Bug
Resolution: Done
Minor
None
Description of problem:
Able to generate certificates with random serial numbers longer than 128 bits
Version-Release number of selected component (if applicable):
idm-pki-ca-11.2.0-0.4.beta3.el9.noarch
How reproducible:
Always
Steps to Reproduce:
1. Set the following in the CA pkispawn configuration file:
pki_cert_id_generator=random
pki_cert_id_length=1024
2. Install CA
Actual results:
Able to generate certificates with random serial numbers longer than 128 bits:
[root@pki1 ~]# pki -p 20443 ca-cert-find
WARNING: UNTRUSTED ISSUER encountered on 'CN=pki1.example.com,OU=topology-02-CA,O=topology-02_Foobarmaster.org' indicates a non-trusted CA cert 'CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org'
Trust this certificate (y/N)? y
---------------
6 entries found
---------------
Serial Number: 0x4957b80614cbdf6195b405cf01e1d01b7fc3713b5c5eb78e19a79bcc972dcd8809f3401f53aba4b4e2b235ec8a715e3b4936a8c1cf7bc0796f4eb75a2ed670b1eceac299c25bb07ac9f7c200f4c07eb17fe4fc010201d817468a3eaa1ad40066cd85c537732332a9bbd4843e81ec1e4891926da675046c1474c85b4fb4882cf83
Subject DN: CN=Subsystem Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org
Issuer DN: CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org
Status: VALID
Type: X.509 version 3
Key Algorithm: PKCS #1 RSA with 2048-bit key
Not Valid Before: Sat Jun 15 08:31:08 EDT 2024
Not Valid After: Fri Jun 05 08:31:08 EDT 2026
Issued On: Sat Jun 15 08:31:09 EDT 2024
Issued By: system
Serial Number: 0x4c3de2d97227d8c8672d1f68eb3b4b88f2d5293080cbe5ea8a8835dd77d0350080a0142aabf07113f0ee5ba4c4ae3e6c59b64ef703c9fb4027d7052ecfa290c4ea90eb168f33d716be51430a102a551f7a6dddda48c9034eb0a5e4f0d224a14271796879c7dadd8a6af44f3fcc723e6f35769545832e0a83f89cd2d06574ceb6b
Subject DN: CN=PKI Administrator,E=caadmin@example.com,OU=topology-02-CA,O=topology-02_Foobarmaster.org
Issuer DN: CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org
Status: VALID
Type: X.509 version 3
Key Algorithm: PKCS #1 RSA with 2048-bit key
Not Valid Before: Sat Jun 15 08:31:25 EDT 2024
Not Valid After: Fri Jun 05 08:31:25 EDT 2026
Issued On: Sat Jun 15 08:31:26 EDT 2024
Issued By: system
Serial Number: 0x32bb29410f14660c0a2e1b4afe45519ec9ce463ee01c23be71a8b8e6e2d4ca13867d01a538c279f872500e2d212c80b02fd0441b2a28199d8ae729635792875c6d569e136f5530c5aaf51e4d418013fd8c0bc43374650883c99efb80fe15014325e24d03a02908b61cbd69b1427dd3ef1904213a4fced54f2804481a92ec80fc9f
Subject DN: CN=pki1.example.com,OU=topology-02-CA,O=topology-02_Foobarmaster.org
Issuer DN: CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org
Status: VALID
Type: X.509 version 3
Key Algorithm: PKCS #1 RSA with 2048-bit key
Not Valid Before: Sat Jun 15 08:31:01 EDT 2024
Not Valid After: Fri Jun 05 08:31:01 EDT 2026
Issued On: Sat Jun 15 08:31:02 EDT 2024
Issued By: system
Serial Number: 0x32ddbbb6117e60b9b03c662fd109e7cb7355d033cf2e834193b1cf6b75792264520530268c9af112d77492ca432a5d78c3cc621de82a89f7136d8695e6fefbdbaf7007dcde4940774b84cd7b1bbf86b194fa9488a7ee9febaf0d7208ee6295291c45107315357ad0ea08b58dc69e1110a7852b089330e21c1748f3fde85ba9de58
Subject DN: CN=CA Audit Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org
Issuer DN: CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org
Status: VALID
Type: X.509 version 3
Key Algorithm: PKCS #1 RSA with 2048-bit key
Not Valid Before: Sat Jun 15 08:31:15 EDT 2024
Not Valid After: Fri Jun 05 08:31:15 EDT 2026
Issued On: Sat Jun 15 08:31:16 EDT 2024
Issued By: system
Serial Number: 0x32deab2c356e2c4065f4291fa0be350f176fc479ba1b0dc63db89aa34302be61b05099469d6d3c00f6b2fa3a7179a2c64dcd1c01d4bfd432fd3f6518fa8b9aeba4937995b27a52001d7833add5b890c985788df45a7a93225f7c3ef0ea1b08cf001796a270fab2ca25e2b6cc42b0c5e7b1ead798106efd299ad7353caf9686d3c4
Subject DN: CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org
Issuer DN: CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org
Status: VALID
Type: X.509 version 3
Key Algorithm: PKCS #1 RSA with 2048-bit key
Not Valid Before: Sat Jun 15 08:30:48 EDT 2024
Not Valid After: Wed Jun 15 08:30:48 EDT 2044
Issued On: Sat Jun 15 08:30:49 EDT 2024
Issued By: system
Serial Number: 0x32e5fccc0bb10b16d4bdb3eaaa7f562c76b8fb719a940d2919e95d1212e023ed9cf0afcd3096871c3d5291bb12eb58adfb958d4954b880f0ef30d054917660a423ac53bfd208b5a21ed156700695e953bcea791a60f765faf34ad48ae3f0ce5a0c1e2be34557f651bd1e416e47c0b5ffbad282a86c3eca21e26ef87c01dce912fa
Subject DN: CN=CA OCSP Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org
Issuer DN: CN=CA Signing Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org
Status: VALID
Type: X.509 version 3
Key Algorithm: PKCS #1 RSA with 2048-bit key
Not Valid Before: Sat Jun 15 08:30:55 EDT 2024
Not Valid After: Fri Jun 05 08:30:55 EDT 2026
Issued On: Sat Jun 15 08:30:56 EDT 2024
Issued By: system
----------------------------
Number of entries returned 6
----------------------------
Expected results:
Certificates with 128-bit serial numbers must be allowed; serial numbers longer than 128 bits should not be generated.
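The following is an added example, not code from the bug report or from the idm-pki project. It gives a defender two checks for the problem described above: a pre-install guard that reads pki_cert_id_generator and pki_cert_id_length from a pkispawn deployment file (assumed to use the usual INI layout with a [CA] section), and a parser for the output of pki ca-cert-find that flags serial numbers longer than 128 bits, as the report expects, and separately those whose DER encoding exceeds the 20-octet limit RFC 5280 places on serialNumber. The sample input is constructed, apart from one serial number copied from the output above.

```python
"""Detect over-long certificate serial numbers in a Dogtag / idm-pki CA.

Added example, not code from the bug report or the idm-pki project.
Assumes the pkispawn file is INI-style with a [CA] section; all sample
text is constructed except the one serial copied from the report.
"""
from __future__ import annotations

import configparser
import re
from dataclasses import dataclass

# The report expects the CA to stop at 128 bits; RFC 5280 section 4.1.2.2
# separately requires serialNumber values to be no longer than 20 octets.
REPORT_MAX_BITS = 128
RFC5280_MAX_OCTETS = 20

SERIAL_RE = re.compile(r"^\s*Serial Number:\s*0x([0-9a-fA-F]+)\s*$")
SUBJECT_RE = re.compile(r"^\s*Subject DN:\s*(.+?)\s*$")


@dataclass
class SerialFinding:
    subject: str
    serial_hex: str
    bits: int        # bit length of the serial as an unsigned integer
    der_octets: int  # content octets a DER INTEGER needs for this value


def serial_bits(serial_hex: str) -> int:
    """Bit length of a hex serial, leading zeros ignored."""
    return int(serial_hex, 16).bit_length()


def der_integer_octets(value: int) -> int:
    """Content octets of a DER INTEGER holding a non-negative value.
    DER prepends 0x00 when the top bit of the first octet is set, so a
    128-bit value with its top bit set needs 17 octets, not 16."""
    return (value.bit_length() + 8) // 8


def parse_cert_find(output: str) -> list[tuple[str, str]]:
    """Return (serial_hex, subject) pairs from `pki ca-cert-find` text."""
    pairs = []
    serial = None
    for line in output.splitlines():
        m = SERIAL_RE.match(line)
        if m:
            serial = m.group(1)
            continue
        m = SUBJECT_RE.match(line)
        if m and serial is not None:
            pairs.append((serial, m.group(1)))
            serial = None
    return pairs


def check_serials(output: str, max_bits: int = REPORT_MAX_BITS) -> list[SerialFinding]:
    """Flag every certificate whose serial number exceeds max_bits."""
    findings = []
    for serial_hex, subject in parse_cert_find(output):
        value = int(serial_hex, 16)
        if value.bit_length() > max_bits:
            findings.append(SerialFinding(subject, serial_hex,
                                          value.bit_length(),
                                          der_integer_octets(value)))
    return findings


def rfc5280_violations(output: str) -> list[SerialFinding]:
    """Serials whose DER encoding exceeds the 20-octet limit of RFC 5280.
    max_bits=0 makes check_serials return every non-zero serial."""
    return [f for f in check_serials(output, max_bits=0)
            if f.der_octets > RFC5280_MAX_OCTETS]


def cert_id_length_ok(cfg_text: str, max_bits: int = REPORT_MAX_BITS) -> tuple[bool, int | None]:
    """Pre-install guard for a pkispawn deployment file: with the random
    generator, pki_cert_id_length must be present and at most max_bits.
    Returns (ok, configured_length)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    opts = cp["CA"] if cp.has_section("CA") else cp.defaults()
    generator = opts.get("pki_cert_id_generator", "")
    raw = opts.get("pki_cert_id_length")
    length = int(raw) if raw is not None else None
    if generator != "random":
        return True, length
    return length is not None and length <= max_bits, length


# Constructed pkispawn fragments: the report's setting and a corrected one.
REPORT_CFG = "[CA]\npki_cert_id_generator=random\npki_cert_id_length=1024\n"
FIXED_CFG = "[CA]\npki_cert_id_generator=random\npki_cert_id_length=128\n"

# Constructed ca-cert-find excerpt: the first serial is copied from the
# report; the others are made up to sit exactly at and just past 128 bits.
SAMPLE_OUTPUT = """\
Serial Number: 0x4957b80614cbdf6195b405cf01e1d01b7fc3713b5c5eb78e19a79bcc972dcd8809f3401f53aba4b4e2b235ec8a715e3b4936a8c1cf7bc0796f4eb75a2ed670b1eceac299c25bb07ac9f7c200f4c07eb17fe4fc010201d817468a3eaa1ad40066cd85c537732332a9bbd4843e81ec1e4891926da675046c1474c85b4fb4882cf83
Subject DN: CN=Subsystem Certificate,OU=topology-02-CA,O=topology-02_Foobarmaster.org
Serial Number: 0xf123456789abcdef0123456789abcdef
Subject DN: CN=constructed-128-bit
Serial Number: 0x1f123456789abcdef0123456789abcdef
Subject DN: CN=constructed-129-bit
Serial Number: 0x2a
Subject DN: CN=constructed-small
"""

if __name__ == "__main__":
    ok, length = cert_id_length_ok(REPORT_CFG)
    print(f"pki_cert_id_length={length}: {'ok' if ok else 'exceeds limit'}")
    for f in check_serials(SAMPLE_OUTPUT):
        print(f"{f.bits} bits / {f.der_octets} DER octets: {f.subject}")
```

Run against a real deployment by piping the output of pki ca-cert-find into check_serials; the DER octet count matters because a serial of exactly 160 bits with its top bit set already needs 21 content octets and so breaks RFC 5280 even though it looks like 20 bytes in hex.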