Release Notes

SCP01 support in Certificate System is deprecated

Support for Secure Channel Protocol 01 (SCP01) is deprecated in Certificate System 10 and may be removed. Red Hat recommends using smart cards that support SCP03.

The pkiconsole tool is being deprecated

In Certificate System 10, the pkiconsole tool will be deprecated.

Certificate System now defaults to Random Serial Numbers

If you are migrating from Certificate System 10.6 to Certificate System 10.8, note that Certificate System 10.8 now defaults to Random Serial Numbers v3 (RSNv3).

Certificate System now supports Sequential Serial Numbers v2

Sequential Serial Numbers v2 (SSNv2) works the same as SSNv1 with serial numbers but requires a different configuration and solves the issues with contiguous range allocation for the certificate serial numbers.

Certificate System now supports Enrollment over Secure Transport protocol

Support for the Enrollment over Secure Transport (EST) protocol has been added to RHCS. EST is a cryptographic protocol designed to provide secure certificate enrollment for devices. EST is designed for automated enrollment and certificate management. For more information on EST, see RFC7030.

Certificate System now supports OAEP key wrapping algorithm support

Support for Optimal Asymmetric Encryption Padding (OAEP) key wrapping algorithm has been added to RHCS in favor of the older PKCS#1 algorithm. Newer HSM devices and later FIPS-enabled versions of NSS often require this algorithm for use.

Certificate System supports purging of expired certificates

You can now configure CA database pruning, which allows you purge expired certificates and certificate request records from the CA database. Previously, there was no method for doing this and the database continued to grow and it had the potential to causes issues with stored, performance degradation and increased costs.

Added password policy to enforce configured password complexity

A new password policy option has been provided to enforce the password quality defined by the user during the enrollment with server-sde key generation. This enables customers to increase the security of exchanged PKCS #12 files with generated certificates and keys.

ACME is now fully supported in RHCS

Server certificate issuance via an Automated Certificate Management Environment (ACME) responder is now fully supported in Red Hat Certificate System (RHCS). The ACME responder supports the ACME v2 protocol (RFC 8555).

The Pretty Print Certificate utility now displays the Inhibit Any-Policy extension correctly in a certificate

Previously, if you used the Pretty Print Certificate utility to view a certificate, the Inhibit Any-Policy extension displayed incorrectly, only displaying the OID value and not the extension name.

TPS requires adding anonymous bind ACI access

In previous versions, the anonymous bind ACI was allowed by default, but it is now disabled in LDAP. Consequently, this prevents enrolling or formatting TPS smart cards.

Issues reinstalling after removing instances using pkidestroy or pki-server remove

If you install a CA instance and remove it using either the pkidestroy or pki-server remove commands, if you try to install the CA instance again, an installation error is returned:

Cloning KRA with HSM fails due to missing attribute in auditSigningCert

When cloning a Key Recovery Authority (KRA) with Hardware Security Module (HSM), the auditSigningCert trust attribute u,u,Pu should get synced implicitly in the alias DB between the master and the clone. However, it now fails to replicate in the clone’s alias DB. As a consequence, cloning a KRA with HSM fails with the error auditSigningCert cert-topology-02-KRA KRA is invalid: Invalid certificate: (-8101) Certificate type not approved for application.

Using the cert-fix utility with the --agent-uid pkidbuser option breaks Certificate System

Using the cert-fix utility with the --agent-uid pkidbuser option corrupts the LDAP configuration of Certificate System. As a consequence, Certificate System might become unstable and manual steps are required to recover the system.

ACME support in RHCS available as Technology Preview

Server certificate issuance via an Automated Certificate Management Environment (ACME) responder is available for Red Hat Certificate System (RHCS). The ACME responder supports the ACME v2 protocol (RFC 8555).

TPS requires adding anonymous bind ACI access

In previous versions, the anonymous bind ACI was allowed by default, but it is now disabled in LDAP. Consequently, this prevents enrolling or formatting TPS smart cards.

Cloning KRA with HSM fails due to missing attribute in auditSigningCert

When cloning a Key Recovery Authority (KRA) with Hardware Security Module (HSM), the auditSigningCert trust attribute u,u,Pu should get synced implicitly in the alias DB between the master and the clone. However, it now fails to replicate in the clone’s alias DB. As a consequence, cloning a KRA with HSM fails with the error auditSigningCert cert-topology-02-KRA KRA is invalid: Invalid certificate: (-8101) Certificate type not approved for application.

Using the cert-fix utility with the --agent-uid pkidbuser option breaks Certificate System

Using the cert-fix utility with the --agent-uid pkidbuser option corrupts the LDAP configuration of Certificate System. As a consequence, Certificate System might become unstable and manual steps are required to recover the system.

