Chapter 6. Red Hat Certificate System 10.0 on Red Hat Enterprise Linux 8.2


This section describes significant changes in Red Hat Certificate System 10.0 on RHEL 8.2, such as highlighted updates and new features, important bug fixes, and current known issues users should be aware of.

6.1. Updates and new features in CS 10.0

This section documents new features and important updates in Red Hat Certificate System 10.0:

Certificate System packages rebased to version 10.8.3

The pki-core, redhat-pki, redhat-pki-theme, and pki-console packages have been upgraded to upstream version 10.8.3, which provides a number of bug fixes and enhancements over the previous version.

Updates and new features in the pki-core package:

Checking the overall health of your public key infrastructure is now available as a Technology Preview

The pki-healthcheck tool provides several checks that help you find and report error conditions that may impact the health of your public key infrastructure (PKI) environment.

Note

Note that this feature is offered as a Technology Preview, which provides early access to upcoming product functionality, and is not yet fully supported under subscription agreements.

The pki subsystem-cert-find and pki subsystem-cert-show commands now show the serial number of certificates

With this enhancement, the pki subsystem-cert-find and pki subsystem-cert-show commands in Certificate System show the serial number of certificates in their output. The serial number is an important piece of information and often required by multiple other commands. As a result, identifying the serial number of a certificate is now easier.

The pki user and pki group commands have been deprecated in Certificate System

With this update, the new pki <subsystem>-user and pki <subsystem>-group commands replace the pki user and pki group commands in Certificate System. The replaced commands still work, but they display a message that the command is deprecated and refer to the new commands.

Certificate System now supports offline renewal of system certificates

With this enhancement, administrators can use the offline renewal feature to renew the system certificates configured in Certificate System. Because Certificate System fails to start once a system certificate has expired, administrators previously needed workarounds to replace an expired system certificate; offline renewal removes the need for those workarounds.

Certificate System can now create CSRs with SKI extension for external CA signing

With this enhancement, Certificate System supports creating a certificate signing request (CSR) with the Subject Key Identifier (SKI) extension for external certificate authority (CA) signing. Certain CAs require this extension either with a particular value or derived from the CA public key. As a result, administrators can now use the pki_req_ski parameter in the configuration file passed to the pkispawn utility to create a CSR with SKI extension.
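To make the second case concrete (an external CA that expects the SKI to be derived from the CA public key), the following added Python example, which is not Certificate System code, shows how RFC 5280 section 4.2.1.2 derives a Subject Key Identifier from a SubjectPublicKeyInfo. It assembles the structure with a small DER encoder from a constructed, non-secret RSA modulus and applies both keyIdentifier methods the RFC defines. That pki_req_ski accepts the hex form of such a value (and, upstream, a DEFAULT keyword to derive it from the key) is an assumption about the pkispawn parameter, not something this release note states.

```python
"""RFC 5280 section 4.2.1.2 Subject Key Identifier derivation.

Added illustration (not Certificate System code): a minimal DER encoder builds a
SubjectPublicKeyInfo from a constructed, non-secret RSA modulus, and both
keyIdentifier methods from the RFC are applied to it.
"""
import hashlib


def der_length(n):
    """DER length octets: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content


def der_integer(value):
    """DER INTEGER: minimal big-endian bytes, prefixed with 0x00 if the top bit is set."""
    if value < 0:
        raise ValueError("only non-negative integers occur in a public key")
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der_tlv(0x02, body)


def der_sequence(*parts):
    return der_tlv(0x30, b"".join(parts))


def der_bitstring(payload):
    # The first content octet counts unused bits; a DER-encoded key leaves none.
    return der_tlv(0x03, b"\x00" + payload)


# AlgorithmIdentifier for rsaEncryption (OID 1.2.840.113549.1.1.1) with NULL parameters.
RSA_ENCRYPTION_ALGID = der_sequence(bytes.fromhex("06092a864886f70d010101"), b"\x05\x00")


def rsa_public_key_der(n, e):
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER } (RFC 8017)."""
    return der_sequence(der_integer(n), der_integer(e))


def subject_public_key_info(n, e):
    """SubjectPublicKeyInfo ::= SEQUENCE { algorithm, subjectPublicKey BIT STRING }."""
    return der_sequence(RSA_ENCRYPTION_ALGID, der_bitstring(rsa_public_key_der(n, e)))


def _read_tlv(buf, pos):
    """Return (tag, content, position after the element) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def subject_public_key_bits(spki):
    """The value of the subjectPublicKey BIT STRING with tag, length and the
    unused-bits octet stripped: exactly the bytes RFC 5280 says to hash."""
    tag, seq, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("not a SubjectPublicKeyInfo SEQUENCE")
    _, _, pos = _read_tlv(seq, 0)        # skip the AlgorithmIdentifier
    tag, bits, _ = _read_tlv(seq, pos)
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("subjectPublicKey is not a byte-aligned BIT STRING")
    return bits[1:]


def ski_method1(spki):
    """Method (1): the 160-bit SHA-1 hash of the BIT STRING value."""
    return hashlib.sha1(subject_public_key_bits(spki)).digest()


def ski_method2(spki):
    """Method (2): four-bit type field 0100 followed by the least significant
    60 bits of the same SHA-1 hash (64 bits in total)."""
    tail = bytearray(ski_method1(spki)[-8:])
    tail[0] = 0x40 | (tail[0] & 0x0F)
    return bytes(tail)


def pki_req_ski_value(spki):
    """Hex string of the method-1 identifier. That pki_req_ski takes a hex value
    in this form is an assumption about the pkispawn parameter, not a statement
    of the release note."""
    return ski_method1(spki).hex()


if __name__ == "__main__":
    # Constructed toy modulus (2048 bits, not a real key): any integer hashes fine.
    toy_n = int.from_bytes(hashlib.sha256(b"constructed toy modulus").digest() * 8, "big") | 1
    spki = subject_public_key_info(toy_n, 65537)
    print("SKI method 1:", pki_req_ski_value(spki))
    print("SKI method 2:", ski_method2(spki).hex())
```

Fed the DER SubjectPublicKeyInfo of the real CA signing key instead of the toy modulus, the same functions let you check that the certificate the external CA returns carries the subjectKeyIdentifier the CSR asked for; the end-entity certificates the RHCS CA later issues reference that value in their authorityKeyIdentifier, so a mismatch breaks chain building.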

6.2. Technology Previews

ACME support in RHCS available as Technology Preview

Server certificate issuance via an Automated Certificate Management Environment (ACME) responder is available for Red Hat Certificate System (RHCS). The ACME responder supports the ACME v2 protocol (RFC 8555).

Previously, users had to submit certificate signing requests (CSRs) through the certificate authority (CA)'s proprietary submission routines, which sometimes required CA agents to review the requests manually before issuing the certificates.

The RHCS ACME responder now provides a standard mechanism for automatic server certificate issuance and life cycle management without involving CA agents. Because the responder speaks the same protocol as public ACME CAs, existing ACME-based issuance tooling can target a public CA for deployment and an internal RHCS CA for development.

Note that this Technology Preview includes ACME server support only; no ACME client is shipped as part of this release. Additionally, the ACME preview does not retain issuance data or handle user registration.

Be aware that future Red Hat Enterprise Linux updates can potentially break ACME installations.

For more information, see the IETF definition of ACME.
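The challenge step of RFC 8555, which any ACME client talking to the responder has to get right and which the responder validates, is shown in the following added Python example. It uses only the standard library, is not Certificate System code, and contacts no responder; the account key is a constructed toy JWK rather than a real key, and the token is constructed as well.

```python
"""ACME v2 (RFC 8555) challenge values that an ACME client and the responder must
agree on. Added illustration using only the standard library; it is not
Certificate System code and contacts no responder. Keys and tokens are constructed.
"""
import base64
import hashlib
import json
import re

# Members RFC 7638 hashes for a thumbprint, per key type (lexicographic order).
REQUIRED_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data):
    """Base64url without padding, as RFC 8555 requires throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk):
    """RFC 7638 canonical form: required members only, sorted, no whitespace."""
    members = REQUIRED_MEMBERS[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in members}, separators=(",", ":"), sort_keys=True)


def jwk_thumbprint(jwk):
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def valid_token(token):
    """RFC 8555 8.3: base64url alphabet only, at least 128 bits of entropy (22 chars)."""
    return re.fullmatch(r"[A-Za-z0-9_-]{22,}", token) is not None


def key_authorization(token, account_jwk):
    """RFC 8555 8.1: token || '.' || base64url(JWK_Thumbprint(accountKey))."""
    if not valid_token(token):
        raise ValueError("challenge token is not well formed")
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_response(token, account_jwk):
    """Path and body the responder fetches over HTTP for http-01 (RFC 8555 8.3)."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, account_jwk)


def dns01_record(domain, token, account_jwk):
    """TXT name and value for dns-01 (RFC 8555 8.4): base64url(SHA-256(keyAuthorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


def verify_http01(fetched_body, token, account_jwk):
    """Server-side check: the body must equal the key authorization; RFC 8555 8.3
    lets the server ignore trailing whitespace, nothing else."""
    return fetched_body.rstrip(" \t\r\n") == key_authorization(token, account_jwk)


if __name__ == "__main__":
    # Constructed toy account key: a real client uses its own RSA or EC account key.
    account = {"kty": "RSA", "e": "AQAB", "n": "constructed-toy-modulus", "alg": "RS256"}
    token = b64url(b"constructed-token-bytes!")   # constructed, 32 base64url chars
    print(http01_response(token, account))
    print(dns01_record("www.example.com", token, account))
```

The thumbprint binds the challenge response to the account key, which is why a response copied from another account's validation is rejected: the token alone proves nothing, and the responder recomputes the key authorization from the key it has on file for the account that requested the order.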

Note

Note that this feature is offered as a Technology Preview, which provides early access to upcoming product functionality, and is not yet fully supported under subscription agreements.

6.3. Bug fixes in CS 10.0

This part describes bugs fixed in Red Hat Certificate System 10.0 that have a significant impact on users.

Bug fixes in the pki-core package:

The pkidestroy utility now picks the correct instance

Previously, the pkidestroy --force command executed on a half-removed instance picked the pki-tomcat instance by default, regardless of the instance name specified with the -i instance option. As a consequence, this removed the pki-tomcat instance instead of the intended instance, and the --remove-logs option did not remove the intended instance’s logs. pkidestroy now applies the right instance name, removing only the intended instance’s leftovers.

The Nuxwdog service no longer fails to start the PKI server in HSM environments

Previously, due to bugs, the keyutils package was not installed as a dependency of the pki-core package. Additionally, the Nuxwdog watchdog service failed to start the public key infrastructure (PKI) server in environments that use a hardware security module (HSM). These problems have been fixed. As a result, the required keyutils package is now installed automatically as a dependency, and Nuxwdog starts the PKI server as expected in environments with HSM.

Certificate System no longer logs SetAllPropertiesRule operation warnings when the service starts

Previously, Certificate System logged warnings on the SetAllPropertiesRule operation in the /var/log/messages log file when the service started. The problem has been fixed, and the mentioned warnings are no longer logged.

Certificate System now supports rotating debug logs

Previously, Certificate System used a custom logging framework, which did not support log rotation. As a consequence, debug logs such as /var/log/pki/instance_name/ca/debug grew indefinitely. With this update, Certificate System uses the java.util.logging framework, which supports log rotation. As a result, you can configure log rotation in the /var/lib/pki/instance_name/conf/logging.properties file.

The Certificate System KRA client parses Key Request responses correctly

Certificate System switched to a new JSON library. As a consequence, serialization for certain objects differed, and the Python key recovery authority (KRA) client failed to parse Key Request responses. The client has been modified to support responses using both the old and the new JSON library. As a result, the Python KRA client parses Key Request responses correctly.

6.4. Known issues in CS 10.0

This part describes known problems users should be aware of in Red Hat Certificate System 10.0, and, if applicable, workarounds.

TPS requires adding anonymous bind ACI access

In previous versions, Directory Server allowed anonymous bind by default through an ACI; that ACI is no longer enabled by default in LDAP. Consequently, enrolling or formatting TPS smart cards fails.

To work around this problem until a fix is available, add the anonymous bind ACI to the suffix the TPS instance uses in Directory Server manually. Replace hostname, the port, and dc=example,dc=org with the values of your Directory Server instance:

$ ldapmodify -D "cn=Directory Manager" -W -x -p 3389 -h hostname <<EOF
dn: dc=example,dc=org
changetype: modify
add: aci
aci: (targetattr!="userPassword || aci")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn="ldap:///anyone";)
EOF

This ACI grants read, search, and compare rights to unauthenticated clients on every entry under the suffix, excluding only the userPassword and aci attributes, so apply it to the TPS suffix and not to a broader tree. After applying it, confirm that an anonymous bind can search the suffix before retrying the TPS operation.

Known issues in the pki-core package:

Using the cert-fix utility with the --agent-uid pkidbuser option breaks Certificate System

Using the cert-fix utility with the --agent-uid pkidbuser option corrupts the LDAP configuration of Certificate System. As a consequence, Certificate System might become unstable and manual steps are required to recover the system.


© 2024 Red Hat, Inc.