#2959 Address ECC profile overrides
Closed: fixed 4 years ago Opened 4 years ago by mharmsen.

In the file /etc/pki/default.cfg, the following appears:

# Paths
# These are used in the processing of pkispawn and are not supposed
# to be overwritten by user configuration files.
#
pki_source_emails=/usr/share/pki/ca/emails
pki_source_flatfile_txt=%(pki_source_conf_path)s/flatfile.txt
pki_source_profiles=/usr/share/pki/ca/profiles
pki_source_proxy_conf=%(pki_source_conf_path)s/proxy.conf
pki_source_registry_cfg=%(pki_source_conf_path)s/registry.cfg
pki_source_admincert_profile=%(pki_source_conf_path)s/adminCert.profile
pki_source_caauditsigningcert_profile=%(pki_source_conf_path)s/caAuditSigningCert.profile
pki_source_cacert_profile=%(pki_source_conf_path)s/caCert.profile
pki_source_caocspcert_profile=%(pki_source_conf_path)s/caOCSPCert.profile
pki_source_servercert_profile=%(pki_source_conf_path)s/serverCert.profile
pki_source_subsystemcert_profile=%(pki_source_conf_path)s/subsystemCert.profile
pki_subsystem_emails_path=%(pki_subsystem_path)s/emails
pki_subsystem_profiles_path=%(pki_subsystem_path)s/profiles

However, in order to correctly generate ECC certificates when using pkispawn, the following name=value pairs must be overridden in the specified 'myconfig.txt' file:

. . .
[CA]
. . .
# Attempt to override RSA profiles with ECC profiles
pki_source_admincert_profile=/usr/share/pki/ca/conf/ECadminCert.profile
pki_source_servercert_profile=/usr/share/pki/ca/conf/ECserverCert.profile
pki_source_subsystemcert_profile=/usr/share/pki/ca/conf/ECsubsystemCert.profile

Presuming that all other specified ECC override values are correct, appropriate ECC certificates will be generated for the Admin, Server, and Subsystem certificates.

The problems that this ticket needs to address are the following:

  • the /etc/pki/default.cfg file comment needs to be updated to express that these values must be overridden when specifying ECC certificates
  • the section entitled 'Installing a root CA using ECC' in the pkispawn man page should be updated to reflect the need for these name=value pairs to be overridden
  • the logic should be updated such that these values are not renamed in their instance destination located at /etc/pki/<instance>/ca (adminCert.profile, serverCert.profile, and subsystemCert.profile)
  • once this logic is changed, the confusion caused by seeing different original names and destination names should be eliminated
  • the workaround Wiki document entitled 'PKI 10.5 Pkispawn ECC Profile Workaround' can be removed

Metadata Update from @mharmsen:
- Custom field component adjusted to None
- Custom field feature adjusted to None
- Custom field origin adjusted to None
- Custom field proposedmilestone adjusted to None
- Custom field proposedpriority adjusted to None
- Custom field reviewer adjusted to None
- Custom field type adjusted to None
- Custom field version adjusted to None
- Issue priority set to: critical
- Issue set to the milestone: 10.6

4 years ago

This bug is meant to address the workaround documented at the following URL:

Metadata Update from @mharmsen:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1550742

4 years ago

Per 10.5.x/10.6 Triage: 10.5

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.5 (was: 10.6)

4 years ago

Metadata Update from @mharmsen:
- Issue assigned to mharmsen

4 years ago

Metadata Update from @cfu:
- Issue assigned to cfu (was: mharmsen)

4 years ago

commit 9a8e54ab9a8f1192c240639c42f8a744160a8ef8 (HEAD -> master, origin/master, origin/HEAD, ticket-2959-pkispawn-EC-profiles-master)
Author: Christina Fu cfu@redhat.com
Date: Wed Jun 27 15:04:57 2018 -0700

Ticket #2959 Address pkispawn ECC profile overrides

This patch enables proper ECC profiles to be automatically applied during
pkispawn.

This patch would eliminate the need for the workaround documented here:
http://www.dogtagpki.org/wiki/PKI_10.5_Pkispawn_ECC_Profile_Workaround

The idea is to use the % replacement strings as part of the profile names
in the default.cfg file for pkispawn,
and change the profile names to match the format. So for example:

%(pki_admin_key_type)AdminCert.profile

would either be translated to rsaAdminCert.profile or eccAdminCert.profile
depending on the value in pki_admin_key_type

fixes https://pagure.io/dogtagpki/issue/2959

Metadata Update from @cfu:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

4 years ago
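
An added illustration of the mechanism discussed in this ticket (not code from the Dogtag project or from the commit): it uses Python's configparser `%(name)s` interpolation, the syntax visible in default.cfg above, to show which admin profile path results before the fix, with the workaround override, and with a key-type-parameterised name. The config snippets are constructed, placing `pki_admin_key_type` in `[DEFAULT]` is an assumption, and `profile_matches_key_type` is a hypothetical file-name heuristic.

```python
import configparser
import posixpath

# Constructed stand-in for the relevant default.cfg lines before the fix.
PRE_FIX_DEFAULT = """\
[DEFAULT]
pki_admin_key_type = rsa
[CA]
pki_source_conf_path = /usr/share/pki/ca/conf
pki_source_admincert_profile = %(pki_source_conf_path)s/adminCert.profile
"""

# Same lines with the profile name parameterised by key type, as the commit describes.
POST_FIX_DEFAULT = PRE_FIX_DEFAULT.replace(
    "/adminCert.profile", "/%(pki_admin_key_type)sAdminCert.profile")

# Constructed user files (the 'myconfig.txt' handed to pkispawn).
USER_ECC = "[CA]\npki_admin_key_type = ecc\n"
USER_ECC_WORKAROUND = USER_ECC + (
    "pki_source_admincert_profile = /usr/share/pki/ca/conf/ECadminCert.profile\n")


def resolve_admin_profile(default_cfg, user_cfg):
    """Layer the user file over the defaults; return (key_type, profile_path)."""
    cfg = configparser.ConfigParser()
    cfg.read_string(default_cfg)
    cfg.read_string(user_cfg)  # later values win, then interpolation is applied
    ca = cfg["CA"]
    return ca["pki_admin_key_type"].lower(), ca["pki_source_admincert_profile"]


def profile_matches_key_type(key_type, profile_path):
    """Heuristic: ECC profiles are named EC*/ecc*, RSA profiles are not."""
    name = posixpath.basename(profile_path).lower()
    return name.startswith("ec") == (key_type == "ecc")


if __name__ == "__main__":
    cases = {
        "pre-fix, ecc requested": (PRE_FIX_DEFAULT, USER_ECC),
        "pre-fix + workaround": (PRE_FIX_DEFAULT, USER_ECC_WORKAROUND),
        "post-fix, ecc requested": (POST_FIX_DEFAULT, USER_ECC),
    }
    for label, (default_cfg, user_cfg) in cases.items():
        key_type, path = resolve_admin_profile(default_cfg, user_cfg)
        print(label, key_type, path, profile_matches_key_type(key_type, path))
```
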

A note has been added to the workaround wiki page to state the fact that it is no longer needed: http://www.dogtagpki.org/wiki/PKI_10.5_Pkispawn_ECC_Profile_Workaround#NOTE

Metadata Update from @mharmsen:
- Custom field fixedinversion adjusted to pki-core-10.5.10-1.fc27
- Issue set to the milestone: 10.5.10 (was: 10.5)

4 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/3077

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on the Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
