Per RFC 5272, section 6.3.3 Renewal and Rekey Messages, renewal can be achieved by signing with a previously issued signing certificate.
This task should allow both signing and non-signing CMC renewal cert requests to be signed by a previously-issued signing certificate of the same subjectDN.
The server should be able to
Note: since the spec did not specifically embed any control to allow the CA to tell whether the request is a new request or a renewal request (sometimes it probably doesn't matter), we may have to have logic in the CA to find out.
This task might be a companion task for https://pagure.io/dogtagpki/issue/2617 (same assignee is recommended).
Metadata Update from @mharmsen: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1419761
Metadata Update from @mharmsen:
- Custom field component adjusted to General
- Custom field feature adjusted to ''
- Custom field origin adjusted to Community
- Custom field proposedmilestone adjusted to ''
- Custom field proposedpriority adjusted to ''
- Custom field reviewer adjusted to ''
- Custom field type adjusted to defect
- Custom field version adjusted to ''
- Issue priority set to: 2
Metadata Update from @mharmsen:
- Custom field component adjusted to CMC (was: General)
- Custom field origin adjusted to RHCust (was: Community)
- Custom field type adjusted to enhancement (was: defect)
Metadata Update from @cfu: - Issue assigned to cfu
commit 8aafe1d4345f8b8d20b2f87c68b2e6be4eee18eb
Author: Christina Fu <cfu@redhat.com>
Date:   Fri May 19 11:55:14 2017 -0700

Ticket#2618 feature: pre-signed CMC renewal request

This patch provides the feature implementation to allow the CA to process pre-signed CMC renewal requests. In the world of CMC, renewal requests are full CMC requests that are signed by a previously issued signing certificate. The implementation approach is to use the caFullCMCUserSignedCert profile with the enhanced profile constraint UniqueKeyConstraint. UniqueKeyConstraint has been updated to disallow renewal of the same key shared by a revoked certificate. It also saves the origNotAfter of the newest certificate sharing the same key in the request, to be used by the RenewGracePeriodConstraint. To not interfere with the existing "renewal by serial" flow, if an existing origNotAfter is found, it is not overwritten. The profile caFullCMCUserSignedCert.cfg has been updated to have both UniqueKeyConstraint and RenewGracePeriodConstraint. They must be placed in the correct order. By default in the UniqueKeyConstraint the constraint parameter allowSameKeyRenewal=true.
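The two-constraint flow in the commit message, as an added illustration that is not Dogtag's own code: a small Python model of the UniqueKeyConstraint decision (revoked sibling cert, subjectDN match, origNotAfter recorded only when absent) followed by a RenewGracePeriodConstraint check on that origNotAfter. The Cert/Request types, the norm_dn helper and the grace-period parameter names are assumptions of this model, not the project's API.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Cert:                       # assumed stand-in for an issued certificate record
    serial: int
    subject_dn: str
    key_id: str                   # stand-in for the public key (e.g. an SPKI hash)
    not_after: datetime
    revoked: bool = False

@dataclass
class Request:                    # assumed stand-in for the enrollment request
    subject_dn: str
    key_id: str
    attrs: dict = field(default_factory=dict)   # request attributes; origNotAfter lives here

def norm_dn(dn):
    # Assumed normalisation so "CN=a, O=b" and "cn=a,o=b" compare equal;
    # a naive string compare is the kind of subjectDN matching bug the follow-up commit fixed.
    return ",".join(p.strip().lower() for p in dn.split(","))

def unique_key_constraint(req, issued, allow_same_key_renewal=True):
    """Model of UniqueKeyConstraint. Returns (accepted, reason)."""
    same_key = [c for c in issued if c.key_id == req.key_id]
    if not same_key:
        return True, "new key"                    # plain enrollment, nothing to check
    if not allow_same_key_renewal:
        return False, "key already issued; allowSameKeyRenewal=false"
    if any(c.revoked for c in same_key):
        return False, "key shared with a revoked certificate"
    if any(norm_dn(c.subject_dn) != norm_dn(req.subject_dn) for c in same_key):
        return False, "key already bound to a different subjectDN"
    # Record origNotAfter of the newest cert sharing the key, unless the
    # renewal-by-serial flow already set it (setdefault never overwrites).
    req.attrs.setdefault("origNotAfter", max(c.not_after for c in same_key))
    return True, "same-key renewal"

def renew_grace_period_constraint(req, now, grace_before_days=30, grace_after_days=30):
    """Model of RenewGracePeriodConstraint: renewal only inside the window around origNotAfter."""
    orig = req.attrs.get("origNotAfter")
    if orig is None:
        return True, "not a renewal"              # constraint does not apply
    lo = orig - timedelta(days=grace_before_days)
    hi = orig + timedelta(days=grace_after_days)
    return (lo <= now <= hi), f"window {lo:%Y-%m-%d}..{hi:%Y-%m-%d}"
```

Because origNotAfter is only written when absent, running the constraints in the opposite order would leave the grace-period check with nothing to evaluate, which is why the commit message insists on their order in the profile.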
Metadata Update from @cfu: - Issue close_status updated to: fixed
Metadata Update from @mharmsen: - Issue set to the milestone: 10.4.5 (was: 10.4)
Metadata Update from @mharmsen: - Custom field fixedinversion adjusted to pki-core-10.4.7-1.fc27
Found an issue in UniqueKeyConstraint.java where the subjectDN matching fails to work. A working patch is about to be submitted.
Reopening this ticket.
Metadata Update from @cfu: - Issue status updated to: Open (was: Closed)
commit 2d69d9332eea7ddc5205dc9e44d15452be4be61f
Author: Christina Fu <cfu@redhat.com>
Date:   Tue Jun 20 15:04:12 2017 -0700

Ticket #2618 UniqueKeyConstraint fix on subjectDN comparison
Metadata Update from @cfu: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @mharmsen: - Issue set to the milestone: 10.4.9 (was: 10.4.5)
Metadata Update from @mharmsen: - Custom field fixedinversion reset (from pki-core-10.4.7-1.fc27)
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2738
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.