Certificate System packages rebased to version 10.13.0

The pki-core, redhat-pki, redhat-pki-theme, and pki-console packages have been upgraded to upstream version 10.13.0, which provides a number of bug fixes and enhancements over the previous version.

ACME support in RHCS available as Technology Preview

Server certificate issuance via an Automated Certificate Management Environment (ACME) responder is available for Red Hat Certificate System (RHCS). The ACME responder supports the ACME v2 protocol (RFC 8555).

TPS now properly enforces Token Profile Separation for tps-cert-find

With this fix, the tps-cert-find command now properly restricts entries such as Token ID, User ID, Status, Date, according to the user profile, in a similar manner to the tps-token-find command.

Tokens are now displayed properly on the TPS Web UI

Previously, when formatting and enrolling a token via the tpsclient tool or adding a token via the Web UI, none of the tokens were visible on the TPS Web UI, although debug logs showed the entries getting recorded successfully. With this fix, the Web UI now lists all the tokens properly.

pki-server ca-cert-request-show no longer fails when writing to a file

Previously, the pki-server ca-cert-request-show <request_id> -i <instance> --output-file <output_file> command failed with the following error: ERROR: a bytes-like object is required, not 'str'. This fix encodes the certificate request as bytes before writing to the file. As a result, the command should now export the certificate successfully.

TPS requires adding anonymous bind ACI access

In previous versions, the anonymous bind ACI was allowed by default, but it is now disabled in LDAP. Consequently, this prevents enrolling or formatting TPS smart cards.

Cloning KRA with HSM fails due to missing attribute in auditSigningCert

When cloning a KRA with HSM, the auditSigningCert trust attribute u,u,Pu should get synced implicitly in the alias DB between the master and the clone. However, it now fails to replicate in the clone’s alias DB. As a consequence, cloning a KRA with HSM fails with the error auditSigningCert cert-topology-02-KRA KRA is invalid: Invalid certificate: (-8101) Certificate type not approved for application.

Using the cert-fix utility with the --agent-uid pkidbuser option breaks Certificate System

Using the cert-fix utility with the --agent-uid pkidbuser option corrupts the LDAP configuration of Certificate System. As a consequence, Certificate System might become unstable and manual steps are required to recover the system.

Certificate System packages rebased to version 10.12.4

The pki-core, redhat-pki, redhat-pki-theme, and pki-console packages have been upgraded to upstream version 10.12.4, which provides a number of bug fixes and enhancements over the previous version.

ACME support in RHCS available as Technology Preview

Server certificate issuance via an Automated Certificate Management Environment (ACME) responder is available for Red Hat Certificate System (RHCS). The ACME responder supports the ACME v2 protocol (RFC 8555).

Completing a secure channel with certain SCP03 and SCP01 tokens no longer fails due to pcsc-lite, pcsc-lite-ccid, and esc

As of the release of Red Hat Certificate System 10.2, an issue with pcsc-lite, pcsc-lite-ccid, and esc packages led to failures to complete a secure channel with certain SCP03 and SCP01 tokens. This has been fixed by a subsequent batch update.

SubCA two-step installation no longer fails while validating the SubCA signing certificate

Previously, installing a SubCA using the two-step method failed in an HSM environment with FIPS enabled: with either of the RSA or ECC options, attempting to validate the SubCA signing certificate returned an error. This fix changes the pki cli command from nss-import-cert to client-import-cert and --cert `to `--ca-cert. As a result, the CA signing cert is imported properly into the nssdb with trust. In addition, if pkispawn fails the pki-server subsystem-cert-validate call, this patch allows to provide more details on the failure while allowing pkispawn to complete. This would allow admins to manually add the CA signing certificate, although the aforementioned fix should now prevent the issue from happening.

TPS requires adding anonymous bind ACI access

In previous versions, the anonymous bind ACI was allowed by default, but it is now disabled in LDAP. Consequently, this prevents enrolling or formatting TPS smart cards.

Tokens are not visible on the TPS Web UI

When formatting and enrolling a token via the tpsclient tool or adding a token via the Web UI, none of the tokens are visible on the TPS Web UI, although debug logs show the entries getting recorded successfully.

Cloning KRA with HSM fails due to missing attribute in auditSigningCert

When cloning a KRA with HSM, the auditSigningCert trust attribute u,u,Pu should get synced implicitly in the alias DB between the master and the clone. However, it now fails to replicate in the clone’s alias DB. As a consequence, cloning a KRA with HSM fails with the error auditSigningCert cert-topology-02-KRA KRA is invalid: Invalid certificate: (-8101) Certificate type not approved for application.

Using the cert-fix utility with the --agent-uid pkidbuser option breaks Certificate System

Using the cert-fix utility with the --agent-uid pkidbuser option corrupts the LDAP configuration of Certificate System. As a consequence, Certificate System might become unstable and manual steps are required to recover the system.

