Open pki-bot opened 4 years ago
Comment from mharmsen (@mharmsen) at 2016-05-24 22:56:04
PKI TRAC Ticket 1645 - Consider better default values for certificate nicknames was marked as a duplicate of this ticket:
[DEFAULT]
pki_ssl_server_nickname=Server-Cert cert-%(pki_instance_name)s
pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s
...
[CA]
pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_name)s CA
pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_name)s CA
pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s CA
[KRA]
pki_storage_nickname=storageCert cert-%(pki_instance_name)s KRA
pki_transport_nickname=transportCert cert-%(pki_instance_name)s KRA
pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s KRA
[OCSP]
pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_name)s OCSP
pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s OCSP
[TKS]
pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s TKS
[TPS]
pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s TPS
Comment from nkinder (@nkinder) at 2016-06-02 21:25:31
FreeIPA is currently dependent on the certificate nickname format that we use. We should not change this until FreeIPA has made changes so we don't break them if we change our defaults. This could be as easy as having IPA explicitly set the old nickname format in the deployment file it uses instead of using our defaults. A ticket should be filed for this in the FreeIPA trac instance.
Comment from mharmsen (@mharmsen) at 2016-06-03 01:47:24
Changes are currently under test.
The following shows the results of placing a CA, KRA, OCSP, TKS, and TPS inside a shared PKI instance:
NEW NICKNAMES of a CA, KRA, OCSP, TKS, TPS SHARED INSTANCE:
# certutil -d . -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
CA Signing Certificate for pki-tomcat CA CTu,Cu,Cu
Server Certificate for pki-tomcat u,u,u
Audit Signing Certificate for pki-tomcat CA u,u,Pu
Storage Certificate for pki-tomcat KRA u,u,u
OCSP Signing Certificate for pki-tomcat OCSP CTu,Cu,Cu
Audit Signing Certificate for pki-tomcat TKS u,u,Pu
OCSP Signing Certificate for pki-tomcat CA u,u,u
Subsystem Certificate for pki-tomcat u,u,u
Transport Certificate for pki-tomcat KRA u,u,u
Audit Signing Certificate for pki-tomcat KRA u,u,Pu
Audit Signing Certificate for pki-tomcat OCSP u,u,Pu
Audit Signing Certificate for pki-tomcat TPS u,u,Pu
Alternatively, the following shows the results of placing a CA, KRA, OCSP, TKS, and TPS inside separated PKI instances:
NEW NICKNAMES of a CA SEPARATED INSTANCE:
# certutil -d . -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
CA Signing Certificate for pki-ca CA CTu,Cu,Cu
Server Certificate for pki-ca u,u,u
Audit Signing Certificate for pki-ca CA u,u,Pu
OCSP Signing Certificate for pki-ca CA u,u,u
Subsystem Certificate for pki-ca u,u,u
NEW NICKNAMES of a KRA SEPARATED INSTANCE:
# certutil -d . -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
CA Signing Certificate - example.com Security Domain CT,c,
Storage Certificate for pki-kra KRA u,u,u
Subsystem Certificate for pki-kra u,u,u
Transport Certificate for pki-kra KRA u,u,u
Server Certificate for pki-kra u,u,u
Audit Signing Certificate for pki-kra KRA u,u,Pu
NEW NICKNAMES of an OCSP SEPARATED INSTANCE:
# certutil -d . -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
CA Signing Certificate - example.com Security Domain CT,c,
Server Certificate for pki-ocsp u,u,u
Audit Signing Certificate for pki-ocsp OCSP u,u,Pu
OCSP Signing Certificate for pki-ocsp OCSP CTu,Cu,Cu
Subsystem Certificate for pki-ocsp u,u,u
NOTE: Was not automatically connected to separated CA!
Filed PKI TRAC Ticket 2348 - Separated OCSP instance does not automatically bind to its remote CA
NEW NICKNAMES of a TKS SEPARATED INSTANCE:
# certutil -d . -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
CA Signing Certificate - example.com Security Domain CT,c,
Server Certificate for pki-tks u,u,u
Audit Signing Certificate for pki-tks TKS u,u,Pu
Subsystem Certificate for pki-tks u,u,u
NEW NICKNAMES of a TPS SEPARATED INSTANCE:
# certutil -d . -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
CA Signing Certificate - example.com Security Domain CT,c,
Server Certificate for pki-tps u,u,u
Audit Signing Certificate for pki-tps TPS u,u,Pu
Subsystem Certificate for pki-tps u,u,u
NOTE: The shared secret from the separated TKS was not automatically imported into the separated TPS security databases!
Filed PKI TRAC Ticket 2349 - Separated TPS does not automatically import shared secret from remote TKS
For reference, the following pkispawn override configuration files were utilized to produce the separated PKI instances:
PKISPAWN CONFIGURATION OVERRIDE file for a CA:
[DEFAULT]
pki_admin_password=Secret123
pki_client_pkcs12_password=Secret123
pki_ds_password=Secret123
# Optionally keep client databases
pki_client_database_purge=False
# Separated CA instance name and ports
pki_instance_name=pki-ca
pki_http_port=18080
pki_https_port=18443
# Separated CA instance will be its own security domain
pki_security_domain_https_port=18443
[Tomcat]
# Separated CA Tomcat ports
pki_ajp_port=18009
pki_tomcat_server_port=18005
PKISPAWN CONFIGURATION OVERRIDE file for a KRA:
[DEFAULT]
pki_admin_password=Secret123
pki_client_database_password=Secret123
pki_client_pkcs12_password=Secret123
pki_ds_password=Secret123
pki_security_domain_password=Secret123
# Optionally keep client databases
pki_client_database_purge=False
# Separated KRA instance name and ports
pki_instance_name=pki-kra
pki_http_port=28080
pki_https_port=28443
# Separated KRA instance security domain references
pki_issuing_ca=https://pki.example.com:18443
pki_security_domain_hostname=pki.example.com
pki_security_domain_https_port=18443
pki_security_domain_user=caadmin
[Tomcat]
# Separated KRA Tomcat ports
pki_ajp_port=28009
pki_tomcat_server_port=28005
[KRA]
# Separated KRA instance requires its own PKI Administrator Certificate
pki_import_admin_cert=False
PKISPAWN CONFIGURATION OVERRIDE file for an OCSP:
[DEFAULT]
pki_admin_password=Secret123
pki_client_database_password=Secret123
pki_client_pkcs12_password=Secret123
pki_ds_password=Secret123
pki_security_domain_password=Secret123
# Optionally keep client databases
pki_client_database_purge=False
# Separated OCSP instance name and ports
pki_instance_name=pki-ocsp
pki_http_port=29080
pki_https_port=29443
# Separated OCSP instance security domain references
pki_issuing_ca=https://pki.example.com:18443
pki_security_domain_hostname=pki.example.com
pki_security_domain_https_port=18443
pki_security_domain_user=caadmin
[Tomcat]
# Separated OCSP Tomcat ports
pki_ajp_port=29009
pki_tomcat_server_port=29005
[OCSP]
# Separated OCSP instance requires its own PKI Administrator Certificate
pki_import_admin_cert=False
PKISPAWN CONFIGURATION OVERRIDE file for a TKS:
[DEFAULT]
pki_admin_password=Secret123
pki_client_database_password=Secret123
pki_client_pkcs12_password=Secret123
pki_ds_password=Secret123
pki_security_domain_password=Secret123
# Optionally keep client databases
pki_client_database_purge=False
# Separated TKS instance name and ports
pki_instance_name=pki-tks
pki_http_port=30080
pki_https_port=30443
# Separated TKS instance security domain references
pki_issuing_ca=https://pki.example.com:18443
pki_security_domain_hostname=pki.example.com
pki_security_domain_https_port=18443
pki_security_domain_user=caadmin
[Tomcat]
# Separated TKS Tomcat ports
pki_ajp_port=30009
pki_tomcat_server_port=30005
[TKS]
# Separated TKS instance requires its own PKI Administrator Certificate
pki_import_admin_cert=False
PKISPAWN CONFIGURATION OVERRIDE file for a TPS:
[DEFAULT]
pki_admin_password=Secret123
pki_client_database_password=Secret123
pki_client_pkcs12_password=Secret123
pki_ds_password=Secret123
pki_security_domain_password=Secret123
# Optionally keep client databases
pki_client_database_purge=False
# Separated TPS instance name and ports
pki_instance_name=pki-tps
pki_http_port=31080
pki_https_port=31443
# Separated TPS instance security domain references
pki_issuing_ca=https://pki.example.com:18443
pki_security_domain_hostname=pki.example.com
pki_security_domain_https_port=18443
pki_security_domain_user=caadmin
[Tomcat]
# Separated TPS Tomcat ports
pki_ajp_port=31009
pki_tomcat_server_port=31005
[TPS]
# Separated TPS instance requires specifying a remote CA
pki_ca_uri=https://pki.example.com:18443
# Separated TPS instance optionally utilizes a remote KRA for server-side keygen
pki_kra_uri=https://pki.example.com:28443
pki_enable_server_side_keygen=True
pki_authdb_basedn=dc=example,dc=com
# Separated TPS instance requires specifying a remote TKS
pki_tks_uri=https://pki.example.com:30443
pki_import_shared_secret=True
# Separated TPS instance requires its own PKI Administrator Certificate
pki_import_admin_cert=False
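The two things this thread keeps comparing are the legacy `%(pki_instance_name)s` nickname templates from the first comment and the `certutil -d . -L` listings above. The following is an added example, not Dogtag or FreeIPA code: it expands the templates the way a ConfigParser-based deployment file does (with `[DEFAULT]` values assumed for a `pki-tomcat` instance in `example.com`), parses a constructed certutil listing in the new nickname style, and flags trust attributes that look wrong for each certificate role. The trust expectations encoded in `audit_trust` are this example's own assumptions, not a rule stated in the ticket.

```python
import configparser
import re

# Constructed sample: the legacy pkispawn nickname templates quoted in this
# ticket, plus the [DEFAULT] values a deployment would supply (assumed here).
LEGACY_TEMPLATES = """
[DEFAULT]
pki_instance_name=pki-tomcat
pki_dns_domainname=example.com
pki_ssl_server_nickname=Server-Cert cert-%(pki_instance_name)s
pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s
[CA]
pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_name)s CA
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s CA
pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
"""

# Constructed sample of `certutil -d . -L` output using the new nicknames.
CERTUTIL_LISTING = """\
Certificate Nickname                            Trust Attributes
                                                SSL,S/MIME,JAR/XPI
CA Signing Certificate for pki-tomcat CA        CTu,Cu,Cu
Server Certificate for pki-tomcat               u,u,u
Audit Signing Certificate for pki-tomcat CA     u,u,Pu
"""

# nickname, whitespace, then the three comma-separated NSS trust slots
TRUST_RE = re.compile(r"^(?P<nick>.+?)\s+(?P<trust>[CTPcpu]*,[CTPcpu]*,[CTPcpu]*)$")

def resolve_nicknames(config_text, section):
    """Expand %(key)s templates as a ConfigParser deployment file does;
    keys from [DEFAULT] are inherited by every subsystem section."""
    cp = configparser.ConfigParser()  # BasicInterpolation is the default
    cp.read_string(config_text)
    return {k: v for k, v in cp.items(section) if k.endswith("_nickname")}

def parse_certutil(listing):
    """Map nickname -> (ssl, smime, jar) trust flags from certutil -L output.
    The two header lines never contain a comma-separated trust triple."""
    certs = {}
    for line in listing.splitlines():
        m = TRUST_RE.match(line.strip())
        if m:
            certs[m.group("nick")] = tuple(m.group("trust").split(","))
    return certs

def audit_trust(certs):
    """Assumed policy: the CA signing cert needs C and T in the SSL slot,
    audit signing certs need P in the object-signing slot, and server or
    subsystem certs must never carry CA trust."""
    findings = []
    for nick, (ssl, _smime, jar) in certs.items():
        if nick.startswith("CA Signing") and not {"C", "T"} <= set(ssl):
            findings.append(f"{nick}: CA signing cert lacks CT trust ({ssl})")
        if nick.startswith(("Server", "Subsystem")) and set(ssl) & {"C", "T"}:
            findings.append(f"{nick}: non-CA cert carries CA trust ({ssl})")
        if nick.startswith("Audit Signing") and "P" not in jar:
            findings.append(f"{nick}: audit signing cert lacks P trust ({jar})")
    return findings
```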
Comment from vakwetu (@vakwetu) at 2016-06-03 16:10:36
As a reference, this change should not affect IPA because IPA does in fact override the defaults in its pkispawn config file.
To wit, in cainstance.py:
config.set("CA", "pki_subsystem_nickname", "subsystemCert cert-pki-ca")
config.set("CA", "pki_ocsp_signing_nickname", "ocspSigningCert cert-pki-ca")
config.set("CA", "pki_ssl_server_nickname", "Server-Cert cert-pki-ca")
config.set("CA", "pki_audit_signing_nickname", "auditSigningCert cert-pki-ca")
config.set("CA", "pki_ca_signing_nickname", "caSigningCert cert-pki-ca")
And in krainstance.py:
# Certificate nicknames
# Note that both the server certs and subsystem certs reuse
# the ca certs.
config.set("KRA", "pki_subsystem_nickname",
           "subsystemCert cert-pki-ca")
config.set("KRA", "pki_ssl_server_nickname",
           "Server-Cert cert-pki-ca")
config.set("KRA", "pki_audit_signing_nickname",
           "auditSigningCert cert-pki-kra")
config.set("KRA", "pki_transport_nickname",
           "transportCert cert-pki-kra")
config.set("KRA", "pki_storage_nickname",
           "storageCert cert-pki-kra")
Comment from vakwetu (@vakwetu) at 2016-06-03 16:14:00
Similarly (for nicknames):
# Certificate nicknames
# Note that both the server certs and subsystem certs reuse
# the ca certs.
config.set("KRA", "pki_subsystem_nickname",
           "subsystemCert cert-pki-ca")
config.set("KRA", "pki_ssl_server_nickname",
           "Server-Cert cert-pki-ca")
config.set("KRA", "pki_audit_signing_nickname",
           "auditSigningCert cert-pki-kra")
config.set("KRA", "pki_transport_nickname",
           "transportCert cert-pki-kra")
config.set("KRA", "pki_storage_nickname",
           "storageCert cert-pki-kra")
and:
# Certificate nicknames
config.set("CA", "pki_subsystem_nickname", "subsystemCert cert-pki-ca")
config.set("CA", "pki_ocsp_signing_nickname", "ocspSigningCert cert-pki-ca")
config.set("CA", "pki_ssl_server_nickname", "Server-Cert cert-pki-ca")
config.set("CA", "pki_audit_signing_nickname", "auditSigningCert cert-pki-ca")
config.set("CA", "pki_ca_signing_nickname", "caSigningCert cert-pki-ca")
Comment from mharmsen (@mharmsen) at 2016-06-03 18:56:56
Initial proposed patch containing revised nicknames 20160602-Fix-default-value-of-pki_cert_chain_nickname.patch
Comment from mharmsen (@mharmsen) at 2016-06-03 19:01:16
Although the attached patch worked successfully for shared and separated Dogtag instances, and a very simple IPA server test, concerns arose during discussion regarding untested issues such as:
As a consequence, it was determined to err on the side of caution, and defer this bug until 10.4.
Comment from edewata (@edewata) at 2017-02-27 13:59:31
Metadata Update from @edewata:
This issue was migrated from Pagure Issue #432. Originally filed by edewata (@edewata) on 2012-12-04 20:39:22:
The current default certificate nicknames are rather cryptic and contain redundant words. Since the nicknames are used to manage certificates and do client authentication via CLI, it's better to use more human-readable nicknames.
Currently the nicknames are defined as follows:
As an example, currently a CA signing certificate nickname will look like the following:
A better nickname would be:
For comparison, the certificate subject DN uses a more user-friendly name:
Note that some applications (e.g. certmonger) might depend on the current nicknames. They need to be modified to be more flexible.