#9353 certmonger helper renew_ca_cert does not set the P trust flag on the KRA audit certificate during renewal
Closed: fixed 8 months ago by rcritten. Opened 2 years ago by rcritten.

Issue

The CA and KRA audit certificates require the trusted peer (P) flag set. This is done for the CA but not for the KRA. It is a simple change to also include "auditSigningCert cert-pki-kra" in the nickname check.

In some cases certmonger may preserve the trust flags on renewal, but when the certificates are stored in an HSM token the trust flags are not set in the token, so there is nothing to restore and the helper must set the P flag itself.
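The check described above, as an added example that is not FreeIPA's own renew_ca_cert code: a small Python helper that parses the output of `certutil -L -d <dbdir>`, reports which of the two audit signing certificates lack the P (trusted peer) flag, and builds the `certutil -M` command that sets it. The two nicknames come from the ticket; the database path, the sample listing and the function names are constructed for the example.

```python
"""Verify the NSS trust flags on the CA and KRA audit signing certificates.

Added example; not code from FreeIPA or its renew_ca_cert helper. It parses
the text printed by `certutil -L -d <dbdir>`, reports audit certificates that
lack the P (trusted peer) flag, and builds the `certutil -M` command that
would set it. SAMPLE_LISTING and the database path are constructed.
"""
import re
import subprocess

# Nicknames that must carry the P flag. The ticket's fix is to include the
# cert-pki-kra nickname alongside the cert-pki-ca one in this check.
PEER_TRUST_NICKNAMES = frozenset({
    "auditSigningCert cert-pki-ca",
    "auditSigningCert cert-pki-kra",
})

# Trust argument for `certutil -M -t`: the columns are SSL, S/MIME and
# object signing; the P flag belongs in the third column.
PEER_TRUST_FLAGS = ",,P"

# One listing line: nickname (may contain spaces), whitespace, then three
# comma-separated trust columns at the end of the line.
_LINE_RE = re.compile(
    r"^(?P<nick>.+?)\s+(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)$")

# Constructed sample of `certutil -L` output: the KRA audit cert is missing P.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
auditSigningCert cert-pki-kra                                u,u,u
Server-Cert cert-pki-ca                                      u,u,u
"""


def needs_peer_trust(nickname):
    """The nickname check applied after a renewed certificate is stored."""
    return nickname in PEER_TRUST_NICKNAMES


def parse_certutil_listing(text):
    """Map nickname -> (ssl, smime, objsign) trust strings from certutil -L."""
    trust = {}
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith("Certificate Nickname")
                or line.startswith("SSL,")):
            continue  # blank line or the two header lines
        m = _LINE_RE.match(line)
        if not m:
            continue  # tolerate anything else certutil may print
        ssl, smime, objsign = m.group("trust").split(",")
        trust[m.group("nick")] = (ssl, smime, objsign)
    return trust


def missing_peer_trust(trust_by_nick):
    """Audit certificates present in the database whose object-signing
    column carries no P flag, sorted so the output is stable."""
    return sorted(
        nick for nick, (_ssl, _smime, objsign) in trust_by_nick.items()
        if needs_peer_trust(nick) and "P" not in objsign
    )


def fix_command(dbdir, nickname):
    """argv that restores peer trust on one certificate (not executed here)."""
    return ["certutil", "-M", "-d", dbdir, "-n", nickname,
            "-t", PEER_TRUST_FLAGS]


def list_trust(dbdir):
    """Run certutil against a real NSS database and parse its output."""
    out = subprocess.run(["certutil", "-L", "-d", dbdir],
                         check=True, capture_output=True, text=True).stdout
    return parse_certutil_listing(out)


if __name__ == "__main__":
    # Offline demonstration on the constructed listing; the path is a placeholder.
    dbdir = "/path/to/nssdb"
    for nick in missing_peer_trust(parse_certutil_listing(SAMPLE_LISTING)):
        print("missing P flag:", nick)
        print("  fix:", " ".join(fix_command(dbdir, nick)))
```

Run against a live database with `list_trust("/etc/pki/pki-tomcat/alias")` (path assumed) in place of the constructed listing; the same parser applies because `certutil -L` prints the trust columns in the same layout for every entry, and the `-M` command it produces is the one-line fix the helper is expected to perform after renewal.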


Metadata Update from @rcritten:
- Issue tagged with: hsm

2 years ago

master:

  • cba3094 Support the certmonger nss-user option
  • e6078c6 Don't generate a cafile on HSM installations
  • 34f28f0 Add token support to installer certificate handling
  • 73d52a6 Only generate kracert.p12 when not installing with HSM
  • e323470 Don't move KRA keys when key backup is disabled
  • f658a26 doc: Add token-password-file to HSM design, set new OID
  • d9efa72 Add LDAP attribute ipaCaHSMConfiguration to store HSM state
  • 82c0b19 Add HSM configuration options to installer scripts
  • a99091a Add attribute ipacahsmconfiguration to the "Read CAs" ACI
  • 7ad3b48 Update SELinux policy to allow certmonger to PKI config files
  • 9362200 Add token support to the renew_ca_cert certmonger helper
  • d0c489e If HSM is configured add the token name to config-show output
  • 0708f60 renew_ca_cert: skip removing non-CA certs, fix nickname
  • b89aa91 renew_ca_cert: set peer trust on the KRA audit certificate
  • 06a8791 tests: helper to copy files from one host to another
  • 36dbc6b ipatests: test software HSM installation with server & replica
  • 6b894f2 After installing a KRA, copy the updated token to other machines
  • 31d66ba Validate the HSM token library path and name during installation
  • c6dd21f Remove caSigningCert from list of certs to renew
  • 87ecca0 Add SELinux subpackage for nCipher nfast HSM support
  • f8798b3 Add SELinux subpackage for Thales Luna HSM support
  • 1ec875c ipatests: test software HSM installation with server & replica
  • b63103c tests: Fix failing test test_testconfig.py with missing token variables
  • c6f2d02 dogtag-ipa-ca-renew-agent-submit: expect certs to be on HSMs
  • 31fda79 Prompt for token password if not provided in replica/ipa-ca-install
  • b9ec2fb KRA: force OAEP for some HSM-based installations
  • ea0bf40 After an HSM replica install ensure all certs are visible
  • bcd8d2d Require certmonger 0.79.17+ for required HSM changes
  • 879a937 Include the HSM tests in the nightlies
  • 6b6c187 Call hsm_validator on KRA installs and validate the HSM password
  • c861ce5 Add SELinux module checking to hsm_validator
  • 6af8577 docs: Add a section on SELinux modules to the HSM design

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

8 months ago