Certificate System packages rebased to version 10.10.5

The pki-core, redhat-pki, redhat-pki-theme, and pki-console packages have been upgraded to upstream version 10.10.5, which provides a number of bug fixes and enhancements over the previous version.

ACME support in RHCS available as Technology Preview

Server certificate issuance via an Automated Certificate Management Environment (ACME) responder is available for Red Hat Certificate System (RHCS). The ACME responder supports the ACME v2 protocol (RFC 8555).

Certificates issued by PKI ACME Responder connected to PKI CA no longer fail OCSP validation

Previously, the default ACME certificate profile provided by PKI CA contained a sample OCSP URL that did not point to an actual OCSP service. As a consequence, if PKI ACME Responder was configured to use a PKI CA issuer, the certificates issued by the responder could fail OCSP validation. This update removes hard-coded URLs in the ACME certificate profile and adds an upgrade script to fix the profile configuration file in case you did not customize it.

pki-tools files are now in a single folder

The following files from the pki-tools package were in separate java-tools and native-tools folders:

Known issue with pcsc-lite, pcsc-lite-ccid, and esc

As of the release date of Red Hat Certificate System 10.2, a known issue with the versions of the pcsc-lite, pcsc-lite-ccid, and esc packages that are currently available may lead to failures to complete a secure channel with certain SCP03 and SCP01 tokens. The forthcoming batch update for RHEL 8.4 will provide corrected versions of these packages.

Cloning KRA with HSM is failing

Cloning KRA with HSM is failing with the error auditSigningCert cert-topology-02-KRA KRA is invalid: Invalid certificate: (-8101) Certificate type not approved for application in the debug log of the clone.

SubCA two-step installation fails while validating the SubCA signing certificate

Installing a SubCA using the two-step method fails in an HSM environment with FIPS enabled. With either of the RSA or ECC options, validating the SubCA signing certificate returns an error.

TPS requires adding anonymous bind ACI access

In previous versions, the anonymous bind ACI was allowed by default, but it is now disabled in LDAP. Consequently, this prevents enrolling or formatting TPS smart cards.

Using the cert-fix utility with the --agent-uid pkidbuser option breaks Certificate System

Using the cert-fix utility with the --agent-uid pkidbuser option corrupts the LDAP configuration of Certificate System. As a consequence, Certificate System might become unstable and manual steps are required to recover the system.

Certificate System packages rebased to version 10.9.0

The pki-core, redhat-pki, redhat-pki-theme, and pki-console packages have been upgraded to upstream version 10.9.0, which provides a number of bug fixes and enhancements over the previous version.

JSS now provides a FIPS-compliant SSLContext

Previously, Tomcat used the SSLEngine directive from the Java Cryptography Architecture (JCA) SSLContext class. The default SunJSSE implementation is not compliant with the Federal Information Processing Standard (FIPS), therefore PKI now provides a FIPS-compliant implementation via JSS.

Server-Side keygen Enrollment

Many newer versions of browsers have removed the functionality to generate PKI keys and CRMF support for key archival. To resolve this deficiency, Red Hat Certificate System 10.1 introduces a Server-Side Keygen enrollment mechanism: keys are generated on the KRA server and then transferred securely back to the client in PKCS#12.

CA Certificate Transparency with Embedded Signed Certificate Time stamp

Red Hat Certificate System now offers a basic version of Certificate Transparency (CT) V1 support (rfc 6962). It has the capability of issuing certificates with embedded Signed Certificate Time stamps (SCTs) from any trusted log where each deployment site chooses to have its root CA certificate included. The system can be configured to support multiple CT logs. For this feature to work, a minimum of one trusted CT log is required.

Checking the overall health of your public key infrastructure is now available

The pki-healthcheck tool provides several checks that help you find and report error conditions that may impact the health of your public key infrastructure (PKI) environment.

PKI now supports the RSA PSS (Probabilistic Signature Scheme) signing algorithm

With this enhancement, PKI now supports the RSA PSS (Probabilistic Signature Scheme) signing algorithm. To enable this feature, set the following line in the pkispawn script file for a given subsystem: pki_use_pss_rsa_signing_algorithm=True

ACME support in RHCS available as Technology Preview

Server certificate issuance via an Automated Certificate Management Environment (ACME) responder is available for Red Hat Certificate System (RHCS). The ACME responder supports the ACME v2 protocol (RFC 8555).

Auditors group now available for TPS installations

Previously, LDAP lacked a group entry for TPS-specific Auditors. New installations now feature a default TPS Auditors group. Existing instances require a manual LDAP procedure in order to use this group.

TPS requires adding anonymous bind ACI access

In previous versions, the anonymous bind ACI was allowed by default, but it is now disabled in LDAP. Consequently, this prevents enrolling or formatting TPS smart cards.

