#8532 Revise PKINIT upgrade code
Closed: fixed a year ago by rcritten. Opened 2 years ago by abbra.

I am reading through PKINIT upgrade and setup code and I think we have a logical bug in ipa-pkinit-manage and in the upgrade code:
1. ipa-pkinit-manage never calls krbinstance's setup_pkinit() on enable, so we are never able to enable the certificate issuance through it even though we are able to disable one
2. upgrade code only allows to issue self-signed certificates if certificates are missing

As a result, there is no way to upgrade from self-signed to CA-based and, the way it is done, even if you'd do a reissue, the issuer will still be left as cn=<hostname>, without the EKUs we need, so it will not work for web UI logon FAST wrapping.

We have to reissue cert properly and there is nothing that would do it -- as nothing calls into krb instance's setup_pkinit().

A manual fix is to force a reissue of the PKINIT certificate against the right CA with the right issuer and EKUs:

ipa-getcert rekey -f /var/kerberos/krb5kdc/kdc.crt -U id-kp-serverAuth -U id-pkinit-KPKdc -K krbtgt/IPA.TEST@IPA.TEST -T KDCs_PKINIT_Certs -X IPA

but we need to revise upgrade code and ipa-pkinit-manage to make sure we are taking care of the conversion of 'bogus' PKINIT certificate to the correct one, whether self-signed or IPA CA.
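An added check, not code from this ticket or from the FreeIPA project, for the two symptoms described above: a self-signed KDC certificate (issuer equal to subject) and the missing id-kp-serverAuth / id-pkinit-KPKdc EKUs. It uses the openssl CLI; on a server you would point it at /var/kerberos/krb5kdc/kdc.crt, while here it builds constructed sample certificates (names, subjects and the toy CA are assumptions) to show both outcomes:

```shell
#!/bin/sh
# Added check, not FreeIPA project code. Requires the openssl CLI.
# A KDC PKINIT cert should be issued by the IPA CA (not self-signed with
# issuer CN=<hostname>) and carry the EKUs id-kp-serverAuth
# (1.3.6.1.5.5.7.3.1) and id-pkinit-KPKdc (1.3.6.1.5.2.3.5).
# Prints "ok" or one problem per line.
check_pkinit_cert() {
    cert="$1"
    subj=$(openssl x509 -in "$cert" -noout -subject | sed 's/^[^=]*=//')
    iss=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^[^=]*=//')
    # EKU names (or raw OIDs) sit on the line after the extension header
    eku=$(openssl x509 -in "$cert" -noout -text | grep -A1 'Extended Key Usage' | tail -n 1)
    problems=""
    [ "$subj" = "$iss" ] && problems="${problems}self-signed (issuer:$iss)\n"
    echo "$eku" | grep -q 'TLS Web Server Authentication' \
        || problems="${problems}missing id-kp-serverAuth EKU\n"
    echo "$eku" | grep -Eq 'Signing KDC Response|1\.3\.6\.1\.5\.2\.3\.5' \
        || problems="${problems}missing id-pkinit-KPKdc EKU\n"
    if [ -z "$problems" ]; then echo ok; else printf '%b' "$problems"; fi
}

# Constructed sample certificates (written to a temp dir, path echoed):
#   bogus.crt - self-signed, no EKUs, like the cert the old upgrade left behind
#   good.crt  - issued by a toy CA with both EKUs, like a proper rekey result
make_samples() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/bogus.key" \
        -out "$dir/bogus.crt" -subj "/CN=kdc.ipa.test" -days 1 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
        -out "$dir/ca.crt" -subj "/O=IPA.TEST/CN=Certificate Authority" -days 1 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/good.key" \
        -out "$dir/good.csr" -subj "/CN=kdc.ipa.test" 2>/dev/null
    printf 'extendedKeyUsage=serverAuth,1.3.6.1.5.2.3.5\n' > "$dir/eku.cnf"
    openssl x509 -req -in "$dir/good.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/good.crt" -days 1 -extfile "$dir/eku.cnf" 2>/dev/null
    echo "$dir"
}

# Stand-alone demo; on a real server run: check_pkinit_cert /var/kerberos/krb5kdc/kdc.crt
samples=$(make_samples)
for c in bogus good; do
    echo "== $c.crt"; check_pkinit_cert "$samples/$c.crt"
done
rm -rf "$samples"
```

The bogus certificate reports all three problems, the CA-issued one reports "ok"; the same three conditions are what the ipa-getcert rekey command above corrects.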


Metadata Update from @pcech:
- Issue priority set to: important

2 years ago

Metadata Update from @rcritten:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1886837

a year ago

master:

  • 50306cc Allow PKINIT to be enabled when updating from a pre-PKINIT IPA CA server

ipa-4-6:

  • 16ee41b Allow PKINIT to be enabled when updating from a pre-PKINIT IPA CA server

ipa-4-9:

  • 7bed7e4 Allow PKINIT to be enabled when updating from a pre-PKINIT IPA CA server

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

a year ago
