Bug #6875

[RFE] Support for custom server certificates

Added by Ivan Necas over 6 years ago. Updated over 2 years ago.

Status: Closed
Priority: High
Assignee:
Category: Installer
Target version:
Difficulty: hard
Triaged: Yes
Bugzilla link:
Fixed in Releases:
Found in Releases:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=873753
Description of problem:
System Engine generates its own CA Cert during install and uses it for the Web UI and signing other certs used for communication between pulp, candlepin, and AMQP.

Issues with this, outlined along with a lot more detail at https://fedorahosted.org/katello/wiki/CertsRedesign, are:

  • all server certs are signed by the Candlepin CA
  • the Candlepin CA serves as both server cert and CA cert
  • its key is not password protected
  • its key is accessible by three system users
  • certs are not trusted
  • no multihome support

Version-Release number of selected component (if applicable):
System Engine 1.1 Beta

Thus far https://bugzilla.redhat.com/show_bug.cgi?id=754728 to document the process for replacing the CA with a subordinate CA signed by our CA has not been completed, and I have been told that the process will not be supported until 2.0.

How reproducible:
Always

Steps to Reproduce:
1. Install System Engine

Actual results:
See that the CA Cert created during install is used as the server cert and the CA Cert for signing other certs. Look for documentation on replacing the CA Cert with a subordinate CA signed by your organizations CA and see that there is none.

Expected results:
We should be able to replace the cert for the Web UI with a standard SSL cert signed by our CA. We should also have the option of replacing the CA Cert created during install with a subordinate CA cert signed by our CA Cert.

Additional info:
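The two designs this ticket contrasts, as an added example that is not code from Katello or its installer: the reported one (a single self-signed CA that is also the HTTPS server certificate, its key not password protected and readable beyond its owner) next to the requested one (the installer's own CA kept for client certificates only, the server certificate chained to a subordinate CA under the organization's root, which is also the split the associated revision "separate the default CA and server CA" describes). The script builds throwaway keys in a temporary directory with the openssl CLI and then runs the checks a reviewer would run against a real install: is the served certificate a CA certificate, is it self-signed, is the CA key encrypted at rest, is its mode owner-only, does the server chain verify to the organization root for the expected hostname, and do the two CAs really fail to vouch for each other's certificates. The hostname, file names and passphrase are assumptions for the demo; it needs OpenSSL 1.1.1 or newer and does not use any katello-installer parameters.

```shell
#!/bin/sh
# Added example for this ticket, not code from Katello or its installer.
# Builds throwaway keys in a temp dir to contrast the reported design
# (one self-signed CA that also serves as the HTTPS server cert, key not
# password protected and group-readable) with the requested one (the
# installer's default CA kept for client certs only, the server cert
# chained to a subordinate CA under the organization's root), then runs
# the checks a reviewer would run on a real install. Hostname, file names
# and the passphrase are assumptions; needs OpenSSL 1.1.1 or newer.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
HOST=katello.example.com                    # assumed server hostname

newkey() { openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null; }
csr()    { openssl req -new -key "$1.key" -subj "/CN=$2" -out "$1.csr" 2>/dev/null; }

# Self-signed CA ($1 basename, $2 CN, $3 optional extra extensions). Extensions
# come from an explicit file so the result does not depend on openssl.cnf.
make_root() {
    newkey "$1.key"; csr "$1" "$2"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n%b\n' "${3:-}" > "$1.ext"
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 3650 -sha256 \
        -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}
# Cert signed by another CA ($1 basename, $2 CN, $3 issuer basename, $4 extensions).
issue() {
    newkey "$1.key"; csr "$1" "$2"
    printf '%b\n' "$4" > "$1.ext"
    openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
        -days 825 -sha256 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

# Checks. Each returns 0 for "yes" so callers can branch on the exit status.
is_ca_cert()       { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
# Subject name equals issuer name: a cheap self-signed indicator, not a signature check.
is_self_signed()   { [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
                       "$(openssl x509 -in "$1" -noout -issuer_hash)" ]; }
key_encrypted()    { grep -q ENCRYPTED "$1"; }
key_private()      { case "$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")" in
                       400|600) return 0 ;; *) return 1 ;; esac; }
verifies_against() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
# Trust only the root ($1); the subordinate ($2) is supplied untrusted, like a served chain.
chain_ok()         { openssl verify -CAfile "$1" -untrusted "$2" -verify_hostname "$HOST" "$3" >/dev/null 2>&1; }

# 1) Reported design: the installer CA is also the Apache server certificate.
make_root legacy-ca "$HOST" "subjectAltName=DNS:$HOST"
chmod 640 legacy-ca.key                     # readable by the service group, as reported

# 2) Requested design.
make_root org-root "Example Corp Root CA"   # the organization's CA, managed out of band
issue server-ca "Katello Server CA" org-root \
    'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign'
issue server "$HOST" server-ca \
    "basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:$HOST"
make_root default-ca "Katello Default CA"   # installer CA, now used for client certs only
issue client gofer-client default-ca 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth'
openssl pkey -in server-ca.key -aes-256-cbc -passout pass:changeit -out server-ca.key.enc 2>/dev/null
chmod 600 server-ca.key.enc server.key

audit() {  # $1 label, $2 server cert, $3 CA key
    echo "== $1"
    is_ca_cert "$2"     && echo "  server cert carries CA:TRUE (CA cert reused as server cert)" || echo "  server cert is a leaf"
    is_self_signed "$2" && echo "  server cert is self-signed" || echo "  server cert is issued by a separate CA"
    key_encrypted "$3"  && echo "  CA key is encrypted at rest" || echo "  CA key is not password protected"
    key_private "$3"    && echo "  CA key is owner-only" || echo "  CA key is readable by group or others"
}
audit "reported design"  legacy-ca.crt legacy-ca.key
audit "requested design" server.crt    server-ca.key.enc
chain_ok org-root.crt server-ca.crt server.crt && echo "server chain verifies to the org root for $HOST"
verifies_against default-ca.crt client.crt     && echo "client cert verifies against the default CA"
verifies_against default-ca.crt server.crt     || echo "server cert does not verify against the default CA: the two CAs are separate"
```

Run it with `sh` and compare the two audit blocks. The verification step deliberately trusts only the organization root and passes the subordinate as untrusted, which is how a browser or client sees a served chain; if the subordinate were put in the trust store instead, a chain check would still pass after the root revoked it. The last line is the property the redesign buys: a certificate issued by the installer's default CA (client identity for qpid/gofer) cannot stand in for the server, and the server certificate cannot be mistaken for a client, because neither CA vouches for the other's leaves.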


Related issues

Has duplicate Katello - Feature #5296: As a user, I would like to have the server certificates used at install time be signed by a client CA. (Duplicate, 2014-04-21)

Associated revisions

Revision b9cdaea2 (diff)
Added by Ivan Necas over 6 years ago

Refs #6875 - Update the modules to the changes in puppet-certs module

Revision dff469d9 (diff)
Added by Ivan Necas over 6 years ago

Refs #6875 - separate the default CA and server CA

Up until now, we used the default CA for both server and client certificates.
This made it practically impossible to issue the server certificates outside of
the installer and pass them in as arguments.

By default, the server CA is the same as default CA, unless the $server_ca_cert
is specified.

In the bootstrap rpm, we ship both the server CA (for verifying the server) as well
as the default CA (for gofer to verify qpid).

Revision e72e7a99 (diff)
Added by Ivan Necas over 6 years ago

Refs #6875 - deploy the server cert for the pulp node to verify the parent

Revision 1f2c75a8 (diff)
Added by Ivan Necas over 6 years ago

Refs #6875 - set the path to the server cert according to cert params

Revision da188398
Added by Ivan Necas over 6 years ago

Merge pull request #12 from iNecas/issue/6875

Refs #6875 - Update the modules to the changes in puppet-certs module

Revision f9da521d
Added by Ivan Necas over 6 years ago

Merge pull request #25 from iNecas/issue/6875

Refs #6875 - separate the default CA and server CA

Revision dd1f7dae (diff)
Added by Ivan Necas over 6 years ago

Fixes #6875 - Ability to pass own server certs for apache and smart-proxy

Also ability to renew the server or all certs

Revision e25877fd (diff)
Added by Ivan Necas over 6 years ago

Refs #6875, #7115 - Update pulp, certs and capsule module

Revision 494ea150
Added by Ivan Necas over 6 years ago

Merge pull request #94 from iNecas/issue/6875

Fixes #6875 - Ability to pass own server certs for apache and smart-proxy

History

#1 Updated by Ivan Necas over 6 years ago

  • Status changed from New to Assigned

#2 Updated by Ivan Necas over 6 years ago

  • Category changed from Web UI to Installer

#3 Updated by Ivan Necas over 6 years ago

  • Target version set to 54

#4 Updated by Eric Helms over 6 years ago

  • Difficulty set to hard
  • Triaged changed from No to Yes

#5 Updated by The Foreman Bot over 6 years ago

  • Status changed from Assigned to Ready For Testing
  • Pull request https://github.com/Katello/katello-installer/pull/94 added
  • Pull request deleted ()

#6 Updated by Eric Helms over 6 years ago

  • Target version changed from 54 to 55

#7 Updated by Eric Helms over 6 years ago

  • Has duplicate Feature #5296: As a user, I would like to have the server certificates used at install time be signed by a client CA. added

#8 Updated by Ivan Necas over 6 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#9 Updated by Eric Helms over 6 years ago

  • Legacy Backlogs Release (now unused) set to 13
