#7761 External CA renewal accepts issuer key < 2048-bit
Closed: fixed 4 years ago Opened 4 years ago by ftweedal.

Issue

External CA renewal, when changing from self-signed to externally-signed, accepts
a certificate chain where the issuer certificate has a < 2048-bit key. The certificate
is accepted and imported, but this leads to failure to initialise Dogtag because NSS
refuses to validate the CA certificate.

Steps to Reproduce

  1. Use ipa-cacert-manage to switch from self-signed to external CA.
  2. Sign with a 1024-bit CA. Complete the renewal.
  3. Observe: renewal completes, but Dogtag subsequently fails to start.

Expected behavior

Cert chain with 1024-bit CAs should be rejected.

Additional info:

This check should also be carried out in initial CA installation, if it is not already.


Related to that, do we need a check for SHA-1 signatures, too?

I'll check... the certutil -V check should catch issues like this, but it is not catching the
1024-bit keys so there might be more checks needed.
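The two checks discussed above (issuer RSA key size below 2048 bits, and the SHA-1 signature question raised in the comments), as an added Go example that is not FreeIPA's own fix (which lives in its Python certdb code). The self-signed CA it builds is constructed sample data, and `CheckChain`/`SelfSignedCA` are names chosen here, not FreeIPA functions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// minRSABits is the smallest RSA key size accepted anywhere in the chain.
const minRSABits = 2048

// CheckChain returns an error naming the first certificate whose RSA key is
// below minRSABits or whose signature uses MD5 or SHA-1; nil means acceptable.
func CheckChain(chain []*x509.Certificate) error {
	for _, c := range chain {
		if pub, ok := c.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < minRSABits {
			return fmt.Errorf("%s: RSA key is %d bits, minimum is %d", c.Subject, pub.N.BitLen(), minRSABits)
		}
		switch c.SignatureAlgorithm {
		case x509.MD5WithRSA, x509.SHA1WithRSA, x509.ECDSAWithSHA1:
			return fmt.Errorf("%s: weak signature algorithm %s", c.Subject, c.SignatureAlgorithm)
		}
	}
	return nil
}

// SelfSignedCA builds a constructed self-signed CA cert (sample data, not from any deployment) with an RSA key of the given size.
func SelfSignedCA(bits int) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: fmt.Sprintf("Example Root CA %d", bits)},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Running `CheckChain` over every certificate in the externally-signed chain before importing it is what turns the Dogtag start-up failure described in the issue into an up-front rejection.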

master:

  • a2a293e Print correct subject on CA cert verification failure
  • 61e1d7a certdb: validate certificate signatures

ipa-4-7:

  • b8a1ca0 Print correct subject on CA cert verification failure
  • 1c7e179 certdb: validate certificate signatures

Metadata Update from @ftweedal:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

4 years ago

ipa-4-7:

  • c2ae638 certdb: validate server cert signature

master:

  • 13917dd certdb: validate server cert signature

master:

  • f9b2228 add test for external CA key size sanity check

ipa-4-7:

  • c34819c add test for external CA key size sanity check
