After enabling Directory authentication plugin (UidPwdDirAuth) , Unable to submit cert request using caECDirUserCert profile.
Steps to Reproduce:
1. Setup CA using the configuration below:

[DEFAULT]
pki_instance_name=Foobar1
pki_https_port=8443
pki_http_port=8080
#NSS DB Token Password
pki_token_password=Secret123
#Admin Password
pki_admin_password=Secret123
#Security Domain
pki_hostname=pki2.example.org
pki_security_domain_name=Foobar.org
pki_security_domain_password=Secret123
#client Dir
pki_client_dir=/opt/Foobar1
pki_client_pkcs12_password=Secret123
#Backup
pki_backup_keys=True
pki_backup_password=Secret123

[Tomcat]
pki_ajp_port=8009
pki_tomcat_server_port=8005

[CA]
pki_import_admin_cert=False
pki_ca_signing_key_type=ecc
pki_ca_signing_key_size=nistp256
pki_ca_signing_key_algorithm=SHA256withEC
pki_ca_signing_signing_algorithm=SHA256withEC
pki_ocsp_signing_key_type=ecc
pki_ocsp_signing_key_size=nistp256
pki_ocsp_signing_key_algorithm=SHA256withEC
pki_ocsp_signing_signing_algorithm=SHA256withEC
pki_audit_signing_key_type=ecc
pki_audit_signing_key_size=nistp256
pki_audit_signing_key_algorithm=SHA256withEC
pki_audit_signing_signing_algorithm=SHA256withEC
pki_ssl_server_key_type=ecc
pki_ssl_server_key_size=nistp256
pki_ssl_server_key_algorithm=SHA256withEC
pki_ssl_server_signing_algorithm=SHA256withEC
pki_ssl_server_nickname=Server-Cert cert-pki-RootCA
pki_subsystem_key_type=ecc
pki_subsystem_key_size=nistp256
pki_subsystem_key_algorithm=SHA256withEC
pki_subsystem_signing_algorithm=SHA256withEC
pki_ds_hostname=localhost
pki_ds_ldap_port=389
pki_ds_password=Secret123

2. Enable the UidPwdDirAuth plugin:

auths.instance.UserDirEnrollment.dnpattern=
auths.instance.UserDirEnrollment.ldap.basedn=dc=example,dc=org
auths.instance.UserDirEnrollment.ldap.ldapconn.host=localhost
auths.instance.UserDirEnrollment.ldap.ldapconn.port=389
auths.instance.UserDirEnrollment.ldap.ldapconn.secureConn=false
auths.instance.UserDirEnrollment.ldap.ldapconn.version=3
auths.instance.UserDirEnrollment.ldap.maxConns=
auths.instance.UserDirEnrollment.ldap.minConns=
auths.instance.UserDirEnrollment.ldapByteAttributes=
auths.instance.UserDirEnrollment.ldapStringAttributes=
auths.instance.UserDirEnrollment.pluginName=UidPwdDirAuth
auths.instance.flatFileAuth.authAttributes=PWD

3. Add some users to dc=example,dc=org:

dn: uid=ecc_auth_user1,dc=example,dc=org
uid: ecc_auth_user1
cn: ecc_auth_user1
sn: user1
objectClass: top
objectClass: inetorgperson
userPassword: redhat

dn: uid=ecc_auth_user2,dc=example,dc=org
uid: ecc_auth_user2
cn: ecc_auth_user2
sn: user2
objectClass: top
objectClass: inetorgperson
userPassword: redhat

4. From the EE profile "Directory Authenticated User Dual-use ECC Certificate Enrollment", specify user "ecc_auth_user1", password: redhat.
5. Submit the request.
Actual results:
Request is rejected with reason: 'Sorry, your request is rejected. The reason is "Request Rejected {0}"'
Expected results:
Request should not be rejected
Additional info:
The request is rejected because the certificate request is being created using the RSA algorithm instead of ECC.
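The failure above comes down to a key-type mismatch: the enrollment form produced an RSA key for a profile that only accepts EC keys. The following is an added example, not Dogtag code, showing how a client- or gateway-side check can catch that before a request is submitted: it walks the DER of a PKCS#10 CSR down to SubjectPublicKeyInfo and compares the key algorithm OID with what the profile expects. Only the caECDirUserCert entry in PROFILE_KEY_TYPE comes from this report; the caDirUserCert entry is an assumption for illustration, and build_sample_csr constructs a structurally valid CSR skeleton with zero-filled key bits and signature (no real key material) so the check can be exercised offline.

```python
"""Added example (not Dogtag code): check that a PKCS#10 CSR carries the key type
a CA profile expects, e.g. an EC key for caECDirUserCert. Profile names other than
caECDirUserCert in PROFILE_KEY_TYPE are assumptions for illustration."""
import base64

RSA_ENCRYPTION = "1.2.840.113549.1.1.1"   # rsaEncryption
EC_PUBLIC_KEY = "1.2.840.10045.2.1"       # id-ecPublicKey

PROFILE_KEY_TYPE = {
    "caECDirUserCert": EC_PUBLIC_KEY,     # the profile named in the report
    "caDirUserCert": RSA_ENCRYPTION,      # assumption: the RSA counterpart
}


def _read_tlv(data, pos):
    """Parse one DER TLV at pos; return (tag, content, position after it)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _expect(data, pos, want):
    """Read a TLV and insist on a specific tag; return (content, end)."""
    tag, content, end = _read_tlv(data, pos)
    if tag != want:
        raise ValueError("expected DER tag 0x%02x, got 0x%02x" % (want, tag))
    return content, end


def _decode_oid(content):
    """DER OID content octets -> dotted-decimal string."""
    parts, cur = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:                   # last base-128 digit of this arc
            parts.append(cur)
            cur = 0
    return ".".join(map(str, parts))


def load_csr(blob):
    """Accept PEM text/bytes or raw DER and return DER bytes."""
    if isinstance(blob, str):
        blob = blob.encode()
    if blob.startswith(b"-----"):
        b64 = "".join(l for l in blob.decode().splitlines() if not l.startswith("-----"))
        return base64.b64decode(b64)
    return blob


def csr_key_algorithm(der):
    """Walk CertificationRequest -> certificationRequestInfo -> subjectPKInfo
    -> algorithm and return the key algorithm OID (no signature check is done)."""
    req, _ = _expect(der, 0, 0x30)          # CertificationRequest
    info, _ = _expect(req, 0, 0x30)         # CertificationRequestInfo
    _, pos = _expect(info, 0, 0x02)         # version
    _, pos = _expect(info, pos, 0x30)       # subject Name
    spki, _ = _expect(info, pos, 0x30)      # SubjectPublicKeyInfo
    alg, _ = _expect(spki, 0, 0x30)         # AlgorithmIdentifier
    oid, _ = _expect(alg, 0, 0x06)          # algorithm OID
    return _decode_oid(oid)


def check_request(profile, csr):
    """Return (ok, key_oid): ok is True when the CSR key type matches the profile."""
    actual = csr_key_algorithm(load_csr(csr))
    return actual == PROFILE_KEY_TYPE[profile], actual


def to_pem(der):
    """Wrap DER bytes in a PEM CERTIFICATE REQUEST envelope."""
    body = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE REQUEST-----\n%s\n-----END CERTIFICATE REQUEST-----\n" % body


# --- constructed sample input (no real keys; key bits and signature are zero-filled) ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    p = [int(x) for x in dotted.split(".")]
    out = bytearray([p[0] * 40 + p[1]])
    for v in p[2:]:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_sample_csr(key_oid):
    """Structurally valid CSR skeleton whose SubjectPublicKeyInfo uses key_oid."""
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(key_oid)))
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00" * 9))
    info = _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x30, b"") + spki + _tlv(0xA0, b""))
    sig_alg = _tlv(0x30, _tlv(0x06, _encode_oid("1.2.840.10045.4.3.2")))  # ecdsa-with-SHA256
    return _tlv(0x30, info + sig_alg + _tlv(0x03, b"\x00" * 9))


if __name__ == "__main__":
    for oid in (RSA_ENCRYPTION, EC_PUBLIC_KEY):
        print("caECDirUserCert", check_request("caECDirUserCert", build_sample_csr(oid)))
```

A real CSR (PEM from `openssl req`, or the text the EE form posts) can be passed straight to check_request; for the scenario in this report it would return (False, "1.2.840.113549.1.1.1"), which is the same mismatch the profile's constraint rejects, surfaced before the request ever reaches the CA.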
It works for me. See https://bugzilla.redhat.com/show_bug.cgi?id=1238221#c3
Metadata Update from @mrniranjan:
- Issue assigned to cfu
- Issue set to the milestone: 10.2.6
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2017
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.