Feature #23618

Satellite 6.2: katello-certs-check should check Key Usage

Added by jared jennings almost 6 years ago. Updated over 5 years ago.

Status: Closed
Priority: Normal
Category: Installer
Target version:
Difficulty:
Triaged: Yes
Fixed in Releases:
Found in Releases:

Description

Description of problem:
I obtained a new server certificate for my Satellite server, but then found that yum couldn't fetch repository updates (errno 14, curl#60, NSS -8102, SEC_ERROR_INADEQUATE_KEY_USAGE). The certificate had X509v3 Key Usages of Digital Signature and Non Repudiation. When I got a new certificate which also included the Key Encipherment key usage, yum worked. (Red Hat Support case 02099325.)

So the problem is that katello-certs-check said my server cert was OK when it didn't have the Key Encipherment bit in the X509v3 Key Usage extension. (cf. https://tools.ietf.org/html/rfc5280#section-4.2.1.3)

Version/Release:
Satellite 6.2.9; foreman-installer-katello-3.0.0.80-2.el7sat.noarch; verified that this functionality is still missing in HEAD (at this writing, https://github.com/Katello/katello-installer/commit/a5d2df888dfc1d6f96986e62638cf14f4e78787f).

Reproducible always. To reproduce:
1. Procure a cert with Key Usage bits Digital Signature and Non Repudiation set, but not Key Encipherment. In my AD environment, the value of these bits is controlled by the Certificate Profile used when signing the CSR, not by anything in the CSR itself.
2. Run katello-certs-check on the deficient cert.
3. Install the cert.
4. Reinstall the katello-ca-consumer* package on a client of the Katello server.
5. Try to use yum on the client.

Actual results:
katello-certs-check on the deficient cert passes; yum fails.

Expected results:
katello-certs-check fails; the admin is compelled to get a cert with Key Encipherment as a listed Key Usage; yum succeeds.
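The check the report asks for, as an added example in the same shape as katello-certs-check (a shell script around openssl); it is not the project's own code and not the pull request linked below. It parses the X509v3 Key Usage extension out of `openssl x509 -text` and fails the certificate when the extension is present but lacks Key Encipherment. A certificate with no Key Usage extension at all passes, because RFC 5280 places no restriction in that case. The `gen_cert` helper is only there so the example can be run offline: it mints throw-away self-signed certificates with a chosen Key Usage through an inline OpenSSL config, standing in for the CA-profile-controlled certificates the reporter describes. The hostname `satellite.example.com` and the file names are assumptions. Note that the Key Encipherment requirement comes from RSA key exchange; a TLS stack negotiating (EC)DHE or TLS 1.3 only needs Digital Signature, so this check mirrors what the NSS-based yum clients in the report demanded rather than a universal rule.

```shell
#!/bin/sh
# Added example, not katello-certs-check itself. Requires the openssl CLI.

# key_usage_of <cert.pem>: print the decoded Key Usage line, empty if the
# extension is absent. The -text output puts the bits on the line after
# "X509v3 Key Usage:", so take the next line and stop.
key_usage_of() {
  openssl x509 -in "$1" -noout -text 2>/dev/null |
    awk '/X509v3 Key Usage/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

# check_key_usage <cert.pem>: return 0 when the cert is usable for RSA key
# exchange (Key Encipherment set, or no Key Usage extension), 1 otherwise.
check_key_usage() {
  ku=$(key_usage_of "$1")
  if [ -z "$ku" ]; then
    return 0                      # no extension: RFC 5280 restricts nothing
  fi
  case "$ku" in
    *"Key Encipherment"*) return 0 ;;
    *)                    return 1 ;;
  esac
}

# report <cert.pem>: human-readable verdict, the way an installer check prints it.
report() {
  ku=$(key_usage_of "$1")
  if check_key_usage "$1"; then
    echo "OK:   $1 (Key Usage: ${ku:-not present})"
  else
    echo "FAIL: $1 has Key Usage '$ku' without Key Encipherment;" \
         "NSS-based clients (yum/curl) will reject it"
  fi
}

# gen_cert <out.pem> <keyUsage list or empty>: test-only helper that creates
# a self-signed cert whose Key Usage bits are set by the config, mimicking a
# CA profile that the CSR cannot influence. Subject name is an assumption.
gen_cert() {
  out=$1; ku=$2
  dir=$(mktemp -d)
  {
    printf '[req]\ndistinguished_name = dn\nx509_extensions = v3\nprompt = no\n'
    printf '[dn]\nCN = satellite.example.com\n'
    printf '[v3]\nsubjectKeyIdentifier = hash\n'
    [ -n "$ku" ] && printf 'keyUsage = critical, %s\n' "$ku"
  } > "$dir/openssl.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/key.pem" -out "$out" -config "$dir/openssl.cnf" >/dev/null 2>&1
  rm -rf "$dir"
}

# Usage: sh check_ku.sh server.crt [more.crt ...]
if [ $# -gt 0 ]; then
  for c in "$@"; do report "$c"; done
fi
```

Run it against the deficient certificate from the report and it prints FAIL with the Digital Signature, Non Repudiation line; a certificate reissued from a profile that adds Key Encipherment prints OK. The `case` match on the decoded name rather than the raw bit avoids depending on the `-ext` option, which older OpenSSL releases lack.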

Actions #1

Updated by jared jennings almost 6 years ago

  • Pull request https://github.com/Katello/katello-installer/pull/632 added
Actions #2

Updated by Jonathon Turel over 5 years ago

  • Status changed from New to Closed
  • Triaged set to Yes
Actions #3

Updated by Samir Jha over 5 years ago

  • Assignee set to jared jennings