RHEL-73384

PKI operation with -n "client_cert" is failing with "UNKNOWN_CA" in FIPS mode


    • Type: Bug
    • Resolution: Not a Bug
    • rhel-9.6
    • pki-core
    • rhel-idm-cs
    • ssg_idm
    • x86_64

      What were you trying to do that didn't work?

      PKI operation with -n "client_cert" is failing with "UNKNOWN_CA" in FIPS mode

      What is the impact of this issue to you?

      PKI CLI operation with -n "" is not working

      Please provide the package NVR for which the bug is seen:

      pki-core-11.6.0-0.3.alpha2.el9.src.rpm

      jss-5.6.0-0.1.alpha1.el9.src.rpm

      How reproducible is this bug?:

      Always

      Steps to reproduce

      1. Set up the latest RHEL 9.6 VM and enable FIPS
      2. Install CA & KRA
      3. Perform a PKI CLI authenticated operation:

       

      # certutil -L -d /tmp/test_hl_9bdc6_pki
      Certificate Nickname                                         Trust Attributes
                                                                   SSL,S/MIME,JAR/XPI
      CN=pki1.example.com,OU=topology-00-CA,O=topology-00_Foobarmaster.org P,,  
      CA Signing Certificate - topology-00_Foobarmaster.org        CT,C,C
      PKI CA Administrator for Example.Org                         u,u,u
      PKI KRA Administrator for Example.Org                        u,u,u
      DRM Transport Certificate - topology-00_Foobarmaster.org     c,c,c
      Certificate request:
      # pki -d /tmp/test_hl_9bdc6_pki -c SECret.123 -p 20443 client-cert-request "UID=myprisinghoaep"
        Request ID: 0x4e33d88ee5c90415efbe06ba3437aa09
        Type: enrollment
        Request Status: pending
        Operation Result: success
        Creation Time: Thu Jan 09 10:19:24 EST 2025
        Modification Time: Thu Jan 09 10:19:24 EST 2025
      Request approval with -n "" parameter:
      # pki -d /tmp/test_hl_9bdc6_pki -c SECret.123 -p 20443 -n 'PKI CA Administrator for Example.Org' ca-cert-request-approve 0x4e33d88ee5c90415efbe06ba3437aa09
      SEVERE: FATAL: SSL alert received: UNKNOWN_CA
      IOException: Unable to read from socket: Error reading from socket: (-12195) Peer does not recognize and trust the CA that issued your certificate.
      CA debug log:
      2025-01-09 10:30:11 [https-jsse-jss-nio-20443-exec-1] FINE: PKIServerSocketListener: SSL alert sent:
      2025-01-09 10:30:11 [https-jsse-jss-nio-20443-exec-1] FINE: - reason: serverAlertSent: UNKNOWN_CA
      2025-01-09 10:30:11 [https-jsse-jss-nio-20443-exec-1] FINE: - client: 10.0.148.204
      2025-01-09 10:30:11 [https-jsse-jss-nio-20443-exec-1] FINE: - server: 10.0.148.204
      2025-01-09 10:30:11 [https-jsse-jss-nio-20443-exec-1] FINE: - subject: CN=PKI Administrator,E=caadmin@example.com,OU=topology-00-CA,O=topology-00_Foobarmaster.org
      2025-01-09 10:30:11 [https-jsse-jss-nio-20443-exec-1] FINE: - serial: 40138588886813701661322487293818287367
      2025-01-09 10:30:11 [https-jsse-jss-nio-20443-exec-1] FINE: - issuer: CN=CA Signing Certificate,OU=topology-00-CA,O=topology-00_Foobarmaster.org
      2025-01-09 10:30:11 [https-jsse-jss-nio-20443-exec-1] FINE: SignedAuditLogger: event ACCESS_SESSION_ESTABLISH
      

      Expected results:

      It should work in both environments, i.e. FIPS and non-FIPS.

      Actual results:

      Certificate request approval is failing with UNKNOWN_CA for client-certificate based authentication in a FIPS-enabled VM, whereas it works fine for username/password based authentication and in a non-FIPS VM.
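The CA debug log above spreads each "SSL alert sent" event over several lines, which makes it awkward to count how often UNKNOWN_CA fires and for which client and issuer. The following helper is an added example, not code from the bug report or from pki-core; it reassembles those entries into one record per alert and summarises the UNKNOWN_CA ones. The log text is constructed in the same format as the excerpt above, with a second, unrelated alert on another worker thread to show that interleaved threads are kept apart.

```python
import re
from collections import Counter

# Constructed sample in the format of the CA debug log quoted above: the
# UNKNOWN_CA alert, then an unrelated alert on a second worker thread.
SAMPLE_LOG = """\
2025-01-09 10:30:11 [https-jsse-jss-nio-20443-exec-1] FINE: PKIServerSocketListener: SSL alert sent:
2025-01-09 10:30:11 [https-jsse-jss-nio-20443-exec-1] FINE: - reason: serverAlertSent: UNKNOWN_CA
2025-01-09 10:30:11 [https-jsse-jss-nio-20443-exec-1] FINE: - client: 10.0.148.204
2025-01-09 10:30:11 [https-jsse-jss-nio-20443-exec-1] FINE: - server: 10.0.148.204
2025-01-09 10:30:11 [https-jsse-jss-nio-20443-exec-1] FINE: - subject: CN=PKI Administrator,E=caadmin@example.com,OU=topology-00-CA,O=topology-00_Foobarmaster.org
2025-01-09 10:30:11 [https-jsse-jss-nio-20443-exec-1] FINE: - serial: 40138588886813701661322487293818287367
2025-01-09 10:30:11 [https-jsse-jss-nio-20443-exec-1] FINE: - issuer: CN=CA Signing Certificate,OU=topology-00-CA,O=topology-00_Foobarmaster.org
2025-01-09 10:30:11 [https-jsse-jss-nio-20443-exec-1] FINE: SignedAuditLogger: event ACCESS_SESSION_ESTABLISH
2025-01-09 10:31:02 [https-jsse-jss-nio-20443-exec-2] FINE: PKIServerSocketListener: SSL alert sent:
2025-01-09 10:31:02 [https-jsse-jss-nio-20443-exec-2] FINE: - reason: serverAlertSent: CLOSE_NOTIFY
2025-01-09 10:31:02 [https-jsse-jss-nio-20443-exec-2] FINE: - client: 10.0.148.204
"""

LINE_RE = re.compile(r"^(\S+ \S+) \[([^\]]+)\] \w+: (.*)$")   # timestamp, thread, message
FIELD_RE = re.compile(r"^- (\w+): (.*)$")                      # '- key: value' continuation
ALERT_START = "PKIServerSocketListener: SSL alert sent:"


def parse_ssl_alerts(text):
    """Return one dict per 'SSL alert sent' entry. Continuation lines are attached
    to the alert opened on the same worker thread, so interleaved threads stay apart."""
    alerts, open_by_thread = [], {}
    for line in text.splitlines():
        if not (m := LINE_RE.match(line)):
            continue
        stamp, thread, msg = m.groups()
        if msg == ALERT_START:
            open_by_thread[thread] = rec = {"time": stamp, "thread": thread}
            alerts.append(rec)
        elif (f := FIELD_RE.match(msg)) and thread in open_by_thread:
            key, value = f.groups()
            # 'serverAlertSent: UNKNOWN_CA' -> keep only the alert name
            open_by_thread[thread][key] = value.rsplit(": ", 1)[-1] if key == "reason" else value
        else:
            open_by_thread.pop(thread, None)   # any other message ends the entry
    return alerts


def unknown_ca_summary(alerts):
    """Count UNKNOWN_CA alerts per (client, issuer DN): repeated hits for one issuer
    point at a CA the server does not trust rather than at a single bad client cert."""
    return Counter((a.get("client"), a.get("issuer"))
                   for a in alerts if a.get("reason") == "UNKNOWN_CA")
```

Run `unknown_ca_summary(parse_ssl_alerts(open("debug").read()))` against a real CA debug log to get the per-client, per-issuer counts; the issuer DN in each record is what to compare against the CA certificates actually trusted in the server's NSS database.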

              rhcs-maint RHCS Maintenance
              prisingh@redhat.com Pritam Singh