We read every piece of feedback, and take your input very seriously.
To see all available qualifiers, see our documentation.
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
This issue was migrated from Pagure Issue #1054. Originally filed by mrniranjan (@mrniranjan) on 2014-06-25 11:17:13:
When revoking the certificate using caadmin cert, Agent doesn't correctly display that the cert is revoked by caadmin
We have a automation script which revoked the cert using caadmin certificate. caadmin user cert is imported to /opt/rhqa_pki/certs_db directory
certutil -L -d /opt/rhqa_pki/certs_db/ Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI caSigningCert cert-pki-tomcat CA CT,C,C CA_adminV u,u,u CA_adminE u,u,u CA_agentR u,u,u CA_auditV u,u,u PKI Administrator for lab.eng.pnq.redhat.com u,u,u CA_adminR u,u,u CA_agentV u,u,u CA_agentE u,u,u CA_operatorV u,u,u
[root@dhcp207-176 dogtag]# certutil -L -d /opt/rhqa_pki/certs_db/ -n "PKI Administrator for lab.eng.pnq.redhat.com" | less Certificate: Data: Version: 3 (0x2) Serial Number: 6 (0x6) Signature Algorithm: PKCS 1 SHA-256 With RSA Encryption Issuer: "CN=CA Signing Certificate,O=lab.eng.pnq.redhat.com Security Domain" Validity: Not Before: Thu Jun 19 11:29:11 2014 Not After : Wed Jun 08 11:29:11 2016 Subject: "CN=PKI Administrator,E=caadmin@lab.eng.pnq.redhat.com,O=lab .eng.pnq.redhat.com Security Domain"
Using the caadmin certificate , the automation script revokes the certificate approved by Agent.
As you can seem from the below script output, the script issues command:
pki -d /opt/rhqa_pki/certs_db -c redhat123 -n "PKI Administrator for lab.eng.pnq.redhat.com" cert-revoke 0x23f --force --reason unspecified
:: [ PASS ] :: Running 'pki -d /opt/rhqa_pki/certs_db -c redhat123 -n "PKI Administrator for lab.eng.pnq.redhat.com" cert-revoke 0x23f --force --reason unspecified 1> /tmp/tmp.l1dXRkA7t8/exp_out' (Expected 0, got 0) :: [ PASS ] :: File '/tmp/tmp.l1dXRkA7t8/exp_out' should contain 'Revoked certificate "0x23f"' :: [ PASS ] :: File '/tmp/tmp.l1dXRkA7t8/exp_out' should contain 'Serial Number: 0x23f' :: [ PASS ] :: File '/tmp/tmp.l1dXRkA7t8/exp_out' should contain 'Issuer: CN=CA Signing Certificate,O=lab.eng.pnq.redhat.com Security Domain' :: [ PASS ] :: File '/tmp/tmp.l1dXRkA7t8/exp_out' should contain 'Status: REVOKED' :: [ 05:06:50 ] :: pki cert-find --revokedBy caadmin --minSerialNumber 0x23f ''':: [ PASS ] :: Running 'pki cert-find --revokedBy caadmin --minSerialNumber 0x23f > /tmp/tmp.l1dXRkA7t8/cert_find_info' (Expected 0, got 0)''' :: [ FAIL ] :: File '/tmp/tmp.l1dXRkA7t8/cert_find_info' should contain 'Serial Number: 0x23f' :: [ FAIL ] :: File '/tmp/tmp.l1dXRkA7t8/cert_find_info' should contain 'Subject: UID=pkiuser50848,E=pkiuser50848@example.org,CN=pkiuser50848,OU=Engineering,O=Example.Inc,C=US' :: [ FAIL ] :: File '/tmp/tmp.l1dXRkA7t8/cert_find_info' should contain 'Number of entries' :: [ FAIL ] :: File '/tmp/tmp.l1dXRkA7t8/cert_find_info' should not contain '0 entries found'
From the Agent Page when i view the cert(i.e when i view the certificate details), it displays that the cert was revoked by CA_agentV and not caadmin
Audit log also reports that it was CA_agent who revoked the cert.
