Hi,
I just noticed a bug when trying to renew a certificate with my existing key where getcert resubmit overwrites the existing key.
In my Ansible playbooks I create a private key with a size of 4096. I proceed to create my certificate via getcert request ... without specifying a keysize, which results in a valid certificate after a short period of time; the key didn't change and everything is fine. After that I use getcert resubmit -i request-id, which results in a new certificate but also changes my private key, which is now only 2048 bits long (as it seems).
I looked into the code and noticed that resubmit and rekey are done via the same function, it seems that the code doesn't make a difference here for the two commands.
Workarounds:
-g size
As I'm not proficient with C I can't really provide a pull request, but if you need more info I will of course provide it.
Thanks, Vincent
Metadata Update from @rcritten: - Issue assigned to rcritten
I haven't been able to reproduce this manually. Here is what I did using IPA as the CA (ipa-getcert is equivalent to getcert -c IPA).
ipa service-add test/hostname
ipa-getcert request -g 4096 -f /etc/pki/tls/certs/test.pem -k /etc/pki/tls/private/test.key -K test/hostname

openssl x509 -text -in /etc/pki/tls/certs/test.pem | egrep "Public-Key|Serial"
        Serial Number: 12 (0xc)
                RSA Public-Key: (4096 bit)

getcert resubmit -f /etc/pki/tls/certs/test.pem
openssl x509 -text -in /etc/pki/tls/certs/test.pem | egrep "Public-Key|Serial"
        Serial Number: 13 (0xd)
                RSA Public-Key: (4096 bit)
This shows that a new cert is being issued (new serial number) and the key remains at least the same size.
I verified between runs that the Modulus didn't change so the private key remained the same.
I spotted some differences that probably make you not see the same issue. I created my key with another tool, in this case Ansible. Ansible creates a 4096-bit key for me. Afterwards I request the key without -g, which makes getcert probably use the default key size of 2048 bits. Specifying -g is one of the workarounds I described :).
You should be able to reproduce this by creating a 4096-bit key first and skipping the -g parameter. But I can't guarantee that 4096 is not a default for your getcert version, as I didn't check the code. If you still can't confirm my issue I can post the commands step by step, but I'm currently not able to as I'm traveling, thanks!
Ok I've duplicated it.
I generated the key using:
openssl genrsa -out /etc/pki/tls/private/test.key 4096
And got the modulus with:
openssl rsa -in /etc/pki/tls/private/test.key -modulus
Then followed the initial cert steps as before and had a 4k key with matching modulus.
Resubmitting it got me a 2k key so yeah, it must have re-keyed for some reason.
https://pagure.io/certmonger/pull-request/131
023cfd2
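The modulus comparison rcritten used to confirm the re-keying, turned into a post-renewal check that a playbook could run after every resubmit. This is an added example, not code from certmonger or from this thread; it assumes openssl is installed and uses a self-signed certificate in place of the CA-issued one, since the check itself is the same.

```shell
#!/bin/sh
# Added example (not part of certmonger): after a renewal, verify that the private
# key on disk is still the one the certificate was issued for and that it kept its
# expected size. A silent re-key shows up as a modulus mismatch or a smaller key.
set -eu

# Print a short fingerprint of the RSA modulus of a PEM key or certificate.
modulus_fp() {  # $1 = key|cert, $2 = path
    if [ "$1" = key ]; then
        openssl rsa -in "$2" -noout -modulus 2>/dev/null
    else
        openssl x509 -in "$2" -noout -modulus
    fi | openssl dgst -sha256 | awk '{print $NF}'
}

# Print the RSA key size in bits of a PEM private key (works for OpenSSL 1.x and 3.x).
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*$/\1/p'
}

# Return 0 only if key and cert share a modulus (rc 1 otherwise) and the key has
# the expected size in bits (rc 2 otherwise).
check_keypair() {  # $1 = key path, $2 = cert path, $3 = expected bits
    [ "$(modulus_fp key "$1")" = "$(modulus_fp cert "$2")" ] || return 1
    [ "$(key_bits "$1")" = "$3" ] || return 2
}

demo() {
    d=$(mktemp -d)
    # Same starting point as the reproduction in the thread: a 4096-bit key.
    openssl genrsa -out "$d/test.key" 4096 2>/dev/null
    # Self-signed certificate stands in for the one issued by the CA.
    openssl req -new -x509 -key "$d/test.key" -subj /CN=test -days 1 -out "$d/test.pem" 2>/dev/null
    check_keypair "$d/test.key" "$d/test.pem" 4096 && echo "after request: key matches cert, 4096 bits"
    # Simulate the bug: the key file is silently replaced by a fresh 2048-bit key.
    openssl genrsa -out "$d/test.key" 2048 2>/dev/null
    check_keypair "$d/test.key" "$d/test.pem" 4096 || echo "after resubmit: check failed (rc=$?), key was replaced"
    rm -rf "$d"
}

demo
```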
Metadata Update from @rcritten: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)