#7147 RFE - IdM should not accept "invalid" CA and SSL server certificates in installer and updater
Opened 6 years ago by msauton. Modified 5 years ago

A RHEL-7.3 IdM system was updated to RHEL-7.4, and there are reports of SSL errors:

failed update on "ipactl restart" with error
"[SSL: SSL_HANDSHAKE_FAILURE] ssl handshake failure (_ssl.c:1783)"

other related errors from httpd:
"SSL Library Error: -8172 Certificate is signed by an untrusted issuer"
"Bad remote server certificate: -8172"

The problem is that the CA certificate and the SSL server certificate that were used by RHEL-7.3 IdM before the RHEL-7.4 update are invalid:

A CA certificate has those extensions and signature algorithm:
"
    Signed Extensions:
        Name: Certificate Type
        Data: <SSL CA,S/MIME CA,ObjectSigning CA>

        Name: Certificate Basic Constraints
        Critical: True
        Data: Is a CA with no maximum path length.

        Name: Certificate Key Usage
        Critical: True
        Usages: Digital Signature
                Non-Repudiation
                Certificate Signing

    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
"

And a HTTPD SSL server cert has those extensions and signature algorithm:

"
    Signed Extensions:
        Name: Certificate Type
        Data: <SSL Server>

        Name: Certificate Key Usage
        Usages: Key Encipherment

    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
"

Both certs are invalid in PKI, and could NOT have been issued by Dogtag.
The CA cert was probably generated by OpenSSL.

We should add requirements, in the IPA installer and updater, on any third-party or non-IPA-Dogtag-issued certificate: certificate extensions that must be present before installing or updating an IdM master or replica.

Not doing so results in a severely broken IdM deployment: the CA must be renewed and deployed, then the server certificates must be renewed.

It may not be clear what is an invalid or valid CA or SSL server certificate, but we should make sure a minimum set of extensions are present to allow for a working PKI trust chain validation.

A CA cert should have:
- Certificate Authority Key Identifier
- Certificate Basic Constraints
    Critical: True
    a length
- Certificate Key Usage
    Critical: True
    Usages: Digital Signature
            Non-Repudiation
            Certificate Signing
            CRL Signing
- Certificate Subject Key ID
- Authority Information Access
    with method PKIX with OID 1.3.6.1.5.5.7.48.1 and a URI

A SSL server cert should have:
- Certificate Authority Key Identifier
- Authority Information Access
    with method PKIX with OID 1.3.6.1.5.5.7.48.1 and a URI
- Certificate Key Usage
    Critical: True
    Usages: Digital Signature
            Non-Repudiation
            Key Encipherment
            Data Encipherment
- Extended Key Usage
    TLS Web Server Authentication Certificate
    TLS Web Client Authentication Certificate
- CRL Distribution Points with URI and "CRL issuer"
- Certificate Subject Key ID
and at least a signature algorithm with SHA-256 With RSA Encryption
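The two requirement lists above, expressed as a pre-flight check. This is an added example and not FreeIPA, Dogtag or ipa-healthcheck code; it uses the third-party 'cryptography' package. To make it runnable offline it also constructs two pairs of certificates: a "bad" pair shaped like the certutil dumps quoted in the report (CA with no path length, no CRL Signing, no SKI/AKI/AIA and a SHA-1 signature; httpd cert with a non-critical Key Usage of only Key Encipherment and a SHA-1 signature) and a "good" pair that carries everything the lists ask for. The CA name, the hostname ipa.example.test and the OCSP/CRL URLs are made up.

```python
# Added example, not FreeIPA or Dogtag code: the ticket's minimum extension
# requirements expressed as checks, using the third-party 'cryptography'
# package. The CA name, hostname and OCSP/CRL URLs below are made up.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import (AuthorityInformationAccessOID as AIAOID,
                                   ExtendedKeyUsageOID as EKU, ExtensionOID as EXT, NameOID)

OCSP_URI = "http://ipa-ca.example.test/ca/ocsp"               # hypothetical
CRL_URI = "http://ipa-ca.example.test/ipa/crl/MasterCRL.bin"  # hypothetical
KU_FLAGS = ("digital_signature", "content_commitment", "key_encipherment", "data_encipherment",
            "key_agreement", "key_cert_sign", "crl_sign", "encipher_only", "decipher_only")

def _ext(cert, oid):
    """Return the extension with this OID, or None if the cert lacks it."""
    try:
        return cert.extensions.get_extension_for_oid(oid)
    except x509.ExtensionNotFound:
        return None

def _check_common(cert, required_ku, problems):
    """Requirements the ticket lists for both the CA and the server cert."""
    ku = _ext(cert, EXT.KEY_USAGE)   # 'content_commitment' is the library's name for nonRepudiation
    if ku is None or not ku.critical:
        problems.append("Key Usage must be present and critical")
    else:
        problems += ["Key Usage lacks " + f for f in required_ku if not getattr(ku.value, f)]
    for oid, name in ((EXT.SUBJECT_KEY_IDENTIFIER, "Subject"), (EXT.AUTHORITY_KEY_IDENTIFIER, "Authority")):
        if _ext(cert, oid) is None:
            problems.append("missing %s Key Identifier" % name)
    aia = _ext(cert, EXT.AUTHORITY_INFORMATION_ACCESS)  # method 1.3.6.1.5.5.7.48.1 is id-ad-ocsp
    if aia is None or not any(d.access_method == AIAOID.OCSP and isinstance(
            d.access_location, x509.UniformResourceIdentifier) for d in aia.value):
        problems.append("missing Authority Information Access with an OCSP URI")
    if isinstance(cert.signature_hash_algorithm, (hashes.SHA1, hashes.MD5)):
        problems.append(f"signature uses {cert.signature_hash_algorithm.name}; SHA-256 or stronger required")

def check_ca_cert(cert):
    """Return a list of problems; empty means the CA cert meets the ticket's list."""
    problems = []
    bc = _ext(cert, EXT.BASIC_CONSTRAINTS)
    if bc is None or not bc.critical or not bc.value.ca:
        problems.append("Basic Constraints must be present, critical and CA:TRUE")
    elif bc.value.path_length is None:
        problems.append("Basic Constraints has no path length")
    _check_common(cert, ("digital_signature", "content_commitment", "key_cert_sign", "crl_sign"), problems)
    return problems

def check_server_cert(cert):
    """Return a list of problems; empty means the server cert meets the ticket's list."""
    problems = []
    _check_common(cert, ("digital_signature", "content_commitment", "key_encipherment", "data_encipherment"), problems)
    eku = _ext(cert, EXT.EXTENDED_KEY_USAGE)
    for oid in (EKU.SERVER_AUTH, EKU.CLIENT_AUTH):
        if eku is None or oid not in eku.value:
            problems.append("Extended Key Usage lacks " + oid.dotted_string)
    cdp = _ext(cert, EXT.CRL_DISTRIBUTION_POINTS)
    if cdp is None or not any(dp.full_name and dp.crl_issuer for dp in cdp.value):
        problems.append("missing CRL Distribution Points with URI and CRL issuer")
    return problems

# Constructed test certificates: a 'bad' pair shaped like the ticket's dumps and a 'good' pair.
def _ku(*on):
    return x509.KeyUsage(**{f: f in on for f in KU_FLAGS})

def _builder(cn, issuer, key, days):
    now = datetime.datetime.now(datetime.timezone.utc)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer or subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=days)))

def _ids(b, subject_key, issuer_key):  # SKI, AKI and OCSP AIA, which both good certs carry
    aia = x509.AuthorityInformationAccess([x509.AccessDescription(AIAOID.OCSP, x509.UniformResourceIdentifier(OCSP_URI))])
    return (b.add_extension(x509.SubjectKeyIdentifier.from_public_key(subject_key.public_key()), critical=False)
             .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(issuer_key.public_key()), critical=False)
             .add_extension(aia, critical=False))

def make_ca(good):
    """Self-signed CA as (key, cert); good=False mimics the ticket's CA: no path length, no CRL Signing, no SKI/AKI/AIA, SHA-1."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    b = _builder("Example IPA CA", None, key, 3650)
    b = b.add_extension(x509.BasicConstraints(ca=True, path_length=0 if good else None), critical=True)
    b = b.add_extension(_ku("digital_signature", "content_commitment", "key_cert_sign", *(["crl_sign"] if good else [])), critical=True)
    if not good:
        return key, b.sign(key, hashes.SHA1())
    return key, _ids(b, key, key).sign(key, hashes.SHA256())

def make_server(ca_key, ca_cert, good):
    """Server cert issued by ca_cert; good=False mirrors the ticket's httpd cert: non-critical KU of only Key Encipherment, SHA-1."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    b = _builder("ipa.example.test", ca_cert.subject, key, 365)
    if not good:
        return b.add_extension(_ku("key_encipherment"), critical=False).sign(ca_key, hashes.SHA1())
    cdp = x509.CRLDistributionPoints([x509.DistributionPoint(full_name=[x509.UniformResourceIdentifier(CRL_URI)],
                                      relative_name=None, reasons=None, crl_issuer=[x509.DirectoryName(ca_cert.subject)])])
    b = (b.add_extension(_ku("digital_signature", "content_commitment", "key_encipherment", "data_encipherment"), critical=True)
          .add_extension(x509.ExtendedKeyUsage([EKU.SERVER_AUTH, EKU.CLIENT_AUTH]), critical=False)
          .add_extension(cdp, critical=False))
    return _ids(b, key, ca_key).sign(ca_key, hashes.SHA256())
```

Against a real deployment the certs would be loaded with `x509.load_pem_x509_certificate()` from the PEM files instead of constructed; `check_ca_cert()` on the report's CA then lists the missing path length, the missing CRL Signing bit, the missing SKI/AKI/AIA and the SHA-1 signature, and `check_server_cert()` on the httpd cert flags the non-critical Key Usage, the missing EKU and CRL Distribution Points. Note that the lists are stricter than what RFC 5280 requires for path validation (AIA and CRL Distribution Points are optional there), which is why they are phrased as an installer policy rather than as a definition of "valid".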


Metadata Update from @pvoborni:
- Issue set to the milestone: FreeIPA 4.7

6 years ago

Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1489962

6 years ago

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)

5 years ago

FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone

Metadata Update from @rcritten:
- Issue tagged with: healthcheck

5 years ago
