#1504 Unable to create Admin cert with ECC during subsystem installation using pkispawn
Closed: Fixed. Opened 8 years ago by mrniranjan.

There are 2 Problems:

  1. Unable to specify a curve with pki_admin_keysize in the configuration file, as
    pkispawn fails with the error below:

<snip>
pkispawn : DEBUG ........... No connection - exception thrown: [Errno 111] Connection refused
pkispawn : DEBUG ........... <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><State>0</State><Type>CA</Type><Status>running</Status><Version>10.2.5-3.el7pki</Version></XMLResponse>
pkispawn : INFO ....... constructing PKI configuration data.
pkispawn : DEBUG ....... Error Type: ValueError
pkispawn : DEBUG ....... Error Message: invalid literal for int() with base 10: 'nistp256'
pkispawn : DEBUG ....... File "/usr/sbin/pkispawn", line 597, in main
    rv = instance.spawn(deployer)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", line 112, in spawn
    data = deployer.config_client.construct_pki_configuration_data()
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 4026, in construct_pki_configuration_data
    self.set_admin_parameters(data)
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 4421, in set_admin_parameters
    noise_file, int(self.mdict['pki_admin_keysize']))
</snip>

If I do not specify pki_admin_keysize, then by default the Administrator's cert is
created with RSA, even though I specify pki_admin_keytype=ecc.

  2. When the subsystem (CA) is installed with ECC, which by default creates the
    Administrator cert using RSA, this administrator cert cannot be used for
    user/cert operations with the pki command. And since the console is not working with
    ECC, there is no option to create an alternate admin with an ECC certificate, as I
    can't add any users or groups or add a new certificate to users.

$ pki -d /opt/cmcreq/test -c 'redhat' -n "PKI Administrator for example.org" cert
ProcessingException: Unable to invoke request

$ pki -d /opt/cmcreq/test -c 'redhat' -n "PKI Administrator for example.org" user
ProcessingException: Unable to invoke request

Steps to Reproduce:

1. Install CA with ECC
2. Use default admin certificate to create new users using pki command

Actual results:

Unable to create new users or groups.

Expected results:

Should be able to create new users and groups.
Should be able to create the Admin cert using ECC during installation.

Additional info:

The CA instance creation .inf file used in my setup is:

[DEFAULT]
pki_instance_name=Foobar1-CA
pki_https_port=8443
pki_http_port=8080

#NSS DB Token Password
pki_token_password=Secret123

#Admin Password
pki_admin_dualkey=True
pki_admin_keytype=ecc
pki_admin_password=Secret123

#Security Domain
pki_hostname=pki3.example.org
pki_security_domain_name=Foobar.org
pki_security_domain_password=Secret123

#client Dir
pki_client_dir=/opt/Foobar1-CA
pki_client_pkcs12_password=Secret123

#Backup
pki_backup_keys=True
pki_backup_password=Secret123

[Tomcat]
pki_ajp_port=8009
pki_tomcat_server_port=8005

[CA]
pki_import_admin_cert=False
pki_ca_signing_key_type=ecc
pki_ca_signing_key_size=nistp256
pki_ca_signing_key_algorithm=SHA256withEC
pki_ca_signing_signing_algorithm=SHA256withEC
pki_ocsp_signing_key_type=ecc
pki_ocsp_signing_key_size=nistp256
pki_ocsp_signing_key_algorithm=SHA256withEC
pki_ocsp_signing_signing_algorithm=SHA256withEC
pki_audit_signing_key_type=ecc
pki_audit_signing_key_size=nistp256
pki_audit_signing_key_algorithm=SHA256withEC
pki_audit_signing_signing_algorithm=SHA256withEC
pki_ssl_server_key_type=ecc
pki_ssl_server_key_size=nistp256
pki_ssl_server_key_algorithm=SHA256withEC
pki_ssl_server_signing_algorithm=SHA256withEC
pki_ssl_server_nickname=Server-Cert cert-pki-RootCA
pki_subsystem_key_type=ecc
pki_subsystem_key_size=nistp256
pki_subsystem_key_algorithm=SHA256withEC
pki_subsystem_signing_algorithm=SHA256withEC
pki_ds_hostname=localhost
pki_ds_ldap_port=389
pki_ds_password=Secret123
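The traceback in this report comes from pkispawn calling int() on pki_admin_keysize regardless of pki_admin_keytype, so a curve name such as nistp256 can never be expressed. As an added illustration (not pkispawn's or Dogtag's own code), the function below maps the .inf key type and key size to certutil's -g (RSA bit length) or -q (EC curve) options and rejects mismatched pairs with a readable error; the function names, the curve set, the RSA defaults and the 2048-bit floor are assumptions made here.

```python
import configparser

# Curve names certutil accepts for -q; a representative subset (assumption).
EC_CURVES = {"nistp256", "nistp384", "nistp521"}

# Constructed .inf fragment modelled on the ticket's file, not the full file.
SAMPLE_INF = """
[DEFAULT]
pki_admin_keytype=ecc
pki_admin_keysize=nistp256
"""


def admin_key_options(keytype, keysize):
    """Return certutil key arguments for the admin cert, validating the pair.

    rsa: keysize must be an integer bit length -> ['-k', 'rsa', '-g', '2048']
    ecc: keysize must be a named curve         -> ['-k', 'ec',  '-q', 'nistp256']
    Raises ValueError with a clear message instead of the raw int() failure.
    """
    keytype = keytype.lower()
    if keytype == "rsa":
        try:
            bits = int(keysize)
        except ValueError:
            raise ValueError(f"pki_admin_keysize={keysize!r} is not an RSA bit length")
        if bits < 2048:  # policy floor chosen for this example
            raise ValueError(f"RSA key size {bits} is below the 2048-bit minimum")
        return ["-k", "rsa", "-g", str(bits)]
    if keytype == "ecc":
        if keysize not in EC_CURVES:
            raise ValueError(f"pki_admin_keysize={keysize!r} is not a known EC curve")
        return ["-k", "ec", "-q", keysize]
    raise ValueError(f"unsupported pki_admin_keytype={keytype!r}")


def options_from_inf(inf_text):
    """Parse a pkispawn-style .inf and return certutil key options for the admin cert."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(inf_text)
    section = cfg["DEFAULT"]
    keytype = section.get("pki_admin_keytype", "rsa")
    # Fallback size depends on the key type; the values are assumptions.
    default_size = "nistp256" if keytype.lower() == "ecc" else "2048"
    keysize = section.get("pki_admin_keysize", default_size)
    return admin_key_options(keytype, keysize)


if __name__ == "__main__":
    print(options_from_inf(SAMPLE_INF))
```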

If you were to add the pki_admin_key_size, would it have worked then? If so, the real issue is more on the CLI then? Please clarify this in this ticket as well as the subject line.

Per CS/DS Meeting of 07/27/2015: 10.2.7

Checked into master:

  • becc7fdd56407941d47bfc6281b5c90bfdae5fa9 (remove noise file generation code)
  • f9102b8df60d50e00d2a45915d06837510cfd1aa (PKI TRAC Ticket #1524 - pkispawn: certutil options incorrect for creating ecc admin certificate)

Metadata Update from @mrniranjan:
- Issue set to the milestone: 10.2.6

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2063

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

