#2449 Unable to create system certificates in different tokens
Closed: fixed 6 years ago Opened 7 years ago by edewata.

The pkispawn and CS.cfg provide several parameters to specify the token name for each system certificate:

  • pki_ca_signing_token / ca.signing.tokenname
  • pki_ocsp_signing_token / ca.ocsp_signing.tokenname / ocsp.signing.tokenname
  • pki_storage_token / kra.storage.tokenname
  • pki_transport_token / kra.transport.tokenname
  • pki_audit_signing_token / <subsystem>.audit_signing.tokenname
  • pki_ssl_server_token / <subsystem>.sslserver.tokenname
  • pki_subsystem_token / <subsystem>.subsystem.tokenname

However, the current code disregards the token names specified in the above parameters and it will only use the token name specified in pki_token_name, which limits its use and may cause some confusion.

One option is to fix the code to read the token names from the right parameters, allowing the system certificate to be created in different tokens. For example, the CA certificate might be created in HSM, while the other certificates are created in internal token.

Another option is to remove the above parameters, so all system certificates will always be created in the same token.
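As an added illustration (not code from the pki project or from this ticket), the following shows the token-resolution logic the first option calls for, in the language of pkispawn's configuration.py: each pki_<cert>_token parameter takes precedence over pki_token_name, with the current "everything in pki_token_name" behaviour kept alongside for comparison. The deployment config is constructed; the token name "nethsm", the use of "internal" as the default token and the [DEFAULT]/[CA] section layout are assumptions.

```python
import configparser

# pkispawn per-certificate token parameters and the CS.cfg keys they feed,
# per subsystem, as listed in the ticket description.
CERT_TOKEN_PARAMS = {
    "CA": {
        "pki_ca_signing_token": "ca.signing.tokenname",
        "pki_ocsp_signing_token": "ca.ocsp_signing.tokenname",
        "pki_audit_signing_token": "ca.audit_signing.tokenname",
        "pki_ssl_server_token": "ca.sslserver.tokenname",
        "pki_subsystem_token": "ca.subsystem.tokenname",
    },
    "KRA": {
        "pki_storage_token": "kra.storage.tokenname",
        "pki_transport_token": "kra.transport.tokenname",
        "pki_audit_signing_token": "kra.audit_signing.tokenname",
        "pki_ssl_server_token": "kra.sslserver.tokenname",
        "pki_subsystem_token": "kra.subsystem.tokenname",
    },
}

# Constructed pkispawn-style deployment file: CA signing key in an HSM
# (assumed token name "nethsm"), SSL server key in the NSS internal token.
SAMPLE_DEPLOYMENT_CFG = """\
[DEFAULT]
pki_token_name = nethsm
pki_ssl_server_token = internal

[CA]
pki_ca_signing_token = nethsm
"""


def load_params(text, subsystem):
    """Parse a deployment file; [DEFAULT] values are inherited by [CA] etc."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return dict(cfg[subsystem])


def resolve_token_names(params, subsystem, per_cert=True):
    """Return {cs_cfg_key: token} for one subsystem.

    per_cert=False reproduces the behaviour the ticket reports: every
    certificate is created in pki_token_name.  per_cert=True is the proposed
    fix: pki_<cert>_token wins, falling back to pki_token_name when unset.
    """
    default = params.get("pki_token_name") or "internal"  # assumed default
    resolved = {}
    for param, cfg_key in CERT_TOKEN_PARAMS[subsystem].items():
        token = params.get(param) if per_cert else None
        resolved[cfg_key] = token or default
    return resolved
```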


Per PKI Bug Council of 08/31/2016: 10.3.6

To ssh://vakwetu@git.fedorahosted.org/git/pki.git
1195ee9..bc65e12 master -> master

Checked into master:

  • bc65e12500cbc3381b4e755a4a50214f43049ad3

Cherry-picked into DOGTAG_10_3_BRANCH:

From 261e550a25ced3c61fc0c3afeb910d17b7472a3c Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" edewata@redhat.com
Date: Mon, 29 Aug 2016 08:33:05 +0200
Subject: [PATCH 03/10] Added support to create system certificates in different tokens.

Previously all system certificates were always created in the same
token specified in the pki_token_name parameter.

To allow creating system certificates in different tokens, the
configuration.py has been modified to store the system certificate
token names specified in pki_<cert>_token parameters into the
CS.cfg before the server is started.

After the server is started, the configuration servlet will read
the token names from the CS.cfg and create the certificates in the
appropriate token.

https://fedorahosted.org/pki/ticket/2449
(cherry picked from commit bc65e12500cbc3381b4e755a4a50214f43049ad3)

Reverted from master (10.4) due to issue reported in bug #1374054:

  • b0a4981937abb1a3decad7decc0a788473464039

Reverted from DOGTAG_10_3_BRANCH due to issue reported in Bugzilla Bug #1374054 - ipa-replica-install fails setting up certificate server:

commit 744c506e41f33c7532c0ce8ab08f12bc75d79506

Author: Endi S. Dewata <edewata@redhat.com>
Date:   Thu Sep 8 20:06:19 2016 +0200

    Removed support for creating system certificates in different tokens.

    The patch that added the support for creating system certificates
    in different tokens causes issues in certain cases, so for now it
    has been reverted.

    https://fedorahosted.org/pki/ticket/2449
    (cherry picked from commit b0a4981937abb1a3decad7decc0a788473464039)

Per CS/DS meeting of 09/12/2016: 10.4 (critical)

  • patch for this ticket was removed after pki-core-10.3.5-5.fc24
  • could make setup easier/nicer when HSM is in FIPS - also may make IdM HSM have more flexibility

Metadata Update from @edewata:
- Issue assigned to edewata
- Issue set to the milestone: 10.4

7 years ago

Metadata Update from @mharmsen:
- Custom field feature adjusted to ''
- Custom field proposedmilestone adjusted to ''
- Custom field proposedpriority adjusted to ''
- Custom field reviewer adjusted to ''
- Custom field version adjusted to ''
- Issue close_status updated to: None
- Issue priority set to: 1 (was: 2)

7 years ago

Upgraded priority to coincide with associated Bugzilla Bug.

Per PKI Bug Council of 03/23/2017:

  • downgrade priority to major
  • close associated RHBZ as UPSTREAM

Metadata Update from @mharmsen:
- Issue priority set to: 3 (was: 1)

7 years ago

Per CS/DS Meeting of August 7, 2017, it was determined to move this issue from 10.4 ==> FUTURE.

Metadata Update from @mharmsen:
- Issue set to the milestone: FUTURE (was: 10.4)

6 years ago

Metadata Update from @edewata:
- Issue priority set to: blocker (was: major)
- Issue set to the milestone: 10.6 (was: FUTURE)

6 years ago

This blocks PKI 10.6 installation with HSM. The SSL server cert and key need to be created in the internal token, while other certs and keys need to be created in HSM.

Metadata Update from @edewata:
- Issue close_status updated to: fixed
- Issue set to the milestone: 10.6.0 (was: 10.6)
- Issue status updated to: Closed (was: Open)

6 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2569

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
