389-ds-console-1.2.6-1.el6.noarch
389-adminutil-1.1.15-1.el6.x86_64
389-console-1.1.7-1.el6.noarch
389-dsgw-1.1.9-1.el6.x86_64
389-admin-1.1.29-1.el6.x86_64
389-admin-console-doc-1.1.8-1.el6.noarch
389-ds-base-1.2.10.7-1.el6.x86_64
389-ds-console-doc-1.2.6-1.el6.noarch
389-ds-base-libs-1.2.10.7-1.el6.x86_64
389-ds-1.2.2-1.el6.noarch
389-admin-console-1.1.8-1.el6.noarch
```
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=844764 (''Red Hat Directory Server'')
set default ticket origin to Community
Added initial screened field value.
Tried to get a new CSR today, found this is still a problem. (Thus checked here.)
There's no point in having the functionality in the Wizard at this point, IMO, and if we can't have a usable key size, that should be in the wizard "This is usable only for self-signed, use command line for signed keys", for instance.
```
[root@ds4 dirsrv]# yum list |grep 389
389-admin.x86_64                 1.1.29-1.el6          @epel
389-admin-console.noarch         1.1.8-1.el6           @epel
389-admin-console-doc.noarch     1.1.8-1.el6           @epel
389-adminutil.x86_64             1.1.15-1.el6          @epel
389-console.noarch               1.1.7-1.el6           @epel
389-ds.noarch                    1.2.2-1.el6           @epel
389-ds-base.x86_64               1.2.11.15-14.el6_4    @rhel-x86_64-server-6
389-ds-base-libs.x86_64          1.2.11.15-14.el6_4    @rhel-x86_64-server-6
389-ds-console.noarch            1.2.6-1.el6           @epel
389-ds-console-doc.noarch        1.2.6-1.el6           @epel
389-dsgw.x86_64                  1.1.10-1.el6          @epel
389-admin.i686                   1.1.29-1.el6          epel
389-adminutil.i686               1.1.15-1.el6          epel
389-adminutil-devel.i686         1.1.15-1.el6          epel
389-adminutil-devel.x86_64       1.1.15-1.el6          epel
389-ds-base-devel.i686           1.2.11.15-14.el6_4    rhel-x86_64-server-optional-6
389-ds-base-devel.x86_64         1.2.11.15-14.el6_4    rhel-x86_64-server-optional-6
389-ds-base-libs.i686            1.2.11.15-14.el6_4    rhel-x86_64-server-6
[root@ds4 dirsrv]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.4 (Santiago)
```
In addition to changing the default key size (and making it configurable), we should change the default for the signature algorithm to sha1WithRSAEncryption.
Admin Server diffs 0001-Ticket-362-Directory-Console-generates-insufficient-.patch
The Admin Server patch improves the default RSA key size and signing algorithm. No Console changes are needed to take advantage of these new defaults. The new defaults are:
The patch also gives the CGI the capability to support a configurable RSA key size up to 4096 as well as SHA-256, SHA-384, and SHA-512 signing algorithms. To take advantage of this capability, changes need to be made to idm-console-framework to allow the user to make selections.
Here is a certificate request generated by invoking the security CGI (with patch) from an unmodified Console. As can be seen, the key size is 2048 and the signing algorithm is SHA-1:
```
[nathank@neptune ~]$ openssl req -in /tmp/csr2.txt -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=California, CN=test.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a9:fc:88:b9:8f:92:f8:7f:16:78:5b:77:60:bb:
                    73:da:d9:4c:bd:86:d8:a8:7d:e2:6a:b3:9c:2f:11:
                    8a:ea:21:85:4e:71:ef:1d:27:10:34:da:66:97:25:
                    13:6c:5f:ad:e3:bd:31:1b:c0:5b:ed:80:de:4c:f6:
                    72:ae:58:21:e9:0d:90:97:b8:1e:07:5a:94:f7:7a:
                    2e:95:af:d7:c6:3e:fb:c7:c6:80:01:b6:aa:b9:09:
                    0e:05:b5:a9:f8:3e:db:09:45:d9:19:3b:3d:4a:9a:
                    4e:1c:4a:f0:a3:49:67:3e:82:a3:f3:1e:d1:4f:0d:
                    da:9f:5d:9e:f3:57:8d:ae:6b:c0:20:2d:67:8a:d3:
                    91:4b:b3:fa:31:80:3c:27:9a:1a:b2:36:32:07:31:
                    87:2c:87:2b:c0:d5:06:62:c4:66:a7:96:31:0c:8c:
                    16:60:27:5f:21:75:85:6d:02:f5:c4:ba:40:2b:70:
                    59:5d:4c:f8:39:c5:b8:ef:b8:11:07:c2:fd:6a:09:
                    84:87:7d:c5:f8:e5:ed:c1:77:22:c1:f6:13:60:3b:
                    70:10:59:90:f6:74:17:0f:15:55:10:1b:e8:88:0d:
                    af:85:5f:5f:6d:62:13:ff:87:d4:1d:d4:4f:d5:11:
                    04:b6:ed:eb:66:e8:46:dd:9e:0b:ba:b3:6c:69:ac:
                    57:81
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha1WithRSAEncryption
        90:45:58:8b:f4:6c:42:b1:51:e9:52:b1:59:96:f4:24:a2:30:
        22:26:03:6b:61:d8:c7:9c:1c:d0:ac:90:9a:fc:3b:44:d5:ac:
        52:77:73:79:3d:ae:50:9c:65:02:b3:6d:c2:ca:22:1b:33:f2:
        67:6b:20:f9:65:4a:c0:1c:28:a3:39:19:c6:d8:b0:4d:a3:93:
        de:e2:56:d9:09:0a:0e:64:8a:9b:12:64:76:09:41:26:7f:88:
        ee:bc:e1:04:e4:a8:93:be:c8:27:06:74:3f:1d:2c:f3:30:a4:
        fd:45:60:12:7d:2f:47:73:e3:12:de:d4:22:f8:e2:29:2a:13:
        b7:8d:2e:b6:c2:d4:ce:42:4f:f7:f7:05:f7:6d:19:60:8f:8b:
        db:39:37:bf:9c:3a:56:90:91:bf:33:5a:7f:14:4d:56:45:b9:
        df:e2:d1:e8:b2:db:6a:6b:5e:ab:51:2a:be:fb:0f:b7:f4:85:
        65:94:25:0d:00:ea:b6:ed:ad:48:19:f7:6a:bf:c0:79:80:6e:
        1d:e5:18:08:65:78:37:a8:7a:a5:0b:95:6a:9d:93:25:35:60:
        4f:b3:39:21:48:c9:ce:ea:c7:01:8c:84:17:2c:22:ff:35:93:
        ef:9b:bc:0b:94:04:6e:23:1a:de:38:2d:fb:c2:ec:80:5d:cc:
        f2:6b:1d:b8
```
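The two CSR properties this ticket is about, the RSA modulus size and the hash behind the self-signature, can be checked mechanically rather than by reading `openssl req -text` output. The following is an added example, not code from the ticket, the Admin Server patch or 389-ds: a standard-library-only DER walker that flags keys under 2048 bits and MD5/SHA-1 signature hashes. Because the CSR shown above is not attached to the ticket, the block constructs its own unsigned test CSR with a fake modulus.

```python
# Added example (not 389-ds code); stdlib only. The CSR checked below is constructed.
MIN_RSA_BITS = 2048
PKCS1 = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01"  # DER body of OID 1.2.840.113549.1.1
SIG_HASH = {PKCS1 + b"\x04": "md5", PKCS1 + b"\x05": "sha1", PKCS1 + b"\x0b": "sha256",
            PKCS1 + b"\x0c": "sha384", PKCS1 + b"\x0d": "sha512"}
WEAK_HASHES = {"md5", "sha1", "unknown"}

def der_read(buf, pos=0):
    """Decode the DER element at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Child elements (tag, value) of a SEQUENCE body."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out

def check_csr(der_csr):
    """Return (rsa_bits, hash_name, findings) for a DER-encoded RSA PKCS#10 CSR."""
    (_, info), (_, sig_alg), _sig = der_children(der_read(der_csr)[1])
    _ver, _subj, (_, spki), *_attrs = der_children(info)
    # spki = { algorithm, BIT STRING }; skip the unused-bits byte, then RSAPublicKey {n, e}
    (_, modulus), _exp = der_children(der_read(der_children(spki)[1][1], 1)[1])
    bits = int.from_bytes(modulus, "big").bit_length()
    hash_name = SIG_HASH.get(der_children(sig_alg)[0][1], "unknown")
    findings = [f"RSA key is {bits} bits, minimum is {MIN_RSA_BITS}"] if bits < MIN_RSA_BITS else []
    if hash_name in WEAK_HASHES:
        findings.append(f"signature hash '{hash_name}' is not acceptable")
    return bits, hash_name, findings

def der(tag, body):
    """Encode one DER element with a definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def build_test_csr(bits, sig_oid):
    """Constructed, unsigned CSR whose fake RSA modulus has exactly `bits` bits."""
    modulus = der(0x02, b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big"))
    rsa_key = der(0x30, modulus + der(0x02, b"\x01\x00\x01"))  # RSAPublicKey {n, e=65537}
    spki = der(0x30, der(0x30, der(0x06, PKCS1 + b"\x01") + b"\x05\x00") + der(0x03, b"\x00" + rsa_key))
    info = der(0x30, der(0x02, b"\x00") + der(0x30, b"") + spki + der(0xA0, b""))  # v0, empty subject
    return der(0x30, info + der(0x30, der(0x06, sig_oid) + b"\x05\x00") + der(0x03, b"\x00" + bytes(16)))
```

`check_csr(build_test_csr(1024, PKCS1 + b"\x05"))` reports both findings the ticket describes (1024-bit key, SHA-1), while a 2048-bit/SHA-256 CSR passes clean; to check a real request, pass the DER bytes (`openssl req -in csr.pem -outform DER`).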
idm-console-framework diffs 0001-Ticket-362-Directory-Console-generates-insufficient-.2.patch
389-admin-console diffs 0001-Ticket-362-Directory-Console-generates-insufficient-.3.patch
The idm-console-framework patch implements a new UI panel in the certificate request wizard that is used by the DS and Admin Server console. A screenshot of this new panel will be attached to this ticket.
The 389-admin-console patch is only needed to add the online help page that is accessed when you click on the "help" button on the new panel in the Console.
Screenshot: ![console-keypanel.png](/389-ds-base/issue/raw/files/74f39e3b7a4e9b22325d6022c87c9d8cd19e23c1902127232ae85de3610de84f-console-keypanel.png)
Thanks to Noriko for her review. Patches pushed to master:
```
Counting objects: 9, done.
Delta compression using up to 8 threads.
Compressing objects: 100% (5/5), done.
Writing objects: 100% (5/5), 1.16 KiB, done.
Total 5 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/admin.git
   5c52dd5..4555aff  master -> master

Counting objects: 24, done.
Delta compression using up to 8 threads.
Compressing objects: 100% (10/10), done.
Writing objects: 100% (13/13), 3.47 KiB, done.
Total 13 (delta 7), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/idm-console-framework.git
   d37a577..e043c5b  master -> master

Counting objects: 12, done.
Delta compression using up to 8 threads.
Compressing objects: 100% (6/6), done.
Writing objects: 100% (7/7), 1.08 KiB, done.
Total 7 (delta 3), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/admin-console.git
   48237b2..91568bd  master -> master
```
Metadata Update from @nkinder:
- Issue assigned to nkinder
- Issue set to the milestone: 389-admin,console 1.1.35
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/362
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)