SilleBille / pki

Dogtag PKI Issues should be reported to the Dogtag PKI Pagure Issues site
https://pagure.io/dogtagpki/issues
GNU General Public License v2.0
1 stars 1 forks source link

Dogtag Duplicates Audit and CA certificates in NSS DB when using HSM #503

Closed SilleBille closed 4 years ago

SilleBille commented 5 years ago

This issue was migrated from Pagure Issue #3105.Originally filed by magnuskkarlsson on 2019-08-22

Installed Dogtag 10.7.0-1.fc30 with SoftHSM and disabled p11-kit. And with bug fix https://pagure.io/dogtagpki/issue/3093 https://github.com/dogtagpki/pki/pull/203/commits/7ce31807907416f681af9cbd0f1007bb3f1b41e8

And with the following configuration file

$ vi /root/dogtag-ca-softhsm.cfg

[DEFAULT] pki_server_database_password=redhat123

pki_hsm_enable=True pki_hsm_libfile=/usr/lib64/pkcs11/libsofthsm2.so pki_hsm_modulename=softhsm pki_token_name=Dogtag pki_token_password=redhat123

[CA] pki_admin_email=caadminexample.com pki_admin_name=caadmin pki_admin_nickname=caadmin pki_admin_password=redhat123 pki_admin_uid=caadmin

pki_client_database_password=redhat123 pki_client_database_purge=False pki_client_pkcs12_password=redhat123

pki_ds_hostname=dogtag-10.7.0-hsm.magnuskkarlsson.local pki_ds_ldap_port=389 pki_ds_bind_dn=cn=Directory Manager pki_ds_password=redhat123 pki_ds_base_dn=o=pki-tomcat-CA

pki_security_domain_name=EXAMPLE

pki_ca_signing_token=Dogtag pki_ca_signing_nickname=ca_signing pki_ocsp_signing_token=Dogtag pki_ocsp_signing_nickname=ca_ocsp_signing pki_audit_signing_token=Dogtag pki_audit_signing_nickname=ca_audit_signing pki_ssl_server_token=internal pki_sslserver_token=internal pki_sslserver_nickname=sslserver pki_subsystem_token=Dogtag pki_subsystem_nickname=subsystem

$ pkispawn -f /root/dogtag-ca-softhsm.cfg -s CA

But the Audit and CA certificate is duplicated, both in Internal and HSM Token NSS DB. The private key for the above is not duplicated.

$ certutil -L -d /var/lib/pki/pki-tomcat/alias -h all -f password.txt

Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI

sslserver u,u,u ca_audit_signing u,u,Pu ca_signing CTu,Cu,Cu Dogtag:ca_signing CTu,Cu,Cu Dogtag:ca_audit_signing u,u,Pu Dogtag:ca_ocsp_signing u,u,u Dogtag:subsystem u,u,u

This will be a problem when adding certmonger monitoring in FreeIPA, because certmonger will not update both certificates.

For details see attached installation file. InstallingDogtagWithSoftHSM-FINAL.txt

SilleBille commented 5 years ago

Posted by magnuskkarlsson on 2019-08-23:

A quick workaround would of course be to delete the Audit and CA certificate in the internal NSS DB, but does anyone knew the reason for why they are duplicated and is those 2 internal used in anyway?

$ certutil -D -d /etc/pki/pki-tomcat/alias -n 'ca_audit_signing' $ certutil -D -d /etc/pki/pki-tomcat/alias -n 'ca_signing'

$ egrep "ca.cert.signing|ca.signing" /etc/pki/pki-tomcat/ca/CS.cfg ca.cert.signing.certusage=SSLCA ca.cert.signing.nickname=Dogtag:caSigningCert cert-pki-ca ca.signing.cacertnickname=caSigningCert cert-pki-ca ca.signing.cert=MIIEqTCCA... ca.signing.certnickname=caSigningCert cert-pki-ca ca.signing.certreq=MIIDtzCCA... ca.signing.defaultSigningAlgorithm=SHA256withRSA ca.signing.newNickname=Dogtag:caSigningCert cert-pki-ca ca.signing.nickname=caSigningCert cert-pki-ca ca.signing.tokenname=Dogtag

CS.cfg