#2873 p12 admin certificate is missing when certificate is signed Externally
Closed: fixed 7 years ago Opened 7 years ago by mharmsen.

gkapoor observed the following:

When the OCSP certificate is signed using ExternalCA, the installation output looks like:

==========================================================================

  Administrator's username:             ocspadmin

  Administrator's certificate nickname:
        ocspadmin
  Administrator's certificate database:
        /root/.dogtag/pki-tomcat/ocsp/alias

  To check the status of the subsystem:
        systemctl status pki-tomcatd@pki-tomcat.service

  To restart the subsystem:
        systemctl restart pki-tomcatd@pki-tomcat.service

  The URL for the subsystem is:
        https://pki1.example.com:8443/ocsp

  PKI instances will be enabled upon system boot

==========================================================================

Which clearly shows the admin (p12) cert is missing.

https://github.com/dogtagpki/pki/blob/master/base/server/python/pki/server/deployment/scriptlets/configuration.py#L1172

The process_admin_cert() is supposed to generate the p12 file, but it's only executed in standalone cases right now.

This case is external, so it didn't get executed.

Steps to Reproduce:

Sign ocsp certificate in a 2 step process using http://pki.fedoraproject.org/wiki/Installing_OCSP_with_External_Certificates

Actual Results:

ocsp p12 admin cert is not getting generated

Expected Results:

ocsp p12 admin cert should get generated.

Metadata Update from @mharmsen:
- Custom field component adjusted to None
- Custom field feature adjusted to None
- Custom field origin adjusted to None
- Custom field proposedmilestone adjusted to None
- Custom field proposedpriority adjusted to None
- Custom field reviewer adjusted to None
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1520526
- Custom field type adjusted to None
- Custom field version adjusted to None

7 years ago

I have some additional information to share while testing this:

Other Observations:

  1. Try to create p12 file using:

Get the ocsp.crt in base 64 format from EE page.

  2. pki -v -d /root/.dogtag/topology-OCSP-EX/ocsp/alias client-cert-import ocspadmin --cert ocsp.crt

Make sure ocspadmin cert has trust u,u,u.

certutil -L -d /root/.dogtag/topology-OCSP-EX/ocsp/alias

Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI

ocspadmin                                    u,u,u

  3. pk12util -d /root/.dogtag/topology-OCSP-EX/ocsp/alias -n ocspadmin -o ocsp.p12

Import the cert in a p12 format.

  4. [root@pki1 test]# certutil -L -d .

Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI

CA Signing Certificate                       CT,C,C
RootCA                                       CT,C,C
caadmin                                      u,u,u
ocspadmin                                    u,u,u
[root@pki1 test]# pki -d . -p 31080 -n ocspadmin ocsp-user-find
PKIException: Unauthorized
[root@pki1 test]# pki -v -d . -p 31080 -n ocspadmin ocsp-user-find
PKI options: -v -d .
PKI command: 31080 -p 31080 -n ocspadmin ocsp-user-find
Java command: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -Djava.ext.dirs=/usr/share/pki/lib -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI -d . --verbose -p 31080 -n ocspadmin ocsp-user-find
Server URI: http://pki1.example.com:31080
Client security database: /root/test/.
Message format: null
Command: ocsp-user-find
Initializing security database
Module: ocsp
Initializing PKIClient
HTTP request: GET /pki/rest/info HTTP/1.1
Accept-Encoding: gzip, deflate
Accept: application/xml
Host: pki1.example.com:31080
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=37DF3C317171DAD1653548F0EB3E34EF; Path=/pki; HttpOnly
Content-Type: application/xml
Content-Length: 106
Date: Mon, 04 Dec 2017 19:04:08 GMT
HTTP request: GET /ocsp/rest/account/login HTTP/1.1
Accept-Encoding: gzip, deflate
Accept: application/xml
Host: pki1.example.com:31080
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
Cache-Control: private
Expires: Thu, 01 Jan 1970 05:30:00 IST
Location: https://pki1.example.com:31443/ocsp/rest/account/login
Content-Length: 0
Date: Mon, 04 Dec 2017 19:04:08 GMT
HTTP redirect: https://pki1.example.com:31443/ocsp/rest/account/login
Client certificate: ocspadmin
HTTP request: GET /ocsp/rest/account/login HTTP/1.1
Accept-Encoding: gzip, deflate
Accept: application/xml
Host: pki1.example.com:31443
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
Server certificate: CN=pki1.example.com,OU=topology-OCSP-EX,O=EXAMPLE
HTTP response: HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
Cache-Control: private
Expires: Thu, 01 Jan 1970 05:30:00 IST
WWW-Authenticate: Basic realm="Online Certificate Status Protocol Manager"
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 951
Date: Mon, 04 Dec 2017 19:04:08 GMT
com.netscape.certsrv.base.PKIException: Unauthorized
at com.netscape.certsrv.client.PKIConnection.handleErrorResponse(PKIConnection.java:467)
at com.netscape.certsrv.client.PKIConnection.getEntity(PKIConnection.java:439)
at com.netscape.certsrv.client.PKIClient.getEntity(PKIClient.java:107)
at com.netscape.certsrv.account.AccountClient.login(AccountClient.java:46)
at com.netscape.certsrv.client.SubsystemClient.login(SubsystemClient.java:47)
at com.netscape.cmstools.cli.SubsystemCLI.login(SubsystemCLI.java:46)
at com.netscape.cmstools.cli.SubsystemCLI.execute(SubsystemCLI.java:64)
at com.netscape.cmstools.cli.CLI.execute(CLI.java:345)
at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:631)
at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:667)
ERROR: Command '['/usr/lib/jvm/jre-1.8.0-openjdk/bin/java', '-Djava.ext.dirs=/usr/share/pki/lib', '-Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties', 'com.netscape.cmstools.cli.MainCLI', '-d', '.', '--verbose', '-p', '31080', '-n', 'ocspadmin', 'ocsp-user-find']' returned non-zero exit status 255

Debug logs:

[05/Dec/2017:00:38:57][http-bio-31443-exec-17]: SignedAuditLogger: event ACCESS_SESSION_ESTABLISH
[05/Dec/2017:00:38:57][http-bio-31443-exec-17]: PKIRealm: Authenticating certificate chain:
[05/Dec/2017:00:38:57][http-bio-31443-exec-17]: PKIRealm.getAuditUserfromCert: certUID=CN=PKI Administrator, EMAILADDRESS=ocspadmin@example.com, OU=topology-OCSP-EX, O=EXAMPLE
[05/Dec/2017:00:38:57][http-bio-31443-exec-17]: PKIRealm: CN=PKI Administrator, EMAILADDRESS=ocspadmin@example.com, OU=topology-OCSP-EX, O=EXAMPLE
[05/Dec/2017:00:38:57][http-bio-31443-exec-17]: CertUserDBAuth: started
[05/Dec/2017:00:38:57][http-bio-31443-exec-17]: CertUserDBAuth: Retrieving client certificate
[05/Dec/2017:00:38:57][http-bio-31443-exec-17]: CertUserDBAuth: Got client certificate
[05/Dec/2017:00:38:57][http-bio-31443-exec-17]: Authentication: client certificate found
[05/Dec/2017:00:38:57][http-bio-31443-exec-17]: In LdapBoundConnFactory::getConn()
[05/Dec/2017:00:38:57][http-bio-31443-exec-17]: masterConn is connected: true
[05/Dec/2017:00:38:57][http-bio-31443-exec-17]: getConn: conn is connected true
[05/Dec/2017:00:38:57][http-bio-31443-exec-17]: getConn: mNumConns now 2
[05/Dec/2017:00:38:57][http-bio-31443-exec-17]: returnConn: mNumConns now 3
[05/Dec/2017:00:38:57][http-bio-31443-exec-17]: CertUserDBAuthentication: cannot map certificate to any userUser not found
[05/Dec/2017:00:38:57][http-bio-31443-exec-17]: SignedAuditLogger: event AUTH
[05/Dec/2017:00:38:57][http-bio-31443-exec-17]: SignedAuditLogger: event ACCESS_SESSION_TERMINATED

** Note:

Generally we see Subsystem certificates under CA (ou=people,o=topology-02-CA-CA) for various subsystems like:

DN: uid=OCSP-pki1.example.com-22443
2;9;CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org;CN=Subsystem Certificate,OU=topology-02-OCSP,O=topology-02_Foobarmaster.org

DN: uid=TKS-pki1.example.com-23443,ou=people,o=topology-02-CA-CA
2;19;CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org;CN=Subsystem Certificate,OU=topology-02-TKS,O=topology-02_Foobarmaster.org

With ExternalCA:

Couldn't find such entries for External OCSP.
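The 401 in the comment above is the server-side half of the problem: the OCSP realm validates the client certificate chain, then CertUserDBAuthentication fails to map the certificate to any user entry, so a hand-built admin cert that was never registered to the ocspadmin user is rejected. As an added example, not code from the ticket or from Dogtag, this check scans debug-log lines in the format quoted above (constructed sample lines, keyed by Tomcat thread id) and reports each login attempt whose certificate was accepted but unmapped, which is the signal to look for after an external-CA install:

```python
import re

# Constructed sample in the Dogtag debug-log format quoted in the ticket:
# thread exec-17 presents a valid cert that maps to no user, exec-18 succeeds.
SAMPLE_LOG = """\
[05/Dec/2017:00:38:57][http-bio-31443-exec-17]: PKIRealm: Authenticating certificate chain:
[05/Dec/2017:00:38:57][http-bio-31443-exec-17]: PKIRealm.getAuditUserfromCert: certUID=CN=PKI Administrator, EMAILADDRESS=ocspadmin@example.com, OU=topology-OCSP-EX, O=EXAMPLE
[05/Dec/2017:00:38:57][http-bio-31443-exec-17]: CertUserDBAuth: Got client certificate
[05/Dec/2017:00:38:57][http-bio-31443-exec-17]: CertUserDBAuthentication: cannot map certificate to any userUser not found
[05/Dec/2017:00:38:57][http-bio-31443-exec-17]: SignedAuditLogger: event AUTH
[05/Dec/2017:00:39:10][http-bio-31443-exec-18]: PKIRealm: Authenticating certificate chain:
[05/Dec/2017:00:39:10][http-bio-31443-exec-18]: PKIRealm.getAuditUserfromCert: certUID=CN=PKI Administrator, EMAILADDRESS=caadmin@example.com, OU=topology-OCSP-EX, O=EXAMPLE
[05/Dec/2017:00:39:10][http-bio-31443-exec-18]: CertUserDBAuth: Got client certificate
[05/Dec/2017:00:39:10][http-bio-31443-exec-18]: SignedAuditLogger: event AUTH
"""

# [timestamp][thread]: message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]: (?P<msg>.*)$")
CERTUID_RE = re.compile(r"certUID=(?P<dn>.+)$")
UNMAPPED = "cannot map certificate to any user"


def unmapped_cert_logins(log_text):
    """Return (timestamp, thread, subject DN) for every client-cert login whose
    chain was accepted but which CertUserDBAuthentication could not map to a
    user. The subject DN is taken from the getAuditUserfromCert line logged
    earlier on the same Tomcat thread, since the failure line itself omits it."""
    subject_by_thread = {}
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, thread, msg = m.group("ts"), m.group("thread"), m.group("msg")
        if "PKIRealm: Authenticating certificate chain" in msg:
            subject_by_thread.pop(thread, None)  # a new attempt on this thread
        c = CERTUID_RE.search(msg)
        if c:
            subject_by_thread[thread] = c.group("dn").strip()
        if UNMAPPED in msg:
            findings.append((ts, thread, subject_by_thread.get(thread, "<unknown>")))
    return findings


if __name__ == "__main__":
    for ts, thread, dn in unmapped_cert_logins(SAMPLE_LOG):
        print(f"{ts} {thread}: client cert accepted but mapped to no user: {dn}")
```

A hit for the expected admin DN right after installation means the admin cert exists in the client database but was never added to the subsystem's user entry, which is exactly the state the manual p12 workaround above leaves behind.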

Metadata Update from @edewata:
- Issue priority set to: blocker (was: critical)

7 years ago

Metadata Update from @edewata:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

7 years ago

Metadata Update from @mharmsen:
- Issue assigned to edewata
- Issue set to the milestone: 10.5.4 (was: 10.5)

7 years ago

Metadata Update from @mharmsen:
- Custom field fixedinversion adjusted to pki-core-10.5.4-1.fc27

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2992

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
