#63 Certmonger is unable to use encrypted private key to submit a CSR
Opened 7 years ago by stlaz. Modified 3 years ago

When trying to generate certificates, Certmonger is able to generate a client certificate and an encrypted private key in a separate file but is unable to use it.

Steps to reproduce
1. Create a password to encrypt a private key with and store it in a file
2. Generate a certificate with an encrypted private key in separate files (the key is encrypted with a password from 1.)
3. Try to use the generated certificate and key files along with the password file to request a new certificate from Dogtag

Expected result:
Successfully receive a new certificate

Actual result:

Error 58 connecting to https://vm-076.abc.idm.lab.eng.brq.redhat.com:8443/ca/ee/ca/profileSubmitSSLClient: Problem with the local SSL certificate.

Metadata Update from @stlaz:
- Issue set to the milestone: 0.0 NEEDS_TRIAGE

7 years ago

I can't reproduce this:

# ipa-getcert request -f /etc/pki/tls/certs/test.pem -k /etc/pki/tls/private/test.key -K test/hostname -D hostname -w -v --pin 1234
# head -1 /etc/pki/tls/private/test.key
-----BEGIN ENCRYPTED PRIVATE KEY-----
# getcert list -f /etc/pki/tls/certs/test.pem | grep expire
expires: 2023-02-17 19:29:55 UTC

Now I resubmit:

# ipa-getcert resubmit -f /etc/pki/tls/certs/test.pem -K test/hostname -D hostname -w -v
# head -1 /etc/pki/tls/private/test.key
-----BEGIN ENCRYPTED PRIVATE KEY-----
# getcert list -f /etc/pki/tls/certs/test.pem | grep expire
expires: 2023-02-17 19:31:38 UTC

It re-issued the cert just fine and I didn't need to provide the pin as certmonger knows it.

Metadata Update from @rcritten:
- Issue close_status updated to: None

3 years ago
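
The reply above uses `head -1` to confirm the key on disk is still encrypted. As an added example (not from the ticket or from certmonger), this shell function extends that check to the traditional PEM format, where the first line does not say ENCRYPTED and the marker is a `Proc-Type: 4,ENCRYPTED` header on the following line. The function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a PEM private key file by how its encryption is marked.

# key_pem_state FILE prints one of:
#   pkcs8-encrypted   first key block is "BEGIN ENCRYPTED PRIVATE KEY"
#   legacy-encrypted  "BEGIN <ALG> PRIVATE KEY" followed by "Proc-Type: 4,ENCRYPTED"
#   unencrypted       a private key block with neither marker
#   no-key            no private key PEM block found
key_pem_state() {
    [ -r "$1" ] || { echo "unreadable"; return 1; }
    awk '
        /^-----BEGIN ENCRYPTED PRIVATE KEY-----/ { state = "pkcs8-encrypted"; exit }
        /^-----BEGIN ([A-Z]+ )?PRIVATE KEY-----/ { state = "unencrypted"; inkey = 1; next }
        inkey && /^Proc-Type: 4,ENCRYPTED/       { state = "legacy-encrypted"; exit }
        inkey && /^-----END /                    { exit }
        END { print (state == "" ? "no-key" : state) }
    ' "$1"
}

# make_samples DIR writes three constructed key files (bodies are placeholder
# base64, not real key material).
make_samples() {
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$1/pkcs8.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-256-CBC,00000000000000000000000000000000' '' \
        'Q09OU1RSVUNURUQ=' '-----END RSA PRIVATE KEY-----' > "$1/legacy.key"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
        '-----END PRIVATE KEY-----' > "$1/plain.key"
}

# Run the classifier over the constructed samples.
d=$(mktemp -d) && make_samples "$d"
for f in "$d"/*.key; do
    printf '%s: %s\n' "${f##*/}" "$(key_pem_state "$f")"
done
rm -rf "$d"
```
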
