Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

4.16. certmonger

An updated certmonger package that fixes one bug is now available for Red Hat Enterprise Linux 5.
[Updated 20 December 2011] This advisory has been updated with the correct product name (that is, Red Hat Enterprise Linux 5) in the Details section. The package included in this revised update has not been changed in any way from the package included in the original advisory.
The certmonger service monitors certificates, warning of their impending expiration, and optionally attempting to re-enroll with supported CAs (Certificate Authorities).

Bug Fix

BZ#767573
The RHSA-2011-1533 security advisory, which fixed a security vulnerability in the IPA (Identity, Policy and Audit) web-based service, caused incompatibility with older versions of certmonger. As a consequence, certmonger was unable to correctly submit enrollment requests to IPA's CA. With this update, certmonger has been modified and it now operates correctly with newer versions of IPA. Interoperability with older versions of IPA remains unaffected.
All users of certmonger are advised to upgrade to this updated package, which fixes this bug.
An updated certmonger package is now available for Red Hat Enterprise Linux 6.
The certmonger service monitors certificates, warning of their impending expiration, and optionally attempting to re-enroll with supported CAs (Certificate Authorities).

Bug Fix

BZ#729803
When submitting a signing request to a Red Hat IPA (Identity, Policy, Audit) CA, certmonger is expected to authenticate using the client's host credentials, and to delegate the client's credentials to the server. Recent updates to libraries on which certmonger depends changed delegation of client credentials from a mandatory operation to an optional operation that is no longer enabled by default, which effectively broke certmonger's support for IPA CAs.
This update gives certmonger the ability to explicitly request credential delegation when used with newer versions of these libraries, which introduce an API that allows certmonger to explicitly request that credential delegation be performed.
All certmonger users should upgrade to this updated package, which fixes this bug.
An updated certmonger package that fixes multiple bugs and adds one enhancement is now available for Red Hat Enterprise Linux 5.
The certmonger service monitors certificates as the date at which they become invalid approaches, optionally attempting to re-enroll with a supported certificate authority (CA) to keep the services which use the certificates running without incident.
The certmonger service, which was initially introduced as a Technology Preview, is now fully-supported. (BZ#665317)

Bug Fixes

BZ#712072
Prior to this update, ipa-getcert list calls from non-root users logged the misleading message ""Number of certificates and requests being tracked: 0". This update modifies the underlying code to display the correct message "Insufficient access. Please retry operation as root." when non-root users call ipa-getcert list.
BZ#756745
Prior to this update, starting the certmonger service as non-root user looged the uninformative message "Error connecting to D-Bus.". This update modifies the underlying code to display the correct message "Insufficient access. Please retry operation as root." when non-root users start the certmonger service.
BZ#757883
Prior to this update, the IPA web-based service was not compatibile with certmonger. As a consequence, certmonger was unable to correctly submit enrollment requests to IPA's CA. With this update, certmonger has been modified and it now operates correctly with newer versions of IPA.

Enhancement

BZ#727864
Prior to this update, libcurl could not delegate Kerberos tickets via XML-RPC to authenticate with Identity, Policy and Audit (IPA). This update adds support for the xmlrpc-c API to allow for Generic Security Services Application Program Interface (GSSAPI) delegation.
All users of the certmonger service are advised to upgrade to this updated package, which fixes these bugs and adds this enhancement.