| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch supports CMC-based system certificate requests.
This patch contains the following:
* The code in CMCAuth (agent-based) to check ssl client auth cert against the CMC signing cert
* The cmc-based system enrollment profiles:
caCMCauditSigningCert.cfg
caCMCcaCert.cfg
caCMCkraStorageCert.cfg
caCMCkraTransportCert.cfg
caCMCocspCert.cfg
caCMCserverCert.cfg
caCMCsubsystemCert.cfg
* new URI's in web.xml as new access points
Usage example can be found here:
http://pki.fedoraproject.org/wiki/PKI_10.4_CMC_Feature_Update_(RFC5272)#Examples_.28System_Certificates.29
|
| |
|
|
|
|
|
| |
This patch provides the feature implementation to allow CA to process pre-signed CMC renewal requests. In the world of CMC, renewal request are full CMC requests that are signed by previously issued signing certificate.
The implementation approach is to use the caFullCMCUserSignedCert with the enhanced profile constraint: UniqueKeyConstraint.
UniqueKeyConstraint has been updated to disallow renewal of same key shared by a revoked certificate. It also saves the origNotAfter of the newest certificate sharing the same key in the request to be used by the RenewGracePeriodConstraint. To not interfere with the existing "renewal by serial" flow, if an existing origNotAfter is found, it is not overwritten.
The profile caFullCMCUserSignedCert.cfg has been updated to have both UniqueKeyConstraint and RenewGracePeriodConstraint. They must be placed in the correct order. By default in the UniqueKeyConstraint the constraint parameter allowSameKeyRenewal=true.
|
| |
|
|
|
|
| |
proof
This patch implements the self-signed CMC requests, where the request is signed by the public key of the underlying request (PKCS#10 or CRMF). The scenario for when this method is used is when there was no existing signing cert for the user has been issued before, and once it is issued, it can be used to sign subsequent cert requests by the same user. The new enrollment profile introduced is : caFullCMCSelfSignedCert.cfg The new option introduced to both CRMFPopClient and PKCS10Client is "-y" which will add the required SubjectKeyIdentifier to the underlying request. When a CMC request is self-signed, no auditSubjectID is available until Identification Proof (v2) is verified, however, the cert subject DN is recorded in log as soon as it was available for additional information. Auditing is adjusted. More will come in the next couple CMC patches.
|
| |
|
|
|
|
|
|
|
|
|
| |
This patch provides implementation that allows user-signed CMC requests
to be processed; The resulting certificate will bear the same subjectDN
as that of the signing cert;
The new uri to access is /ca/ee/ca/profileSubmitUserSignedCMCFull
where the new profile is to be used: caFullCMCUserSignedCert.cfg
which utilizes the new authentication plugin: CMCUserSignedAuth
and new profile default plugin: CMCUserSignedSubjectNameDefault
and new profile constraint plugin: CMCUserSignedSubjectNameConstraint
|
| |
|
|
|
|
|
|
|
|
|
|
| |
appropriate 'pki' man page
This fix will involve the following changes to the source tree.
1. Fixes to the CS.cfg to add two new cert profiles.
2. Make the caDualCert.cfg profile invisible since it has little chance of
working any more in Firefox.
3. Create caSigningUserCert.cfg and caSigningECUserCert.cfg to allow the CLI
to have convenient profiles from which to enroll signing ONLY certificates.