0.http-bio-8443-exec-25 - [25/Jun/2014:05:06:42 EDT] [14] [6] [AuditEvent=AUTHZ_SUCCESS][SubjectID=CA_agentV][Outcome=Success][aclResource=certServer.ca.request.profile][Op=approve] authorization success 0.http-bio-8443-exec-25 - [25/Jun/2014:05:06:42 EDT] [14] [6] [AuditEvent=ROLE_ASSUME][SubjectID=CA_agentV][Outcome=Success][Role=Certificate Manager Agents] assume privileged role 0.http-bio-8443-exec-25 - [25/Jun/2014:05:06:43 EDT] [14] [6] [AuditEvent=CERT_REQUEST_PROCESSED][SubjectID=CA_agentV][Outcome=Success][ReqID=761][InfoName=certificate][InfoValue=MIIEMzCCAxugAwIBAgICAj8wDQYJKoZIhvcNAQELBQAwUjEvMC0GA1UECgwmbGFiLmVuZy5wbnEucmVkaGF0LmNvbSBTZWN1cml0eSBEb21haW4xHzAdBgNVBAMMFkNBIFNpZ25pbmcgQ2VydGlmaWNhdGUwHhcNMTQwNjI1MDkwNjQwWhcNMTQxMjIyMDkwNjQwWjCBlzELMAkGA1UEBhMCVVMxFDASBgNVBAoMC0V4YW1wbGUuSW5jMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEVMBMGA1UEAwwMcGtpdXNlcjUwODQ4MScwJQYJKoZIhvcNAQkBFhhwa2l1c2VyNTA4NDhAZXhhbXBsZS5vcmcxHDAaBgoJkiaJk/IsZAEBDAxwa2l1c2VyNTA4NDgwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD97aAH+IuhFPSDBaKUuVdkQ6yUWeePyG5rMeRlIhRmA9XjG1cztbzw5Ry13C/E7cmM1kdUXytP+3Uuj8eHbYenIxZbEsOnQ0tj+PbqxS+g/wCBDdt2FCNVyzwx0mrNh3iLlMSJfVgZIm/b1nX3PpSWVKFksLwQ+8/qnEP5umY7jgtouTjoRdT3Uwu882dqjvGMvARt2jU+KIc+HyNaRGg/0XCj9WNREWJIisICPU/gGLIX8ktYaNtRtSNAIvO4cS4rigSRCv56CFSaIU3rn4EQpHuc1juEh7VzLRWOi7vTh2b8rnci7QqZ6e+cUKhJ4OZBzD3I5xGe8CKnSdgg0+JxAgMBAAGjgcwwgckwHwYDVR0jBBgwFoAUYlkcOUeKcqbOzR5hvSwi5eVCE14wUgYIKwYBBQUHAQEERjBEMEIGCCsGAQUFBzABhjZodHRwOi8vZGhjcDIwNy0xNzYubGFiLmVuZy5wbnEucmVkaGF0LmNvbTo4MDgwL2NhL29jc3AwDgYDVR0PAQH/BAQDAgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDAjBgNVHREEHDAagRhwa2l1c2VyNTA4NDhAZXhhbXBsZS5vcmcwDQYJKoZIhvcNAQELBQADggEBAD4q4VPv8gQ/KPQwbnPEE8LZf81lJ6SE312Ou0EEZaOlNrf31UI+w2AE2im7nDJby65s8+BSDEniibKp1OhWIwOWQr80uIbUTDSuX+qjW2gxDt1y3PcUU0DZVwVX6D/vH99Qmqeajs7JX2XUICPrZsoBkDIZ9T9BmSLBMmZjg0KCs9dVBjeDTvoVLPj69RNdCVF4STitaZLrCW+vu/gANPnHt5+nc6/k+dErWWFqQ4QAOWnFPF0Qd1L402FSc+POok6ENyC/2XD1YlkSXW8pd3Rai2z3LRBIhyINjohZmWipGzEmobGlTGPym7haZ4ELLdPIuhsShRs5DLGnG32MNgY=] certificate request processed 0.http-bio-8443-exec-9 - [25/Jun/2014:05:06:49 EDT] [14] [6] [AuditEvent=CERT_STATUS_CHANGE_REQUEST][SubjectID=CA_agentV][Outcome=Success][ReqID=762][CertSerialNum=0x23f][RequestType=revoke] certificate revocation/unrevocation request made 0.http-bio-8443-exec-9 - [25/Jun/2014:05:06:49 EDT] [14] [6] [AuditEvent=CERT_STATUS_CHANGE_REQUEST_PROCESSED][SubjectID=CA_agentV][Outcome=Success][ReqID=762][CertSerialNum=0x23f][RequestType=revoke][RevokeReasonNum=0][Approval=complete] certificate status change request processed
Expected Result: Since the cert is revoked by caadmin, it should report that caadmin revoked the user and not CA_agentV
The text was updated successfully, but these errors were encountered:
Comment from mrniranjan (@mrniranjan) at 2014-06-25 11:25:56
Also the above is not reproducible every time, It seems to display correctly at times, and at times it doesn't display the right user
Sorry, something went wrong.
Comment from mharmsen (@mharmsen) at 2014-06-30 20:50:11
Per CS/DS meeting of 06/30/2014, proposed Milestone: Dogtag 10.2.1
NOTE: Seems important from an auditing correctness perspective.
Comment from mharmsen (@mharmsen) at 2014-09-24 20:20:32
Per Dogtag 10.2.3 Triage meeting of 09/24/2014 - proposed Milestone: 10.2.2
Comment from mharmsen (@mharmsen) at 2015-02-24 23:43:38
Per 10.2.2 Triage meeting of 02/24/2015: 10.2.3
Comment from edewata (@edewata) at 2015-05-05 21:21:04
Fixed in master:
Comment from mrniranjan (@mrniranjan) at 2017-02-27 14:12:24
Metadata Update from @mrniranjan:
No branches or pull requests
This issue was migrated from Pagure Issue #1054. Originally filed by mrniranjan (@mrniranjan) on 2014-06-25 11:17:13:
When revoking the certificate using caadmin cert, Agent doesn't correctly display that the cert is revoked by caadmin
We have a automation script which revoked the cert using caadmin certificate. caadmin user cert is imported to /opt/rhqa_pki/certs_db directory
Using the caadmin certificate , the automation script revokes the certificate approved by Agent.
As you can seem from the below script output, the script issues command:
pki -d /opt/rhqa_pki/certs_db -c redhat123 -n "PKI Administrator for lab.eng.pnq.redhat.com" cert-revoke 0x23f --force --reason unspecified
From the Agent Page when i view the cert(i.e when i view the certificate details), it displays that the cert was revoked by CA_agentV and not caadmin
Audit log also reports that it was CA_agent who revoked the cert.
Expected Result: Since the cert is revoked by caadmin, it should report that caadmin revoked the user and not CA_agentV
The text was updated successfully, but these errors were encountered: