In the file /etc/pki/default.cfg, the following appears:
# Paths
#
#     These are used in the processing of pkispawn and are not supposed
#     to be overwritten by user configuration files.
#
pki_source_emails=/usr/share/pki/ca/emails
pki_source_flatfile_txt=%(pki_source_conf_path)s/flatfile.txt
pki_source_profiles=/usr/share/pki/ca/profiles
pki_source_proxy_conf=%(pki_source_conf_path)s/proxy.conf
pki_source_registry_cfg=%(pki_source_conf_path)s/registry.cfg
pki_source_admincert_profile=%(pki_source_conf_path)s/adminCert.profile
pki_source_caauditsigningcert_profile=%(pki_source_conf_path)s/caAuditSigningCert.profile
pki_source_cacert_profile=%(pki_source_conf_path)s/caCert.profile
pki_source_caocspcert_profile=%(pki_source_conf_path)s/caOCSPCert.profile
pki_source_servercert_profile=%(pki_source_conf_path)s/serverCert.profile
pki_source_subsystemcert_profile=%(pki_source_conf_path)s/subsystemCert.profile
pki_subsystem_emails_path=%(pki_subsystem_path)s/emails
pki_subsystem_profiles_path=%(pki_subsystem_path)s/profiles
However, in order to correctly generate ECC certificates when using pkispawn, the following name=value pairs must be overridden in the specified 'myconfig.txt' file:
. . .
[CA]
. . .
# Attempt to override RSA profiles with ECC profiles
pki_source_admincert_profile=/usr/share/pki/ca/conf/ECadminCert.profile
pki_source_servercert_profile=/usr/share/pki/ca/conf/ECserverCert.profile
pki_source_subsystemcert_profile=/usr/share/pki/ca/conf/ECsubsystemCert.profile
Presuming that all other specified ECC override values are correct, appropriate ECC certificates will be generated for the Admin, Server, and Subsystem certificates.
The problems that this ticket needs to address are the following:
Metadata Update from @mharmsen:
- Custom field component adjusted to None
- Custom field feature adjusted to None
- Custom field origin adjusted to None
- Custom field proposedmilestone adjusted to None
- Custom field proposedpriority adjusted to None
- Custom field reviewer adjusted to None
- Custom field type adjusted to None
- Custom field version adjusted to None
- Issue priority set to: critical
- Issue set to the milestone: 10.6
This bug is meant to address the workaround documented at the following URL:
Metadata Update from @mharmsen: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1550742
NOTE: https://pagure.io/dogtagpki/issue/2951 was closed as a duplicate of this issue.
Per 10.5.x/10.6 Triage: 10.5
Metadata Update from @mharmsen: - Issue set to the milestone: 10.5 (was: 10.6)
Metadata Update from @mharmsen: - Issue assigned to mharmsen
Metadata Update from @cfu: - Issue assigned to cfu (was: mharmsen)
Implemented with new design: https://review.gerrithub.io/c/dogtagpki/pki/+/417084
commit 9a8e54ab9a8f1192c240639c42f8a744160a8ef8 (HEAD -> master, origin/master, origin/HEAD, ticket-2959-pkispawn-EC-profiles-master)
Author: Christina Fu <cfu@redhat.com>
Date:   Wed Jun 27 15:04:57 2018 -0700

    Ticket #2959 Address pkispawn ECC profile overrides

    This patch enables proper ECC profiles to be automatically applied during pkispawn.
    This patch would eliminate the need for the workaround documented here:
    http://www.dogtagpki.org/wiki/PKI_10.5_Pkispawn_ECC_Profile_Workaround

    The idea is to use the % replacement strings as part of the profile names in the
    default.cfg file for pkispawn, and change the profile names to match the format.
    So for example:
        %(pki_admin_key_type)AdminCert.profile
    would either be translated to rsaAdminCert.profile or eccAdminCert.profile
    depending on the value in pki_admin_key_type

    fixes https://pagure.io/dogtagpki/issue/2959
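The %-replacement scheme described in the commit above, worked through as an added example (this is illustration code written for this page, not code from the pki project). The `%(name)s` references used throughout default.cfg are Python ConfigParser interpolation syntax, so the example layers a constructed default.cfg fragment and a constructed user override file with ConfigParser and shows which profile file each certificate ends up with: the pre-fix workaround (explicit `ECadminCert.profile` paths, as quoted in this ticket), the post-fix mechanism (key type selects the `rsa*`/`ecc*` profile name), and the failure mode the ticket is about (key type says ecc but the resolved profile is still an RSA one). `pki_admin_key_type` appears in the ticket; `pki_sslserver_key_type`, `pki_subsystem_key_type`, the `rsaServerCert.profile`/`eccSubsystemCert.profile` file names and the `check_profiles` helper are assumptions made for this example. Note that ConfigParser's BasicInterpolation spells a reference `%(name)s`, with the trailing `s`.

```python
"""Resolve pkispawn-style profile paths with ConfigParser interpolation.

Constructed example for this ticket: the config fragments are modelled on
the default.cfg / myconfig.txt snippets quoted above, not copied from pki.
"""
import configparser
import posixpath

# Modelled on default.cfg after the fix: the key type is part of the
# profile file name. pki_admin_key_type is quoted in the ticket; the
# server/subsystem key-type names and rsa*/ecc* file names are assumed.
DEFAULT_CFG = """\
[DEFAULT]
pki_source_conf_path=/usr/share/pki/ca/conf
pki_admin_key_type=rsa
pki_sslserver_key_type=rsa
pki_subsystem_key_type=rsa

[CA]
pki_source_admincert_profile=%(pki_source_conf_path)s/%(pki_admin_key_type)sAdminCert.profile
pki_source_servercert_profile=%(pki_source_conf_path)s/%(pki_sslserver_key_type)sServerCert.profile
pki_source_subsystemcert_profile=%(pki_source_conf_path)s/%(pki_subsystem_key_type)sSubsystemCert.profile
"""

# Post-fix usage: only the key type is overridden, the profile follows.
OVERRIDE_ECC_KEYTYPE = "[CA]\npki_admin_key_type=ecc\n"

# Pre-fix workaround quoted in the ticket: profile paths forced by hand.
OVERRIDE_WORKAROUND = """\
[CA]
pki_admin_key_type=ecc
pki_sslserver_key_type=ecc
pki_subsystem_key_type=ecc
pki_source_admincert_profile=/usr/share/pki/ca/conf/ECadminCert.profile
pki_source_servercert_profile=/usr/share/pki/ca/conf/ECserverCert.profile
pki_source_subsystemcert_profile=/usr/share/pki/ca/conf/ECsubsystemCert.profile
"""

# Failure mode: ECC key requested, but an RSA profile still wins.
OVERRIDE_MISMATCH = """\
[CA]
pki_admin_key_type=ecc
pki_source_admincert_profile=%(pki_source_conf_path)s/rsaAdminCert.profile
"""

# role -> (key-type option, profile option)
PROFILE_KEYS = {
    "admin": ("pki_admin_key_type", "pki_source_admincert_profile"),
    "server": ("pki_sslserver_key_type", "pki_source_servercert_profile"),
    "subsystem": ("pki_subsystem_key_type", "pki_source_subsystemcert_profile"),
}

# File-name prefixes seen in this ticket for each key type (ECadminCert
# from the workaround, eccAdminCert from the fix); an assumption here.
KEY_TYPE_PREFIXES = {"rsa": ("rsa",), "ecc": ("ecc", "ec")}


def _load(override_text: str) -> configparser.ConfigParser:
    """Read the defaults, then the user override; later values win."""
    parser = configparser.ConfigParser(
        interpolation=configparser.BasicInterpolation())
    parser.read_string(DEFAULT_CFG)
    if override_text:
        parser.read_string(override_text)
    return parser


def resolve_profiles(override_text: str, section: str = "CA") -> dict:
    """Return the fully interpolated profile path for each certificate role."""
    parser = _load(override_text)
    return {role: parser.get(section, profile_key)
            for role, (_, profile_key) in PROFILE_KEYS.items()}


def check_profiles(override_text: str, section: str = "CA") -> list:
    """Return the roles whose resolved profile file name does not match the
    configured key type, i.e. the silent RSA-instead-of-ECC case."""
    parser = _load(override_text)
    mismatches = []
    for role, (key_type_key, profile_key) in PROFILE_KEYS.items():
        key_type = parser.get(section, key_type_key).lower()
        name = posixpath.basename(parser.get(section, profile_key)).lower()
        if not name.startswith(KEY_TYPE_PREFIXES.get(key_type, (key_type,))):
            mismatches.append(role)
    return mismatches


if __name__ == "__main__":
    for label, text in (("defaults", ""), ("ecc key type", OVERRIDE_ECC_KEYTYPE),
                        ("workaround", OVERRIDE_WORKAROUND), ("mismatch", OVERRIDE_MISMATCH)):
        print(label, resolve_profiles(text), "mismatches:", check_profiles(text))
```

Running the block prints the resolved paths for all four cases; the `check_profiles` pass is the kind of sanity check worth running over a real `pkispawn -f myconfig.txt` file before deployment, since a profile/key-type mismatch of this sort produces certificates with the wrong key type rather than an error.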
Metadata Update from @cfu: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
A note has been added to the workaround wiki page to state the fact that it is no longer needed: http://www.dogtagpki.org/wiki/PKI_10.5_Pkispawn_ECC_Profile_Workaround#NOTE
Metadata Update from @mharmsen: - Custom field fixedinversion adjusted to pki-core-10.5.10-1.fc27 - Issue set to the milestone: 10.5.10 (was: 10.5)
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/3077
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.