#124 getcert resubmit overwrites an existing key
Closed: fixed 5 months ago by rcritten. Opened 6 months ago by linkvt.

Hi,

I just noticed a bug when trying to renew a certificate with my existing key where getcert resubmit overwrites the existing key.

In my Ansible playbooks I create a private key with a size of 4096.
I proceed to create my via getcert request ... without specifying a keysize which results in a valid certificate after a short period of time, the key didn't change and everything is fine.
After that I use getcert resubmit -i request-id which results in a new certificate but also changes my private key which is now only 2048 bits long (as it seems).

I looked into the code and noticed that resubmit and rekey are done via the same function, it seems that the code doesn't make a difference here for the two commands.

Workarounds:

  • specify the key size when requesting the certificate initally (-g size) - resubmit doesn't generate a new key then
  • specify the key size with the undocumented parameter -g size (as with the initial request) - the existing key of 4096 bits won't be touched, too.

As I'm not sufficient with C I can't really provide a pull request but if you need more infos I will of course provide them.

Thanks,
Vincent


Metadata Update from @rcritten:
- Issue assigned to rcritten

6 months ago

I haven't been able to reproduce this manually. Here is what I did using IPA as the CA (ipa-getcert is equivalent to getcert -c IPA).

Get the initial cert

ipa service-add test/hostname
ipa-getcert request -g 4096 -f /etc/pki/tls/certs/test.pem -k /etc/pki/tls/private/test.key -K test/hostname

Confirm that the key is 4096

openssl x509 -text -in /etc/pki/tls/certs/test.pem | egrep "Public-Key|Serial"
Serial Number: 12 (0xc)
RSA Public-Key: (4096 bit)

Resubmit and re-verify:

getcert resubmit -f /etc/pki/tls/certs/test.pem
openssl x509 -text -in /etc/pki/tls/certs/test.pem | egrep "Public-Key|Serial"
Serial Number: 13 (0xd)
RSA Public-Key: (4096 bit)

This shows that a new cert is being issued (new serial number) and the key remains at least the same size.

I verified between runs that the Modulus didn't change so the private key remained the same.

I spotted some differences that probably make you not see the same issue.
I created my key with another tool - in this case ansible. Ansible creates a 4096 bit key for me.
Afterwards I request the key without -g which makes getcert probably use the default key size of 2048 bit. Specifying -g is one of the workarounds I described :).

You should be able to reproduce this by creating a 4096bit key first and skipping the -g parameter. But I can't guarantee that 4096 is not a default for your getcert version as I didn't check the code.
If you still can't confirm my issue I can post the commands step by step, but I'm currently not able to as I'm traveling, thanks!

Ok I've duplicated it.

I generated the key using:

openssl genrsa -out /etc/pki/tls/private/test.key 4096

And got the modulus with:

openssl rsa -in /etc/pki/tls/private/test.key -modulus

Then followed the initial cert steps as before and had a 4k key with matching modulus.

Resubmitting it got me a 2k key so yeah, it must have re-keyed for some reason.

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

5 months ago

Login to comment on this ticket.

Metadata