ipa-healthcheck doesn't support certificates stored in tokens #276

Closed
rcritten opened this issue Jul 28, 2022 · 1 comment · Fixed by #277
@rcritten

For example, the certificate may be visible in the softoken, but because it is stored in a PKCS#11 token the softoken lacks the private key:

{
  "source": "ipahealthcheck.ipa.certs",
  "check": "IPACertNSSTrust",
  "result": "ERROR",
  "uuid": "1568211a-4276-4c49-a41c-b71853027609",
  "when": "20220728182829Z",
  "duration": "0.262080",
  "kw": {
    "key": "subsystemCert cert-pki-ca",
    "expected": "u,u,u",
    "got": ",,",
    "nickname": "subsystemCert cert-pki-ca",
    "dbdir": "/etc/pki/pki-tomcat/alias",
    "msg": "Incorrect NSS trust for {nickname} in {dbdir}. Got {got} expected {expected}."
  }
}

@rcritten

Here it used the NSS Certificate DB token, which doesn't have the private key, hence the false positive.

@rcritten rcritten self-assigned this Sep 29, 2022
rcritten pushed a commit to rcritten/freeipa-healthcheck that referenced this issue Sep 29, 2022
dogtagpki supports storing its subsystem and CA certificates on
an HSM. Look up the token name and password in the NSS db
password file. If a token exists then include that in the lookup
and expect (require) the CA, audit, ocsp and subsystem
certificates to be there. If a KRA is also configured then those
certificates will be in the HSM as well.

PKI supports mixing and matching but for now this only supports
a simplistic one HSM or no HSM.

This requires an update to IPA where certificates can be
looked up by token. At this point HSM is not yet supported in
IPA but once it is then this will just work.

Fixes: freeipa#276

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
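The following is an added illustration of the lookup described in this commit message and of the false positive reported above; it is not freeipa-healthcheck's own code. It assumes a Dogtag-style password file with a `hardware-<token>=` entry for the HSM, a `certutil -L` listing for the softoken and for the token (with the token name prefixed to nicknames), and constructed sample data for both.

```python
import re
# Constructed Dogtag-style NSS password file; the "hardware-<token>=" key
# for HSM entries is an assumption, "internal" is the softoken entry.
PASSWORD_CONF = "internal=softoken-pw\nhardware-HSM-TOKEN=hsm-pin\n"

# Constructed `certutil -L` output: the softoken shows the HSM-held subsystem
# cert with empty trust flags (no private key there); the token listing
# prefixes the nickname with the token name (assumed certutil format).
SOFTOKEN_LISTING = """Certificate Nickname                 Trust Attributes
caSigningCert cert-pki-ca            CTu,Cu,Cu
subsystemCert cert-pki-ca            ,,
"""
TOKEN_LISTING = "HSM-TOKEN:subsystemCert cert-pki-ca  u,u,u\n"

EXPECTED = {"caSigningCert cert-pki-ca": "CTu,Cu,Cu",
            "subsystemCert cert-pki-ca": "u,u,u"}
HSM_CERTS = {"subsystemCert cert-pki-ca"}  # live in the token when one exists

def hsm_token(password_conf):
    """Return the token name from the first 'hardware-<token>=' line, else None."""
    for line in password_conf.splitlines():
        key, sep, _ = line.partition("=")
        if sep and key.startswith("hardware-"):
            return key[len("hardware-"):]
    return None

def parse_listing(listing, token=None):
    """Map nickname -> trust flags from certutil -L text, dropping 'token:'."""
    flags = {}
    for line in listing.splitlines():
        m = re.match(r"^(\S.*?)\s{2,}([CTcPpu]*,[CTcPpu]*,[CTcPpu]*)$", line)
        if m:
            nick = m.group(1)
            if token and nick.startswith(token + ":"):
                nick = nick[len(token) + 1:]
            flags[nick] = m.group(2)
    return flags

def check_trust(password_conf, softoken_out, token_out):
    """Report trust mismatches; HSM-resident certs are checked in the token."""
    token = hsm_token(password_conf)
    soft = parse_listing(softoken_out)
    tok = parse_listing(token_out, token) if token else {}
    errors = []
    for nick, want in EXPECTED.items():
        in_hsm = token is not None and nick in HSM_CERTS
        got = (tok if in_hsm else soft).get(nick)
        if got != want:
            where = token if in_hsm else "softoken"
            errors.append(f"{nick} in {where}: got {got!r} expected {want!r}")
    return errors
```

Running `check_trust` with a password file that names no token reproduces the reported `,,` versus `u,u,u` error; with the `hardware-` entry present the subsystem cert is looked up in the token and the check passes.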
rcritten added a commit to rcritten/freeipa-healthcheck that referenced this issue Sep 30, 2022
dogtagpki supports storing its subsystem and CA certificates on
an HSM. Look up the token name and password in the NSS db
password file. If a token exists then include that in the lookup
and expect (require) the CA, audit, ocsp and subsystem
certificates to be there. If a KRA is also configured then those
certificates will be in the HSM as well.

PKI supports mixing and matching but for now this only supports
a simplistic one HSM or no HSM.

This requires an update to IPA where certificates can be
looked up by token. At this point HSM is not yet supported in
IPA but once it is then this will just work.

Fixes: freeipa#276

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
rcritten added a commit to rcritten/freeipa-healthcheck that referenced this issue Nov 18, 2022
dogtagpki supports storing its subsystem and CA certificates on
an HSM. Look up the token name and password in the NSS db
password file. If a token exists then include that in the lookup
and expect (require) the CA, audit, ocsp and subsystem
certificates to be there. If a KRA is also configured then those
certificates will be in the HSM as well.

PKI supports mixing and matching but for now this only supports
a simplistic one HSM or no HSM.

This supports the existing IPA CertDB and NSSDatabase APIs
as well as IPA 4.9.x.

Fixes: freeipa#276

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
rcritten added a commit to rcritten/freeipa-healthcheck that referenced this issue Nov 18, 2022
This required changes to the mock CAInstance to support
the HSM properties in DogtagInstance.

Fixes: freeipa#276

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
rcritten added a commit that referenced this issue Dec 1, 2022
dogtagpki supports storing its subsystem and CA certificates on
an HSM. Look up the token name and password in the NSS db
password file. If a token exists then include that in the lookup
and expect (require) the CA, audit, ocsp and subsystem
certificates to be there. If a KRA is also configured then those
certificates will be in the HSM as well.

PKI supports mixing and matching but for now this only supports
a simplistic one HSM or no HSM.

This supports the existing IPA CertDB and NSSDatabase APIs
as well as IPA 4.9.x.

Fixes: #276

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
rcritten added a commit that referenced this issue Dec 1, 2022
This required changes to the mock CAInstance to support
the HSM properties in DogtagInstance.

Fixes: #276

Signed-off-by: Rob Crittenden <rcritten@redhat.com>