이 콘텐츠는 선택한 언어로 제공되지 않습니다.

Chapter 2. Red Hat Certificate System 10.4 on Red Hat Enterprise Linux 8.6


This section describes significant changes in Red Hat Certificate System 10.4 on RHEL 8.6, such as highlighted updates and new features, important bug fixes, and current known issues users should be aware of.

Note

Downgrading Red Hat Certificate System to a previous minor version is not supported.

2.1. Updates and new features in CS 10.4

This section documents new features and important updates in Red Hat Certificate System 10.4:

Updates and new features in the pki-core package:

Certificate System packages rebased to version 10.13.0

The pki-core, redhat-pki, redhat-pki-theme, and pki-console packages have been upgraded to upstream version 10.13.0, which provides a number of bug fixes and enhancements over the previous version.

2.2. Technology Previews

ACME support in RHCS available as Technology Preview

Server certificate issuance via an Automated Certificate Management Environment (ACME) responder is available for Red Hat Certificate System (RHCS). The ACME responder supports the ACME v2 protocol (RFC 8555).

Previously, users had to use the Certificate Authority (CA)'s proprietary certificate signing request (CSR) submission routines. The routines sometimes required certificate authority (CA) agents to manually review the requests and issue the certificates.

The RHCS ACME responder now provides a standard mechanism for automatic server certificate issuance and life cycle management without involving CA agents. The feature allows the RHCS CA to integrate with existing certificate issuance infrastructure to target public CAs for deployment and internal CAs for development.

Note that this Technology Preview only includes an ACME server support. No ACME client is shipped as part of this release. Additionally, this ACME preview does not retain issuance data or handle user registration.

Be aware that future Red Hat Enterprise Linux updates can potentially break ACME installations.

For more information, see the IETF definition of ACME.

Note

Note that this feature is offered as a technology preview, provides early access to upcoming product functionality, and is not yet fully supported under subscription agreements.

2.3. Bug fixes in CS 10.4

This part describes bugs fixed in Red Hat Certificate System 10.4 that have a significant impact on users.

TPS now properly enforces Token Profile Separation for tps-cert-find

With this fix, the tps-cert-find command now properly restricts entries such as Token ID, User ID, Status, Date, according to the user profile, in a similar manner to the tps-token-find command.

Tokens are now displayed properly on the TPS Web UI

Previously, when formatting and enrolling a token via the tpsclient tool or adding a token via the Web UI, none of the tokens were visible on the TPS Web UI, although debug logs showed the entries getting recorded successfully. With this fix, the Web UI now lists all the tokens properly.

Bug fixes in the pki-core package:

pki-server ca-cert-request-show no longer fails when writing to a file

Previously, the pki-server ca-cert-request-show <request_id> -i <instance> --output-file <output_file> command failed with the following error: ERROR: a bytes-like object is required, not 'str'. This fix encodes the certificate request as bytes before writing to the file. As a result, the command should now export the certificate successfully.

2.4. Known issues in CS 10.4

This part describes known problems users should be aware of in Red Hat Certificate System 10.4, and, if applicable, workarounds.

TPS requires adding anonymous bind ACI access

In previous versions, the anonymous bind ACI was allowed by default, but it is now disabled in LDAP. Consequently, this prevents enrolling or formatting TPS smart cards.

To work around this problem until a fix, you need to add the anonymous bind ACI in Directory Server manually:

$ ldapmodify -D "cn=Directory Manager" -W -x -p 3389 -h hostname -x <<EOF
dn: dc=example,dc=org
changetype: modify
add: aci
aci: (targetattr!="userPassword || aci")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn="ldap:///anyone";)
EOF

Known issues in the pki-core package:

Cloning KRA with HSM fails due to missing attribute in auditSigningCert

When cloning a KRA with HSM, the auditSigningCert trust attribute u,u,Pu should get synced implicitly in the alias DB between the master and the clone. However, it now fails to replicate in the clone’s alias DB. As a consequence, cloning a KRA with HSM fails with the error auditSigningCert cert-topology-02-KRA KRA is invalid: Invalid certificate: (-8101) Certificate type not approved for application.

To work around this problem, you must add the u,u,Pu trust attribute for auditSigningCert explicitly in the alias DB of the clone KRA and restart the instance. For example:

  • Before the workaround:

    # certutil -vv -V -d /var/lib/pki/clone-KRA/alias/ -h nfast -n 'token:auditSigningCert cert-topology-02-KRA KRA' -u J
      Enter Password or Pin for "token":
      certutil: certificate is invalid: Certificate type not approved for application.
  • After the workaround:

    # certutil -M -d /var/lib/pki/clone-KRA/alias/ -n 'token:auditSigningCert cert-topology-02-KRA KRA' -t u,u,Pu
    # certutil -vv -V -d /var/lib/pki/clone-KRA/alias/ -h nfast -n 'token:auditSigningCert cert-topology-02-KRA KRA' -u J
      Enter Password or Pin for "token":
      certutil: certificate is valid

Using the cert-fix utility with the --agent-uid pkidbuser option breaks Certificate System

Using the cert-fix utility with the --agent-uid pkidbuser option corrupts the LDAP configuration of Certificate System. As a consequence, Certificate System might become unstable and manual steps are required to recover the system.

Red Hat logoGithubRedditYoutubeTwitter

자세한 정보

평가판, 구매 및 판매

커뮤니티

Red Hat 문서 정보

Red Hat을 사용하는 고객은 신뢰할 수 있는 콘텐츠가 포함된 제품과 서비스를 통해 혁신하고 목표를 달성할 수 있습니다.

보다 포괄적 수용을 위한 오픈 소스 용어 교체

Red Hat은 코드, 문서, 웹 속성에서 문제가 있는 언어를 교체하기 위해 최선을 다하고 있습니다. 자세한 내용은 다음을 참조하세요.Red Hat 블로그.

Red Hat 소개

Red Hat은 기업이 핵심 데이터 센터에서 네트워크 에지에 이르기까지 플랫폼과 환경 전반에서 더 쉽게 작업할 수 있도록 강화된 솔루션을 제공합니다.

© 2024 Red Hat, Inc.