dogtagpki / pki

The Dogtag Certificate System is an enterprise-class Certificate Authority (CA) which supports all aspects of certificate lifecycle management, including key archival, OCSP and smartcard management.
https://www.dogtagpki.org
GNU General Public License v2.0

Dogtag Duplicates Audit and CA certificates in NSS DB when using HSM #3222

Open pki-bot opened 4 years ago

pki-bot commented 4 years ago

This issue was migrated from Pagure Issue #3105. Originally filed by magnuskkarlsson on 2019-08-22 09:07:13:


Installed Dogtag 10.7.0-1.fc30 with SoftHSM and disabled p11-kit. And with bug fix https://pagure.io/dogtagpki/issue/3093 https://github.com/dogtagpki/pki/pull/203/commits/7ce31807907416f681af9cbd0f1007bb3f1b41e8

And with the following configuration file

$ vi /root/dogtag-ca-softhsm.cfg

[DEFAULT]
pki_server_database_password=redhat123

pki_hsm_enable=True
pki_hsm_libfile=/usr/lib64/pkcs11/libsofthsm2.so
pki_hsm_modulename=softhsm
pki_token_name=Dogtag
pki_token_password=redhat123

[CA]
pki_admin_email=caadmin@example.com
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password=redhat123
pki_admin_uid=caadmin

pki_client_database_password=redhat123
pki_client_database_purge=False
pki_client_pkcs12_password=redhat123

pki_ds_hostname=dogtag-10.7.0-hsm.magnuskkarlsson.local
pki_ds_ldap_port=389
pki_ds_bind_dn=cn=Directory Manager
pki_ds_password=redhat123
pki_ds_base_dn=o=pki-tomcat-CA

pki_security_domain_name=EXAMPLE

pki_ca_signing_token=Dogtag
pki_ca_signing_nickname=ca_signing
pki_ocsp_signing_token=Dogtag
pki_ocsp_signing_nickname=ca_ocsp_signing
pki_audit_signing_token=Dogtag
pki_audit_signing_nickname=ca_audit_signing
pki_ssl_server_token=internal
pki_sslserver_token=internal
pki_sslserver_nickname=sslserver
pki_subsystem_token=Dogtag
pki_subsystem_nickname=subsystem

$ pkispawn -f /root/dogtag-ca-softhsm.cfg -s CA

But the Audit and CA certificates are duplicated, both in the Internal and in the HSM Token NSS DB. The private keys for the above are not duplicated.

$ certutil -L -d /var/lib/pki/pki-tomcat/alias -h all -f password.txt

Certificate Nickname                            Trust Attributes
                                                SSL,S/MIME,JAR/XPI

sslserver                                       u,u,u
ca_audit_signing                                u,u,Pu
ca_signing                                      CTu,Cu,Cu
Dogtag:ca_signing                               CTu,Cu,Cu
Dogtag:ca_audit_signing                         u,u,Pu
Dogtag:ca_ocsp_signing                          u,u,u
Dogtag:subsystem                                u,u,u

This will be a problem when adding certmonger monitoring in FreeIPA, because certmonger will not update both certificates.

For details see attached installation file. InstallingDogtagWithSoftHSM-FINAL.txt

pki-bot commented 4 years ago

Comment from magnuskkarlsson at 2019-08-23 03:15:47

A quick workaround would of course be to delete the Audit and CA certificates in the internal NSS DB, but does anyone know the reason why they are duplicated, and are those 2 internal ones used in any way?

$ certutil -D -d /etc/pki/pki-tomcat/alias -n 'ca_audit_signing'
$ certutil -D -d /etc/pki/pki-tomcat/alias -n 'ca_signing'

$ egrep "ca.cert.signing|ca.signing" /etc/pki/pki-tomcat/ca/CS.cfg
ca.cert.signing.certusage=SSLCA
ca.cert.signing.nickname=Dogtag:caSigningCert cert-pki-ca
ca.signing.cacertnickname=caSigningCert cert-pki-ca
ca.signing.cert=MIIEqTCCA...
ca.signing.certnickname=caSigningCert cert-pki-ca
ca.signing.certreq=MIIDtzCCA...
ca.signing.defaultSigningAlgorithm=SHA256withRSA
ca.signing.newNickname=Dogtag:caSigningCert cert-pki-ca
ca.signing.nickname=caSigningCert cert-pki-ca
ca.signing.tokenname=Dogtag

CS.cfg

pki-bot commented 4 years ago

Comment from cheimes (@tiran) at 2019-08-29 10:29:25

Metadata Update from @tiran:

rcritten commented 2 years ago

I believe this is expected. Certificate "trust" is an NSS context that has no equivalent in PKCS#11 so the nickname and trust will appear in the NSS database because that is where it is stored. I don't think this is a bug but it is certainly not obvious and confusing. I'm not sure what, if anything, can be done about it.
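The practical consequence of the explanation above (trust flags live in the internal NSS database, so a token-resident certificate also shows up under its bare nickname) is the certmonger concern raised in the original report: a renewal that updates only the token copy leaves the internal copy stale. The following is an added example, not code from the Dogtag issue or the pki project. It parses the text that `certutil -L -d <dir> -h all` prints, reports nicknames present in both the internal slot and the HSM token, and compares the two copies by SHA-256 fingerprint of the DER inside `certutil -L -n <nick> -a` output. The listing below is constructed to mirror the one in the report (token name "Dogtag", same nicknames and trust flags), and the PEM bodies are placeholder bytes, not real certificates, so that the example runs offline.

```python
"""Spot certificates listed both in the internal NSS slot and on an HSM
token, and check whether the two copies are still the same certificate.

Added example; not part of the Dogtag issue or the pki project. It only
parses text in the shape certutil prints; the sample listing and PEM
blobs are constructed for this example.
"""
import base64
import hashlib
import re
from collections import defaultdict

# Constructed sample of `certutil -L -d <dir> -h all`, mirroring the report.
SAMPLE_LISTING = """\
Certificate Nickname                            Trust Attributes
                                                SSL,S/MIME,JAR/XPI

sslserver                                       u,u,u
ca_audit_signing                                u,u,Pu
ca_signing                                      CTu,Cu,Cu
Dogtag:ca_signing                               CTu,Cu,Cu
Dogtag:ca_audit_signing                         u,u,Pu
Dogtag:ca_ocsp_signing                          u,u,u
Dogtag:subsystem                                u,u,u
"""


def _fake_pem(payload):
    """Constructed stand-in for `certutil -L -n <nick> -a` output.
    The body is placeholder bytes, not a real DER certificate."""
    body = base64.b64encode(payload).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


# Constructed: ca_signing copies agree; the audit cert was renewed on the
# token only, so its internal copy is stale.
SAMPLE_PEMS = {
    "ca_signing": _fake_pem(b"ca-signing-v1"),
    "Dogtag:ca_signing": _fake_pem(b"ca-signing-v1"),
    "ca_audit_signing": _fake_pem(b"audit-v1"),
    "Dogtag:ca_audit_signing": _fake_pem(b"audit-v2"),
}

# Trust column: three comma-separated groups of NSS trust letters.
TRUST_RE = re.compile(r"^[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*$")


def parse_certutil_listing(text):
    """Return (token, nickname, trust) tuples. token is None for the
    internal slot, otherwise the prefix before the first ':'."""
    entries = []
    for line in text.splitlines():
        parts = line.rstrip().rsplit(None, 1)
        if len(parts) != 2 or not TRUST_RE.match(parts[1]):
            continue  # header and separator lines carry no trust column
        qualified, trust = parts
        if ":" in qualified:
            token, name = qualified.split(":", 1)
        else:
            token, name = None, qualified
        entries.append((token, name, trust))
    return entries


def find_duplicates(entries):
    """Nicknames present in more than one slot -> {token: trust}."""
    slots = defaultdict(dict)
    for token, name, trust in entries:
        slots[name][token] = trust
    return {n: s for n, s in slots.items() if len(s) > 1}


def pem_fingerprint(pem):
    """SHA-256 hex digest over the DER bytes inside a PEM CERTIFICATE block."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()


def stale_copies(listing, pems, token_name):
    """Nicknames duplicated between the internal slot and token_name whose
    two copies have different fingerprints (i.e. one was renewed alone)."""
    stale = []
    for name, slots in find_duplicates(parse_certutil_listing(listing)).items():
        if None not in slots or token_name not in slots:
            continue
        internal = pem_fingerprint(pems[name])
        on_token = pem_fingerprint(pems[token_name + ":" + name])
        if internal != on_token:
            stale.append(name)
    return sorted(stale)


if __name__ == "__main__":
    dups = find_duplicates(parse_certutil_listing(SAMPLE_LISTING))
    for name, slots in sorted(dups.items()):
        print(name, {t or "internal": f for t, f in slots.items()})
    print("copies that differ:", stale_copies(SAMPLE_LISTING, SAMPLE_PEMS, "Dogtag"))
```

On a live system the listing would come from `certutil -L -d /var/lib/pki/pki-tomcat/alias -h all -f password.txt` and each PEM from `certutil -L -d <dir> -n '<nick>' -a`; the fingerprint comparison is what tells you whether a renewal reached both the token-qualified and the bare nickname before you act on the internal copy.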