Created attachment 1624294: rootCA_debug_log
Description of problem:
The clone CA's SSL server certificate does not reflect the complete SAN that was inserted: the RootCA's server certificate carries 5 SAN entries, but the clone CA's SSL server certificate shows only 4.
Version-Release number of selected component (if applicable):
pki-ca-10.5.16-5.el7_7.noarch
How reproducible:
Always
Steps to Reproduce:
1. Make SAN changes in /usr/share/pki/ca/conf/rsaServerCert.profile
   1.1 Add 8 so that list=2,4,5,6,7,8
   1.2 Add the SAN params below in the 8th section:
2. Make changes in /usr/share/pki/ca/profiles/ca/caInternalAuthServerCert.cfg
   2.1 input.list=i1,i2,i3
   2.2 policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9
   2.3 Add the SAN params below in the 9th section:
3. Install RootCA with SAN
5. Execute ca-clone-prepare, get the p12 file, then copy it to the clone machine
6. Install the clone with the same SAN changes as on the Master:
7. Installation completes successfully and the SAN is reflected in its server cert.
[root@pki2 ~]# certutil -L -d /var/lib/pki/topology-02-CA-clone/alias/ -n "Server-Cert cert-topology-02-CA-clone"
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 8 (0x8)
        Signature Algorithm: PKCS 1 SHA-512 With RSA Encryption
        Issuer: "CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Fo
            obarmaster.org"
        Validity:
            Not Before: Wed Oct 09 13:01:40 2019
            Not After : Tue Sep 28 13:01:40 2021
        Subject: "CN=pki2.example.com,OU=topology-02-CA-clone,O=topology-02_F
            oobarmaster.org"
        Subject Public Key Info:
            Public Key Algorithm: PKCS 1 RSA Encryption
            RSA Public Key:
                Modulus:
                    d8:3c:67:43:a3:d9:a3:d2:94:a2:97:a1:2e:b2:4f:b0:
                    70:75:57:99:38:15:64:51:1f:54:1e:df:c1:96:ec:f9:
                    01:37:92:e7:69:28:09:44:e3:d2:22:69:d1:cd:36:d5:
                    90:70:e0:04:e3:ed:d8:32:43:ed:68:23:14:ca:5a:74:
                    ae:3d:67:95:12:4c:45:e8:e1:7e:85:71:ef:23:5c:34:
                    d1:4e:ce:4e:02:b4:63:c4:21:f4:b2:c0:16:cb:df:c7:
                    4e:fb:92:a1:6a:5f:d7:fc:39:86:0e:ff:97:5a:c7:65:
                    ce:90:a4:d2:39:12:54:b9:a4:6e:dd:95:dc:a9:79:10:
                    44:27:04:25:8a:33:f7:63:1c:ba:b1:9a:7d:0a:0b:62:
                    bf:17:aa:61:62:46:f6:b3:6a:b1:22:52:c9:3e:c9:88:
                    d1:97:23:9e:26:5e:d6:f4:f8:be:f9:24:c6:e7:f4:63:
                    a7:d8:46:79:6a:1a:3e:88:94:b6:f8:10:2e:c5:76:ef:
                    a4:d8:a8:74:15:90:81:7a:83:69:a6:66:a1:f8:85:36:
                    1b:05:bf:5f:d2:3c:a5:72:b1:22:51:eb:0f:f6:f9:ea:
                    7c:f4:eb:e0:9e:94:f3:21:62:a0:ea:e3:fe:3a:c6:63:
                    58:df:c6:46:80:05:0f:7c:ed:81:2e:0b:ed:4b:49:51
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Authority Key Identifier
            Key ID:
                82:d7:27:7c:3d:bf:57:71:57:9a:e1:b7:4f:2b:d4:64:
                28:aa:f2:79
            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
            Location:
                URI: "http://pki1.example.com:20080/ca/ocsp"
            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Key Encipherment
                    Data Encipherment
            Name: Extended Key Usage
                TLS Web Server Authentication Certificate
                TLS Web Client Authentication Certificate
            Name: Certificate Subject Alt Name
            DNS name: "pki1.example.com"
            DNS name: "redacted_serverb"
            DNS name: "redacted_serverb.domain"
            DNS name: "redacted_servera"
Actual results:
The RootCA server cert has 5 DNS name entries in its SAN, and cloning with the SAN extension succeeds, but the clone CA's SSL server certificate is issued with only 4 DNS name entries in its SAN extension.
Expected results:
The clone CA server cert should carry all 5 DNS name entries, as per the injected SAN.
Proof of concept:
Please find the RootCA debug log and profiles config attached.
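A post-clone verification check for the mismatch described above, added here as an example (not pki-ca code): it parses `certutil -L` text output for the Subject Alt Name extension and reports which DNS names the clone's Server-Cert lacks relative to the master's. The sample output is constructed from the SAN block in this report; PLACEHOLDER-5TH-SAN.example stands in for the fifth name, which the report does not give, and dump_cert assumes certutil is on PATH.

```python
"""Post-clone SAN check: parse `certutil -L` output and report the DNS names
the clone's server cert lacks compared with the master's (added example)."""
import re
import subprocess
from typing import List, Set

SAN_HEADER = "Name: Certificate Subject Alt Name"
DNS_RE = re.compile(r'^\s*DNS name:\s*"([^"]+)"')

def parse_san_dns(certutil_text: str) -> List[str]:
    """DNS names inside the Subject Alt Name extension only: parsing stops at
    the next 'Name:' line, so host-like strings elsewhere (e.g. the AIA OCSP
    URI) are never mistaken for SAN entries."""
    names: List[str] = []
    in_san = False
    for line in certutil_text.splitlines():
        stripped = line.strip()
        if stripped == SAN_HEADER:
            in_san = True
            continue
        if in_san and stripped.startswith("Name:"):
            break  # next extension: the SAN block is over
        if in_san and (m := DNS_RE.match(line)):
            names.append(m.group(1))
    return names

def missing_san(expected: List[str], actual: List[str]) -> Set[str]:
    """DNS names (lower-cased) on the master cert but absent from the clone's."""
    return {n.lower() for n in expected} - {n.lower() for n in actual}

def dump_cert(nssdb: str, nickname: str) -> str:
    """Dump one cert from an NSS database; assumes certutil is on PATH."""
    cmd = ["certutil", "-L", "-d", nssdb, "-n", nickname]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

# Constructed sample: the clone's SAN block as shown in the report, preceded
# by a sibling extension so the parser's block boundaries are exercised.
CLONE_SAMPLE = """\
            Name: Authority Information Access
            Location:
                URI: "http://pki1.example.com:20080/ca/ocsp"
            Name: Certificate Subject Alt Name
            DNS name: "pki1.example.com"
            DNS name: "redacted_serverb"
            DNS name: "redacted_serverb.domain"
            DNS name: "redacted_servera"
"""
# The report redacts the master's fifth DNS name; this is a labelled placeholder.
MASTER_EXPECTED = parse_san_dns(CLONE_SAMPLE) + ["PLACEHOLDER-5TH-SAN.example"]
```

In practice, feed dump_cert() output from the master's and the clone's alias directories to missing_san(); a non-empty result is the defect this report describes.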
This issue was migrated from Pagure Issue #3145. Originally filed by cipherboy (@cipherboy) on 2020-03-15 15:44:04.
Additional info:
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1743122#c16