|
| |
|
|
| |
This patch adds support for SHA384withRSA signing algorithm.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
part 2 of: https://fedorahosted.org/pki/ticket/2298 [non-TMS] for key archival/recovery, not to record certain data in ldap and logs
This patch allows one to exclude certain ldap attributes from the enrollment records for crmf requests
(both CRMF, and CMC CRMF). The following are the highlights:
* CRMF Manual approval profile is disabled: caDualCert.cfg
- If excludedLdapAttrs.enabled is true, then this profile will not work, as the crmf requests (by default it is false)
are not written to ldap record for agents to act on
* excludedLdapAttrs.attrs can be used to configure the attribute list to be excluded
* a new CRMF "auto approval" (directory based, needs to be setup) is provided
* if excludedLdapAttrs.enabled is true (in both ca and kra), the following fields are not written to the ldap record in case of CRMF:
(note: the code deliberately use literal strings on purpose for the reason that the exact literal strings need to be spelled out
in excludedLdapAttrs.attrs if the admin chooses to override the default)
"req_x509info",
"publickey",
"req_extensions",
"cert_request",
"req_archive_options",
"req_key"
* Because of the above (possible exclusion of cert requests in record, profiles
that require agent manual approval will no longer function in the case that
excludedLdapAttrs.enabled is true
* a sleepOneMinute() method is added for debugging purpose. It is not called in the final code, but is left there for future debugging purpose
* code was fixed so that in KRA request will display subject name even though the x509info is missing from request
* cmc requests did not have request type in records, so they had to be added for differentiation
The following have been tested:
* CRMF auto enroll
* CRMF manual enroll/approval
* CMC-CRMF enroll
* both CA and KRA internal ldap are examined for correct data exclusion
Note: CRMF could potentially not include key archival option, however, I am not going to differentiate them at the moment. An earlier prototype I had built attempted to do that and the signing cert's record isn't excluded for attrs write while it's CRMF request is the same as that of its encryption cert counterpart within the same request. Due to this factor (multiple cert reqs with the same request blob), I am treating them the same for exclusion.
|
| |
|
|
|
|
|
|
| |
Some certificate profiles have been modified to remove the default
one minute validity delay, allowing the certificate issued with
those profiles to be used immediately.
https://fedorahosted.org/pki/ticket/2304
|
| |
|
|
|
|
| |
This patch changes the relevant CA enrollment admin profiles so that they accept
requests for EC certs. The issue actually not just affected KRA, it also affected
other non-CA subsystems.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Usage:
* under /usr/share/pki/ca/conf, you will find a new file called
serverCert.profile.exampleWithSANpattern
* copy existing serverCert.profile away and replace with
serverCert.profile.exampleWithSANpattern
* edit serverCert.profile.exampleWithSANpattern
- follow the instruction right above 8.default.
- save and quit
* cd /usr/share/pki/ca/profiles/ca , edit caInternalAuthServerCert.cfg
- follow the instruction right above policyset.serverCertSet.9
- save and quit
* save away and edit the ca config file for pkispawn: (note: you can
add multiple SAN's delimited by ',' for pki_san_server_cert
- add the following lines, e.g.
pki_san_inject=True
pki_san_server_cert=host1.Example.com
- do the same pkispawn cfg changes for kra or any other instances
that you plan on creating
* create your instance(s)
check the sl sever cert, it should contain something like the
following:
Identifier: Subject Alternative Name - 2.5.29.17
Critical: no
Value:
DNSName: host1.Example.com
|
| | |
|
| |
|
|
|
|
| |
TPS-rewrite effort):
http://pki.fedoraproject.org/wiki/TPS_-_New_Recovery_Option:_External_Registration_DS
|
| |
|
|
|
|
|
|
| |
This patch provides authentication plugin avoiding anonymous access.
Steps to use the plugin:
https://wiki.idm.lab.bos.redhat.com/export/idmwiki/New_Directory_Authentication_Plugin
BZ 861467/ Trac #348.
|
| |
|
|
|
| |
Should now be SHA256 by default.
Bugzilla BZ 1024445
|
| |
|
|
| |
* TRAC Ticket #667 - provide option for ca-less drm install
|
| |
|
|
|
|
| |
This patch provides new profile to support CA cross signing enrollment.
Ticket #681
|
| |
|
|
|
|
| |
This patch adds new directory and pin profile.
Bug: 961522
|
| | |
|
| | |
|
| |
|
|
| |
Trac Ticket #466
|
| |
|
|
|
| |
* TRAC Ticket #333 - Increase audit cert renewal range to 2 years
* Bugzilla Bug #843979 - Increase audit cert renewal range to 2 years
|
| |
|
|
|
|
| |
This patch adds ECC directory enrollment profile.
Bug: 748514.
|
|
|
Previously the source code was located inside a pki folder.
This folder was created during svn migration and is no longer
needed. This folder has now been removed and the contents have
been moved up one level.
Ticket #131
|
