Created attachment 1624294 [details] rootCA_debug_log
Description of problem: The clone CA's SSL server certificate does not reflect the complete injected SAN. The RootCA, which the clone was made from, has 5 SAN entries in its server certificate, but the clone's SSL server certificate shows only 4.
Version-Release number of selected component (if applicable): pki-ca-10.5.16-5.el7_7.noarch
How reproducible: Always
Steps to Reproduce:
1. Make SAN changes in /usr/share/pki/ca/conf/rsaServerCert.profile
   1.1 Add 8 to list=2,4,5,6,7,8
   1.2 Add the SAN params below in the 8th section:
    8.default.class=com.netscape.cms.profile.def.SubjectAltNameExtDefault
    8.default.name=Subject Alternative Name Defaults
    8.default.params.subjAltNameExtCritical=true
    8.default.params.subjAltNameNumGNs=5
    8.default.params.subjAltExtGNEnable_0=true
    8.default.params.subjAltExtPattern_0=$request.req_san_pattern_0$
    8.default.params.subjAltExtType_0=DNSName
    8.default.params.subjAltExtGNEnable_1=true
    8.default.params.subjAltExtPattern_1=$request.req_san_pattern_1$
    8.default.params.subjAltExtType_1=DNSName
    8.default.params.subjAltExtGNEnable_2=true
    8.default.params.subjAltExtPattern_2=$request.req_san_pattern_2$
    8.default.params.subjAltExtType_2=DNSName
    8.default.params.subjAltExtGNEnable_3=true
    8.default.params.subjAltExtPattern_3=$request.req_san_pattern_3$
    8.default.params.subjAltExtType_3=DNSName
    8.default.params.subjAltExtGNEnable_4=true
    8.default.params.subjAltExtPattern_4=$request.req_san_pattern_4$
    8.default.params.subjAltExtType_4=DNSName
    policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
    policyset.serverCertSet.9.default.name=Subject Alternative Name Extension Default
    policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
    policyset.serverCertSet.9.default.params.subjAltExtPattern_0=$request.req_san_pattern_0$
    policyset.serverCertSet.9.default.params.subjAltExtType_0=DNSName
    policyset.serverCertSet.9.default.params.subjAltExtGNEnable_1=true
    policyset.serverCertSet.9.default.params.subjAltExtPattern_1=$request.req_san_pattern_1$
    policyset.serverCertSet.9.default.params.subjAltExtType_1=DNSName
    policyset.serverCertSet.9.default.params.subjAltExtGNEnable_2=true
    policyset.serverCertSet.9.default.params.subjAltExtPattern_2=$request.req_san_pattern_2$
    policyset.serverCertSet.9.default.params.subjAltExtType_2=DNSName
    policyset.serverCertSet.9.default.params.subjAltExtGNEnable_3=true
    policyset.serverCertSet.9.default.params.subjAltExtPattern_3=$request.req_san_pattern_3$
    policyset.serverCertSet.9.default.params.subjAltExtType_3=DNSName
    policyset.serverCertSet.9.default.params.subjAltExtGNEnable_4=true
    policyset.serverCertSet.9.default.params.subjAltExtPattern_4=$request.req_san_pattern_4$
    policyset.serverCertSet.9.default.params.subjAltExtType_4=DNSName
    policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false
    policyset.serverCertSet.9.default.params.subjAltNameNumGNs=5
3. Install the RootCA with SAN
    # cat ca.cfg
    [DEFAULT]
    pki_instance_name = topology-02-CA
    pki_https_port = 20443
    pki_http_port = 20080
    pki_token_password = SECret.123
    pki_admin_password = SECret.123
    pki_admin_key_type=rsa
    pki_admin_key_size=2048
    pki_admin_key_algorithm=SHA512withRSA
    pki_hostname = pki1.example.com
    pki_security_domain_name = topology-02_Foobarmaster.org
    pki_security_domain_password = SECret.123
    pki_security_domain_https_port=20443
    pki_client_dir = /opt/topology-02-CA
    pki_client_pkcs12_password = SECret.123
    pki_backup_keys = True
    pki_backup_password = SECret.123
    pki_ds_password = SECret.123
    pki_ds_ldap_port = 389
    pki_san_inject=True
    pki_san_for_server_cert=pki1.example.com,redacted_serverb,redacted_serverb.domain,redacted_servera,redacted_servera.domain
    pki_sslserver_key_algorithm=SHA512withRSA
    pki_sslserver_key_size=2048
    pki_sslserver_key_type=rsa
    pki_subsystem_key_type=rsa
    pki_subsystem_key_size=2048
    pki_subsystem_key_algorithm=SHA512withRSA
    pki_audit_signing_key_algorithm=SHA512withRSA
    pki_audit_signing_key_size=2048
    pki_audit_signing_key_type=rsa
    pki_audit_signing_signing_algorithm=SHA512withRSA
    [Tomcat]
    pki_ajp_port = 20009
    pki_tomcat_server_port = 20005
    [CA]
    pki_import_admin_cert = False
    pki_ds_hostname = pki1.example.com
    pki_admin_nickname = PKI CA Administrator for Example.Org
    pki_ca_signing_key_algorithm=SHA512withRSA
    pki_ca_signing_key_size=2048
    pki_ca_signing_key_type=rsa
    pki_ca_signing_signing_algorithm=SHA512withRSA
    pki_ocsp_signing_key_algorithm=SHA512withRSA
    pki_ocsp_signing_key_size=2048
    pki_ocsp_signing_key_type=rsa
    pki_ocsp_signing_signing_algorithm=SHA512withRSA

    # pkispawn -s CA -f ca.cfg -vv
    # certutil -L -d /var/lib/pki/topology-02-CA/alias/ -n "Server-Cert cert-topology-02-CA"
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 3 (0x3)
            Signature Algorithm: PKCS #1 SHA-512 With RSA Encryption
            Issuer: "CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org"
            Validity:
                Not Before: Wed Oct 09 12:54:37 2019
                Not After : Tue Sep 28 12:54:37 2021
            Subject: "CN=pki1.example.com,OU=topology-02-CA,O=topology-02_Foobarmaster.org"
            Subject Public Key Info:
                Public Key Algorithm: PKCS #1 RSA Encryption
                RSA Public Key:
                    Modulus:
                        ba:30:7f:4a:fe:6a:88:f2:8b:90:76:f0:52:f7:07:04:
                        2b:b9:a7:4c:85:19:ae:8e:e2:9d:43:42:4b:6c:90:d9:
                        bc:8c:de:77:7b:95:e8:f3:e3:9b:38:35:42:ca:5c:b5:
                        ca:77:43:cc:1d:3b:b4:bc:ea:3a:9f:6f:56:0a:8d:a6:
                        8d:02:e8:61:8c:eb:ae:68:67:2b:41:14:be:2f:cb:00:
                        98:49:2b:e8:59:f0:4b:a2:d1:17:76:cf:d7:e7:d9:3d:
                        50:d8:8a:f1:e8:2b:d6:33:59:ef:5c:ce:5e:ed:ca:ba:
                        99:26:34:46:b5:e2:ea:ee:13:7f:b8:07:ea:f6:50:ca:
                        ee:f2:af:81:73:e1:52:32:cd:00:f8:c3:e5:20:31:0a:
                        4b:05:f6:9f:ad:75:7c:4a:68:e6:8f:f9:ec:71:9b:bb:
                        b7:90:94:e7:07:dd:96:3c:32:9d:cd:76:38:20:2f:df:
                        4c:f6:a8:33:f1:6f:fe:07:ed:f8:79:0e:31:83:40:25:
                        84:5a:97:84:39:85:5a:dd:38:36:2a:bc:f4:5f:be:34:
                        1b:49:aa:df:5b:55:c2:1e:00:e3:aa:e0:d8:7c:0e:6e:
                        41:72:57:32:5c:e1:a0:df:10:63:93:35:46:61:27:90:
                        5d:6f:9c:47:46:b4:e6:72:d5:66:c2:70:3c:8e:86:d5
                    Exponent: 65537 (0x10001)
            Signed Extensions:
                Name: Certificate Authority Key Identifier
                Key ID:
                    82:d7:27:7c:3d:bf:57:71:57:9a:e1:b7:4f:2b:d4:64:
                    28:aa:f2:79

                Name: Authority Information Access
                Method: PKIX Online Certificate Status Protocol
                Location:
                    URI: "http://pki1.example.com:20080/ca/ocsp"

                Name: Certificate Key Usage
                Critical: True
                Usages: Digital Signature
                        Key Encipherment
                        Data Encipherment

                Name: Extended Key Usage
                    TLS Web Server Authentication Certificate

                Name: Certificate Subject Alt Name
                Critical: True
                DNS name: "pki1.example.com"
                DNS name: "redacted_serverb"
                DNS name: "redacted_serverb.domain"
                DNS name: "redacted_servera"
                DNS name: "redacted_servera.domain"
5. Execute ca-clone-prepare, get the p12 file, then copy it to the clone machine
    # pki-server ca-clone-prepare -i topology-02-CA --pkcs12-file /tmp/caclone.p12 --pkcs12-password SECret.123
    -----------------------------------------------------
    Added certificate "subsystemCert cert-topology-02-CA"
    -----------------------------------------------------
    --------------------------------------------------------
    Added certificate "caSigningCert cert-topology-02-CA CA"
    --------------------------------------------------------
    ----------------------------------------------------------
    Added certificate "ocspSigningCert cert-topology-02-CA CA"
    ----------------------------------------------------------
    -----------------------------------------------------------
    Added certificate "auditSigningCert cert-topology-02-CA CA"
    -----------------------------------------------------------
6. Install the clone with the same SAN changes as on the master:
    # cat clone.cfg
    [DEFAULT]
    pki_instance_name = topology-02-CA-clone
    pki_https_port = 22080
    pki_http_port = 22443
    pki_token_password = SECret.123
    pki_admin_password = SECret.123
    pki_hostname = pki2.example.com
    pki_security_domain_hostname = pki1.example.com
    pki_security_domain_password = SECret.123
    pki_security_domain_https_port = 20443
    pki_security_domain_post_login_sleep_seconds=5
    pki_security_domain_name=topology-02_Foobarmaster.org
    pki_client_dir = /opt/topology-02-CA-clone
    pki_client_pkcs12_password = SECret.123
    pki_client_database_password = SECret.123
    pki_ds_password = SECret.123
    pki_ds_ldap_port = 3389
    pki_san_inject=True
    pki_san_for_server_cert=pki1.example.com,redacted_serverb,redacted_serverb.domain, redacted_servera,redacted_servera.domain
    [Tomcat]
    pki_ajp_port = 22009
    pki_tomcat_server_port = 22005
    [CA]
    pki_clone=True
    pki_clone_pkcs12_password=SECret.123
    pki_clone_pkcs12_path=/tmp/caclone.p12
    pki_import_admin_cert = False
    pki_admin_nickname= ca_clone
    pki_ds_hostname = pki2.example.com
    pki_ds_base_dn=o=topology-02-CA-CA
    pki_ds_database=ca-clone
    pki_clone_replication_master_port=389
    pki_clone_replication_clone_port=3389
    pki_clone_replicate_schema=True
    pki_clone_uri=https://pki1.example.com:20443
    pki_ca_signing_nickname=caSigningCert cert-topology-02-CA CA
    pki_ocsp_signing_nickname=ocspSigningCert cert-topology-02-CA CA
    pki_audit_signing_nickname=auditSigningCert cert-topology-02-CA CA
    pki_subsystem_nickname=subsystemCert cert-topology-02-CA

    # pkispawn -s CA -f clone.cfg -vv
7. Installation happened successfully, with the SAN reflected in its server cert.
    [root@pki2 ~]# certutil -L -d /var/lib/pki/topology-02-CA-clone/alias/ -n "Server-Cert cert-topology-02-CA-clone"
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 8 (0x8)
            Signature Algorithm: PKCS #1 SHA-512 With RSA Encryption
            Issuer: "CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org"
            Validity:
                Not Before: Wed Oct 09 13:01:40 2019
                Not After : Tue Sep 28 13:01:40 2021
            Subject: "CN=pki2.example.com,OU=topology-02-CA-clone,O=topology-02_Foobarmaster.org"
            Subject Public Key Info:
                Public Key Algorithm: PKCS #1 RSA Encryption
                RSA Public Key:
                    Modulus:
                        d8:3c:67:43:a3:d9:a3:d2:94:a2:97:a1:2e:b2:4f:b0:
                        70:75:57:99:38:15:64:51:1f:54:1e:df:c1:96:ec:f9:
                        01:37:92:e7:69:28:09:44:e3:d2:22:69:d1:cd:36:d5:
                        90:70:e0:04:e3:ed:d8:32:43:ed:68:23:14:ca:5a:74:
                        ae:3d:67:95:12:4c:45:e8:e1:7e:85:71:ef:23:5c:34:
                        d1:4e:ce:4e:02:b4:63:c4:21:f4:b2:c0:16:cb:df:c7:
                        4e:fb:92:a1:6a:5f:d7:fc:39:86:0e:ff:97:5a:c7:65:
                        ce:90:a4:d2:39:12:54:b9:a4:6e:dd:95:dc:a9:79:10:
                        44:27:04:25:8a:33:f7:63:1c:ba:b1:9a:7d:0a:0b:62:
                        bf:17:aa:61:62:46:f6:b3:6a:b1:22:52:c9:3e:c9:88:
                        d1:97:23:9e:26:5e:d6:f4:f8:be:f9:24:c6:e7:f4:63:
                        a7:d8:46:79:6a:1a:3e:88:94:b6:f8:10:2e:c5:76:ef:
                        a4:d8:a8:74:15:90:81:7a:83:69:a6:66:a1:f8:85:36:
                        1b:05:bf:5f:d2:3c:a5:72:b1:22:51:eb:0f:f6:f9:ea:
                        7c:f4:eb:e0:9e:94:f3:21:62:a0:ea:e3:fe:3a:c6:63:
                        58:df:c6:46:80:05:0f:7c:ed:81:2e:0b:ed:4b:49:51
                    Exponent: 65537 (0x10001)
            Signed Extensions:
                Name: Certificate Authority Key Identifier
                Key ID:
                    82:d7:27:7c:3d:bf:57:71:57:9a:e1:b7:4f:2b:d4:64:
                    28:aa:f2:79

                Name: Authority Information Access
                Method: PKIX Online Certificate Status Protocol
                Location:
                    URI: "http://pki1.example.com:20080/ca/ocsp"

                Name: Certificate Key Usage
                Critical: True
                Usages: Digital Signature
                        Key Encipherment
                        Data Encipherment

                Name: Extended Key Usage
                    TLS Web Server Authentication Certificate
                    TLS Web Client Authentication Certificate

                Name: Certificate Subject Alt Name
                DNS name: "pki1.example.com"
                DNS name: "redacted_serverb"
                DNS name: "redacted_serverb.domain"
                DNS name: "redacted_servera"
Actual results:
Seen that the RootCA server cert has 5 DNS name entries in its SAN and that cloning with the SAN extension is successful, but the clone CA's SSL server certificate is issued with only 4 DNS name entries in its SAN extension.
Expected results: It should replicate all 5 DNS name entries in the clone CA server cert, as per the injected SAN.
Proof of concept: Please find the RootCA debug log and profile configs attached.
Additional info:
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1743122#c16
https://bugzilla.redhat.com/show_bug.cgi?id=1760365
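As an added check (not part of this report or of Dogtag PKI), the stdlib-only script below reads pki_san_for_server_cert from a pkispawn config, reads the DNS names that certutil -L prints for the issued Server-Cert, and lists every requested name the certificate lacks. Both inputs are constructed to mirror clone.cfg and the clone certificate above, including the space after the third comma in the SAN list, which the check strips so that it compares names rather than raw substrings.

```python
"""Compare the SAN DNS names pkispawn was asked to inject with the names
actually present in the issued Server-Cert (certutil -L text output)."""
import configparser
import re

# Constructed pkispawn config fragment mirroring clone.cfg from the report,
# including the stray space after the third comma in the SAN list.
CLONE_CFG = """[DEFAULT]
pki_instance_name = topology-02-CA-clone
pki_san_inject=True
pki_san_for_server_cert=pki1.example.com,redacted_serverb,redacted_serverb.domain, redacted_servera,redacted_servera.domain
[CA]
pki_clone=True
"""

# Constructed excerpt of `certutil -L` output for the clone's Server-Cert.
CLONE_CERTUTIL = """Signed Extensions:
    Name: Certificate Subject Alt Name
    DNS name: "pki1.example.com"
    DNS name: "redacted_serverb"
    DNS name: "redacted_serverb.domain"
    DNS name: "redacted_servera"
"""

SAN_RE = re.compile(r'DNS name:\s*"([^"]+)"')


def expected_sans(cfg_text, section="CA"):
    """SAN names requested via pki_san_for_server_cert, whitespace-normalised.
    Values in [DEFAULT] are inherited by the subsystem section, as in pkispawn."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    if not cp.getboolean(section, "pki_san_inject", fallback=False):
        return []
    raw = cp.get(section, "pki_san_for_server_cert", fallback="")
    return [name.strip() for name in raw.split(",") if name.strip()]


def issued_sans(certutil_text):
    """DNS names listed under the Subject Alt Name extension, in order."""
    return SAN_RE.findall(certutil_text)


def missing_sans(cfg_text, certutil_text):
    """Names requested in the config but absent from the issued certificate."""
    present = set(issued_sans(certutil_text))
    return [name for name in expected_sans(cfg_text) if name not in present]


if __name__ == "__main__":
    for name in missing_sans(CLONE_CFG, CLONE_CERTUTIL):
        print("missing from Server-Cert SAN:", name)
```

Run against a real deployment by replacing the two constructed strings with the contents of the pkispawn config and the output of `certutil -L -d <alias dir> -n <nickname>`.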
Metadata Update from @cipherboy:
- Custom field component adjusted to None
- Custom field feature adjusted to None
- Custom field origin adjusted to None
- Custom field proposedmilestone adjusted to None
- Custom field proposedpriority adjusted to None
- Custom field reviewer adjusted to None
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1760365
- Custom field type adjusted to None
- Custom field version adjusted to None
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/3262
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.
Metadata Update from @dmoluguw:
- Issue close_status updated to: migrated
- Issue status updated to: Closed (was: Open)