Certificates issued by PKI ACME Responder connected to PKI CA may fail OCSP validation

The default ACME certificate profile provided by PKI CA contains a sample OCSP URL that does notpoint to an actual OCSP service. As a consequence, if PKI ACME Responder is configured to use a PKI CA issuer, the certificates issued by the responder may fail OCSP validation

Using the cert-fix utility with the --agent-uid pkidbuser option breaks Certificate System

Using the cert-fix utility with the --agent-uid pkidbuser option corrupts the LDAP configuration of Certificate System. As a consequence, Certificate System might become unstable and manual steps are required to recover the system.

Certificate System packages rebased to version 10.8.3

The pki-core, redhat-pki, redhat-pki-theme, and pki-console packages have been upgraded to upstream version 10.8.3, which provides a number of bug fixes and enhancements over the previous version.

Checking the overall health of your public key infrastructure is now available as a Technology Preview

The pki-healthcheck tool provides several checks that help you find and report error conditions that may impact the health of your public key infrastructure (PKI) environment.

The pki subsystem-cert-find and pki subsystem-cert-show commands now show the serial number of certificates

With this enhancement, the pki subsystem-cert-find and pki subsystem-cert-show commands in Certificate System show the serial number of certificates in their output. The serial number is an important piece of information and often required by multiple other commands. As a result, identifying the serial number of a certificate is now easier.

The pki user and pki group commands have been deprecated in Certificate System

With this update, the new pki <subsystem>-user and pki <subsystem>-group commands replace the pki user and pki group commands in Certificate System. The replaced commands still work, but they display a message that the command is deprecated and refer to the new commands.

Certificate System now supports offline renewal of system certificates

With this enhancement, administrators can use the offline renewal feature to renew system certificates configured in Certificate System. When a system certificate expires, Certificate System fails to start. As a result of the enhancement, administrators no longer need workarounds to replace an expired system certificate.

Certificate System can now create CSRs with SKI extension for external CA signing

With this enhancement, Certificate System supports creating a certificate signing request (CSR) with the Subject Key Identifier (SKI) extension for external certificate authority (CA) signing. Certain CAs require this extension either with a particular value or derived from the CA public key. As a result, administrators can now use the pki_req_ski parameter in the configuration file passed to the pkispawn utility to create a CSR with SKI extension.

ACME support in RHCS available as Technology Preview

Server certificate issuance via an Automated Certificate Management Environment (ACME) responder is available for Red Hat Certificate System (RHCS). The ACME responder supports the ACME v2 protocol (RFC 8555).

The pkidestroy utility now picks the correct instance

Previously, the pkidestroy --force command executed on a half-removed instance picked the pki-tomcat instance by default, regardless of the instance name specified with the -i instance option. As a consequence, this removed the pki-tomcat instance instead of the intended instance, and the --remove-logs option did not remove the intended instance’s logs. pkidestroy now applies the right instance name, removing only the intended instance’s leftovers.

The Nuxwdog service no longer fails to start the PKI server in HSM environments

Previously, due to bugs, the keyutils package was not installed as a dependency of the pki-core package. Additionally, the Nuxwdog watchdog service failed to start the public key infrastructure (PKI) server in environments that use a hardware security module (HSM). These problems have been fixed. As a result, the required keyutils package is now installed automatically as a dependency, and Nuxwdog starts the PKI server as expected in environments with HSM.

Certificate System no longer logs SetAllPropertiesRule operation warnings when the service starts

Previously, Certificate System logged warnings on the SetAllPropertiesRule operation in the /var/log/messages log file when the service started. The problem has been fixed, and the mentioned warnings are no longer logged.

Certificate System now supports rotating debug logs

Previously, Certificate System used a custom logging framework, which did not support log rotation. As a consequence, debug logs such as /var/log/pki/ instance_name/ca/debug grew indefinitely. With this update, Certificate System uses the java.logging.util framework, which supports log rotation. As a result, you can configure log rotation in the /var/lib/pki/ instance_name/conf/logging.properties file.

The Certificate System KRA client parses Key Request responses correctly

Certificate System switched to a new JSON library. As a consequence, serialization for certain objects differed, and the Python key recovery authority (KRA) client failed to parse Key Request responses. The client has been modified to support responses using both the old and the new JSON library. As a result, the Python KRA client parses Key Request responses correctly.

TPS requires adding anonymous bind ACI access

In previous versions, the anonymous bind ACI was allowed by default, but it is now disabled in LDAP. Consequently, this prevents enrolling or formatting TPS smart cards.

Using the cert-fix utility with the --agent-uid pkidbuser option breaks Certificate System

Using the cert-fix utility with the --agent-uid pkidbuser option corrupts the LDAP configuration of Certificate System. As a consequence, Certificate System might become unstable and manual steps are required to recover the system.