#7762 External CA renewal accepts IPA CA cert with empty Subject Key Identifier
Closed: fixed 5 years ago Opened 5 years ago by ftweedal.

(Based on https://bugzilla.redhat.com/show_bug.cgi?id=1641988)

External CA renewal, when changing from self-signed to externally-signed, accepts
an IPA CA certificate with empty Subject Key Identifier. This is technically legal in X.509,
but operationally it is highly problematic. Furthermore, due to a bug in Dogtag (https://pagure.io/dogtagpki/issue/3079) it will cause Dogtag startup failure.

Steps to Reproduce

  1. Use ipa-cacert-manage to switch from self-signed to external CA.
  2. Produce a CA certificate with empty SKI. See https://bugzilla.redhat.com/show_bug.cgi?id=1641988 for detailed steps.
  3. Complete the renewal.
  4. Observe: renewal completes, but Dogtag subsequently fails to start.

Expected behavior

Certificate with empty or absent Subject Key Identifier should be rejected.

Additional info:

This check should also be carried out in initial CA installation, if it is not already.
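
As an added illustration, not FreeIPA's own code or the fix referenced below, the following Python check (using python-cryptography, which FreeIPA also relies on) rejects a CA certificate whose Subject Key Identifier is absent or present but zero-length, and builds constructed self-signed sample certificates for all three cases; the function names `ski_problem` and `make_ca_cert` are assumptions for this example.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def ski_problem(cert):
    """Return None if the certificate carries a usable Subject Key Identifier,
    otherwise a short reason why it should be rejected as a CA certificate."""
    try:
        ext = cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier)
    except x509.ExtensionNotFound:
        return "Subject Key Identifier extension is absent"
    # An SKI encoded as an empty OCTET STRING is valid DER, so a bare
    # "extension exists" check would let it through; test the length too.
    if len(ext.value.digest) == 0:
        return "Subject Key Identifier extension is empty"
    return None


def make_ca_cert(ski):
    """Build a constructed self-signed CA certificate for testing.
    ski is "proper" (SKI derived from the key), "empty" (zero-length SKI
    OCTET STRING) or "absent" (no SKI extension at all)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Test CA")])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
    )
    if ski == "proper":
        builder = builder.add_extension(
            x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
    elif ski == "empty":
        builder = builder.add_extension(x509.SubjectKeyIdentifier(b""), critical=False)
    return builder.sign(key, hashes.SHA256())


if __name__ == "__main__":
    for kind in ("proper", "empty", "absent"):
        print(kind, "->", ski_problem(make_ca_cert(kind)) or "accepted")
```

The same `ski_problem` check can be applied to a PEM-loaded externally signed CA certificate before it is imported, which is the point at which the ticket asks for the rejection to happen.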


Metadata Update from @ftweedal:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1641988

5 years ago

Metadata Update from @ftweedal:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/2548

5 years ago

master:

  • d731f6f certdb: ensure non-empty Subject Key Identifier

ipa-4-7:

  • c7cc989 certdb: ensure non-empty Subject Key Identifier

Metadata Update from @cheimes:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

5 years ago

master:

  • 146168d Check if issuer DN is updated after external-ca > self-signed

ipa-4-7:

  • fde6ef5 Check if issuer DN is updated after external-ca > self-signed
