KRA key recovery cli kra-key-retrieve generates a invalid p12 file.
Steps to Reproduce:
CA and KRA installed using Thales HSM. Archive a key by creating CRMFPopClient request and submitting the request to CADualCert profile. Verify that the key is archived. # pki -d /opt/rhqa_pki/admin_certs_db/ -c SECret.123 -p 31044 -n "PKI Administrator for idm.lab.eng.rdu.redhat.com" kra-key-find ---------------- 1 key(s) matched ---------------- Key ID: 0x1 Algorithm: 1.2.840.113549.1.1.1 Size: 2048 Owner: UID=FooUser6,CN=Foo User6,OU=Foo_Example_IT,O=FooBar.Org,C=US ---------------------------- Number of entries returned 1 ---------------------------- Retrieve the keys using kra-key-retrieve. # pki -d /opt/rhqa_pki/admin_certs_db/ -c SECret.123 -p 31044 -n "PKI Administrator for idm.lab.eng.rdu.redhat.com" kra-key-retrieve --keyID 0x1 --output /opt/rhqa_pki/foo_user6_cert.p12 --passphrase SECret.890 # ll /opt/rhqa_pki/foo_user6_cert.p12 -rw-r--r--. 1 root root 1821 Nov 7 15:15 /opt/rhqa_pki/foo_user6_cert.p12 # pk12util -d /opt/rhqa_pki/admin_certs_db/ -i /opt/rhqa_pki/foo_user6_cert.p12 Enter Password or Pin for "NSS Certificate DB": Enter password for PKCS12 file: pk12util: PKCS12 decoding failed: SEC_ERROR_BAD_DER: security library: improperly formatted DER-encoded message. pk12util: PKCS12 decode not verified: SEC_ERROR_BAD_DER: security library: improperly formatted DER-encoded message.
Actual results:
p12 file import fails.
Expected results:
p12 file import should be successful.
Per PKI Bug Council of 11/10/2016: 10.4 - major
Metadata Update from @aakkiang: - Issue set to the milestone: UNTRIAGED
Metadata Update from @mharmsen: - Custom field feature adjusted to '' - Custom field proposedmilestone adjusted to '' - Custom field proposedpriority adjusted to '' - Custom field reviewer adjusted to '' - Custom field version adjusted to '' - Issue close_status updated to: None - Issue set to the milestone: 10.4 (was: UNTRIAGED)
Per CS/DS Meeting of August 7, 2017, it was determined to move this issue from 10.4 ==> FUTURE.
Metadata Update from @mharmsen: - Issue set to the milestone: FUTURE (was: 10.4)
Metadata Update from @rpattath: - Issue set to the milestone: 0.0 NEEDS_TRIAGE (was: FUTURE)
Metadata Update from @mharmsen: - Issue priority set to: critical (was: major)
Per discussions in PKI Team Meeting of 20171130, it was determined that "automation" of tests for this specific issue would be delayed until 10.6.
Metadata Update from @mharmsen: - Issue set to the milestone: 10.6 (was: 0.0 NEEDS_TRIAGE)
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2658
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Subscribe
Thank you for understanding, and we apologize for any inconvenience.
Metadata Update from @dmoluguw: - Issue close_status updated to: migrated - Issue status updated to: Closed (was: Open)
Log in to comment on this ticket.