
Admin certificate (ca_admin_cert.p12) not updated correctly in multiple CA installations #4936

Closed
PsOverflow opened this issue Jan 24, 2025 · 1 comment
Labels: Bug (Bug fixes), downstream (Same issue identified in downstream automation and needs triage), regression (Regression bug. Introduced due to changes in unrelated code)

PsOverflow (Contributor) wrote:

Issue: Admin certificate (ca_admin_cert.p12) not updated correctly in multiple CA installations

Affected Version:
OS: Fedora-41
Build: @pki/master
pki-11.6.0-0.3.alpha3.20250123224917UTC.2f8e9573.fc41.src.rpm

Steps to reproduce:

  1. Install CA:
Tomcat:
  Instance [pki-tomcat]: 
  HTTP port [8080]: 
  Secure HTTP port [8443]: 
  AJP port [8009]: 
  Management port [8005]: 

Administrator:
  Username [caadmin]: 
  Password: 
  Verify password: 
  Import certificate (Yes/No) [N]? 
  Export certificate to [/root/.dogtag/pki-tomcat/ca_admin.cert]: 

Directory Server:
  Hostname [pki1.example.com]: 
  Use a secure LDAPS connection (Yes/No/Quit) [N]? 
  LDAP Port [389]: 
  Bind DN [cn=Directory Manager]: 
  Password: 
  Password: 
  Base DN [o=pki-tomcat-CA]: 

Security Domain:
  Name [example.com Security Domain]: 

Begin installation (Yes/No/Quit)? yes
  2. Note the timestamp of the generated ca_admin_cert.p12 file:
# ls -l /root/.dogtag/pki-tomcat/ca_admin_cert.p12
-rw-------. 1 root root 2988 Jan 24 08:07 /root/.dogtag/pki-tomcat/ca_admin_cert.p12
  3. Uninstall the CA:
# pkidestroy -s CA -i pki-tomcat --remove-logs --remove-conf --force
Loading deployment configuration from /var/lib/pki/pki-tomcat/ca/registry/ca/deployment.cfg.
WARNING: The 'pki_ds_hostname' in [CA] has been deprecated. Use 'pki_ds_url' instead.
WARNING: The 'pki_ds_ldap_port' in [CA] has been deprecated. Use 'pki_ds_url' instead.
Uninstalling CA from /var/lib/pki/pki-tomcat.

Uninstallation complete.
  4. The admin certificate is not removed; it is still there at the same path:
# ls -l /root/.dogtag/pki-tomcat/ca_admin_cert.p12
-rw-------. 1 root root 2988 Jan 24 08:07 /root/.dogtag/pki-tomcat/ca_admin_cert.p12
  5. Re-install the CA:
Tomcat:
  Instance [pki-tomcat]: 
  HTTP port [8080]: 
  Secure HTTP port [8443]: 
  AJP port [8009]: 
  Management port [8005]: 

Administrator:
  Username [caadmin]: 
  Password: 
  Verify password: 
  Import certificate (Yes/No) [N]? 
  Export certificate to [/root/.dogtag/pki-tomcat/ca_admin.cert]: 

Directory Server:
  Hostname [pki1.example.com]: 
  Use a secure LDAPS connection (Yes/No/Quit) [N]? 
  LDAP Port [389]: 
  Bind DN [cn=Directory Manager]: 
  Password: 
  Base DN [o=pki-tomcat-CA]: 
  Base DN already exists. Overwrite (Yes/No/Quit)? yes

Security Domain:
  Name [example.com Security Domain]: 

Begin installation (Yes/No/Quit)? yes

Installing CA into /var/lib/pki/pki-tomcat.
  6. Even with the new installation, the admin certificate is not updated:
# ls -l /root/.dogtag/pki-tomcat/ca_admin_cert.p12
-rw-------. 1 root root 2988 Jan 24 08:07 /root/.dogtag/pki-tomcat/ca_admin_cert.p12

Expected Result:

When deploying multiple CA instances, the admin certificate should be properly updated or generated anew.

@PsOverflow PsOverflow added Bug Bug fixes regression Regression bug. Introduced due to changes in unrelated code downstream Same issue identified in downstream automation and needs triage labels Jan 24, 2025
edewata added a commit to edewata/pki that referenced this issue Feb 5, 2025
Normally when installing a CA the admin cert will be stored in
~/.dogtag/<instance>/ca_admin_cert.p12. If the CA is removed
the file is not automatically removed since it's owned by the
admin user and might be used again in the future.

Previously, if the CA was reinstalled with a new CA signing cert
pkispawn would import the ca_admin_cert.p12 if it exists, but the
admin cert would be unusable since it's issued by the old CA.

To address the problem pkispawn has been modified to validate
the provided admin cert and halt the installation if the cert is
invalid (e.g. issued by unknown CA). The admin user will be
responsible to remove the invalid cert then run pkispawn again.

The test for installing CA with existing config has been updated
to reinstall the CA with new system certs but with an old admin
cert in ca_admin_cert.p12 (which should fail), remove the old
admin cert, then reinstall the CA again so it will generate a
new admin cert (which should work).

Resolves: dogtagpki#4936
edewata added a commit to edewata/pki that referenced this issue Feb 5, 2025
Normally when installing a CA the admin cert will be stored in
~/.dogtag/<instance>/ca_admin_cert.p12. If the CA is removed
the file is not automatically removed since it's owned by the
admin user and might be used again in the future.

Previously, if the CA was reinstalled with a new CA signing cert
pkispawn would import the ca_admin_cert.p12 if it exists, but the
admin cert would be unusable since it's issued by the old CA.

To address the problem the admin user will be required to remove
the invalid cert then run pkispawn again.

The test for installing CA with existing config has been updated
to reinstall the CA with new system certs but with an old admin
cert in ca_admin_cert.p12 (which should fail), remove the old
admin cert, then reinstall the CA again so it will generate a
new admin cert (which should work).

Resolves: dogtagpki#4936
@edewata edewata self-assigned this Feb 7, 2025
edewata (Contributor) commented Feb 7, 2025:

In general pkispawn should not automatically remove/replace any file under the user's home directory, including /root/.dogtag/pki-tomcat/ca_admin_cert.p12, since the user might still need it for other purposes. So pkispawn has been changed to validate the admin cert specified in the PKCS #12 file. If it is issued by the CA being installed (e.g. installing a CA with existing certs) then the admin cert will be imported and the installation will continue as usual. If it is not issued by the CA being installed (e.g. wrong path in the pki_client_admin_cert_p12 param, or left over from a previous installation) pkispawn will fail with a message like this:

...
ERROR: Invalid certificate: Unable to validate certificate signature: CN=PKI Administrator,[email protected],OU=localhost,O=EXAMPLE

Installation failed: Invalid/obsolete admin certificate in /root/.dogtag/localhost/ca_admin_cert.p12

The user is expected to provide the path to the correct admin cert (if available) or remove the file so pkispawn will create a new one.

This was addressed in the following PRs:

Fixed in master branch (PKI 11.6):

@edewata edewata closed this as completed Feb 7, 2025
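The check edewata describes above (accept the admin cert only if it chains to the signing cert of the CA being installed, otherwise halt) replayed as an added example in Go. This is not pkispawn's own code (pkispawn is Python and reads the cert out of the PKCS #12 file); the example skips the PKCS #12 unpacking and works on in-memory certificates it constructs itself: an "old" CA, a "reinstalled" CA with the same subject name but a fresh key, and an admin cert issued by the old CA. The subject names, serial numbers, and the function names newCA, issueAdminCert, ValidateAdminCert and StaleAdminCertScenario are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed subject names (assumptions for this example). On a real reinstall
// the new CA signing cert keeps the old subject; only the key pair changes.
var (
	caSubject    = pkix.Name{CommonName: "CA Signing Certificate", Organization: []string{"EXAMPLE"}}
	adminSubject = pkix.Name{CommonName: "PKI Administrator", OrganizationalUnit: []string{"localhost"}, Organization: []string{"EXAMPLE"}}
)

// newCA generates a self-signed CA signing certificate with a fresh key,
// standing in for the cert a single pkispawn run would create.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, big.NewInt(1<<62))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               caSubject,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueAdminCert has the given CA issue a client-auth admin certificate,
// the role of the cert stored in ca_admin_cert.p12.
func issueAdminCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(6), // constructed serial
		Subject:      adminSubject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ValidateAdminCert is the gate: the admin cert must chain to the signing cert
// of the CA being installed. A cert from a wrong file or a previous install
// fails the signature check and must stop the installation, not be imported.
func ValidateAdminCert(admin, caSigning *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(caSigning)
	_, err := admin.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return fmt.Errorf("Invalid certificate: Unable to validate certificate signature: %s: %w", admin.Subject, err)
	}
	return nil
}

// StaleAdminCertScenario replays the reproducer: an admin cert issued by the
// first CA is checked against that CA and against a reinstalled CA (same
// subject, new key). Returns whether each check passed.
func StaleAdminCertScenario() (acceptedByOldCA bool, acceptedByNewCA bool, err error) {
	oldCA, oldKey, err := newCA()
	if err != nil {
		return false, false, err
	}
	reinstalledCA, _, err := newCA()
	if err != nil {
		return false, false, err
	}
	admin, err := issueAdminCert(oldCA, oldKey)
	if err != nil {
		return false, false, err
	}
	return ValidateAdminCert(admin, oldCA) == nil, ValidateAdminCert(admin, reinstalledCA) == nil, nil
}

func main() {
	oldOK, newOK, err := StaleAdminCertScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("accepted by issuing CA: %v, accepted by reinstalled CA: %v\n", oldOK, newOK)
}
```

The same check at the command line, for an admin who wants to know before running pkispawn whether a leftover ca_admin_cert.p12 still matches the CA: extract the client cert with `openssl pkcs12 -in ca_admin_cert.p12 -nokeys -clcerts` and run `openssl verify -CAfile` against the current CA signing cert; a stale file fails the signature check exactly as in the error above.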