Chapter 4. Red Hat Certificate System 10.2 on Red Hat Enterprise Linux 8.4

This section describes significant changes in Red Hat Certificate System 10.2 on RHEL 8.4, such as highlighted updates and new features, important bug fixes, and current known issues users should be aware of.

Note

Downgrading Red Hat Certificate System to a previous minor version is not supported.

4.1. Updates and new features in CS 10.2

This section documents new features and important updates in Red Hat Certificate System 10.2:

Updates and new features in the pki-core package:

Certificate System packages rebased to version 10.10.5

The pki-core, redhat-pki, redhat-pki-theme, and pki-console packages have been upgraded to upstream version 10.10.5, which provides a number of bug fixes and enhancements over the previous version.

4.2. Technology Previews

ACME support in RHCS available as Technology Preview

Server certificate issuance via an Automated Certificate Management Environment (ACME) responder is available for Red Hat Certificate System (RHCS). The ACME responder supports the ACME v2 protocol (RFC 8555).

Previously, users had to use the Certificate Authority (CA)'s proprietary certificate signing request (CSR) submission routines. These routines sometimes required CA agents to manually review the requests and issue the certificates.

The RHCS ACME responder now provides a standard mechanism for automatic server certificate issuance and life cycle management without involving CA agents. The feature allows the RHCS CA to integrate with existing certificate issuance infrastructure to target public CAs for deployment and internal CAs for development.

Note that this Technology Preview includes only ACME server support. No ACME client is shipped as part of this release. Additionally, this ACME preview does not retain issuance data or handle user registration.

Be aware that future Red Hat Enterprise Linux updates can potentially break ACME installations.

For more information, see the IETF definition of ACME.

Note

This feature is offered as a Technology Preview: it provides early access to upcoming product functionality and is not yet fully supported under subscription agreements.

4.3. Bug fixes in CS 10.2

This part describes bugs fixed in Red Hat Certificate System 10.2 that have a significant impact on users.

Bug fixes in the pki-core package:

Certificates issued by PKI ACME Responder connected to PKI CA no longer fail OCSP validation

Previously, the default ACME certificate profile provided by PKI CA contained a sample OCSP URL that did not point to an actual OCSP service. As a consequence, if PKI ACME Responder was configured to use a PKI CA issuer, the certificates issued by the responder could fail OCSP validation. This update removes hard-coded URLs in the ACME certificate profile and adds an upgrade script to fix the profile configuration file in case you did not customize it.
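The following shell script is an added example, not part of the Red Hat release notes or the PKI project: after applying this update, it reads the OCSP URL from the Authority Information Access extension of an issued certificate and queries that responder, so you can confirm that certificates produced by the ACME profile no longer point at a non-existent OCSP service. It requires the openssl CLI; the self-signed test certificate, the issuer and the URL http://ocsp.example.test/ are constructed values for exercising the helpers, not RHCS defaults.

```shell
#!/bin/sh
# Added example (not from the release notes): verify the OCSP URL embedded in an
# issued certificate actually resolves to a live responder. Requires openssl.
set -e

# Print the OCSP responder URI(s) from the certificate's AIA extension.
get_ocsp_uri() {
  openssl x509 -noout -ocsp_uri -in "$1"
}

# Return 0 when the responder named in the certificate answers an OCSP request
# for it, 1 when the certificate has no OCSP URI or the responder does not answer.
# -noverify is used because this check is about responder reachability, not
# trust in the response signer; drop it for a full validation.
check_ocsp() {
  cert=$1; issuer=$2
  uri=$(get_ocsp_uri "$cert")
  [ -n "$uri" ] || { echo "no OCSP URI in $cert"; return 1; }
  openssl ocsp -issuer "$issuer" -cert "$cert" -url "$uri" -noverify >/dev/null 2>&1
}

# Build a throwaway self-signed certificate carrying a constructed AIA/OCSP URL
# so the helpers above can be exercised without a real CA. Prints the cert path.
make_test_cert() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=acme-test.example" \
    -addext "authorityInfoAccess=OCSP;URI:http://ocsp.example.test/" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
  echo "$dir/cert.pem"
}

# Usage against a real issued certificate and its issuer (assumed paths):
#   check_ocsp /path/to/issued.pem /path/to/ca.pem && echo "OCSP responder reachable"
```

Run check_ocsp against a certificate issued after the upgrade; if get_ocsp_uri still prints the sample URL from the old profile, the profile configuration file was customized and the upgrade script left it untouched, so the URL must be corrected by hand.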

pki-tools files are now in a single folder

The following files from the pki-tools package were in separate java-tools and native-tools folders:

  • /usr/share/pki/java-tools/DRMTool.cfg
  • /usr/share/pki/java-tools/KRATool.cfg
  • /usr/share/pki/native-tools/setpin.conf

For consistency, they are now merged into a single folder:

  • /usr/share/pki/tools/DRMTool.cfg
  • /usr/share/pki/tools/KRATool.cfg
  • /usr/share/pki/tools/setpin.conf

4.4. Known issues in CS 10.2

This part describes known problems users should be aware of in Red Hat Certificate System 10.2, and, if applicable, workarounds.

Known issue with pcsc-lite, pcsc-lite-ccid, and esc

As of the release date of Red Hat Certificate System 10.2, a known issue with the versions of the pcsc-lite, pcsc-lite-ccid, and esc packages that are currently available may lead to failures to complete a secure channel with certain SCP03 and SCP01 tokens. The forthcoming batch update for RHEL 8.4 will provide corrected versions of these packages.

Cloning KRA with HSM is failing

Cloning a KRA with an HSM fails, and the debug log of the clone contains the error "auditSigningCert cert-topology-02-KRA KRA is invalid: Invalid certificate: (-8101) Certificate type not approved for application".

SubCA two-step installation fails while validating the SubCA signing certificate

Installing a SubCA using the two-step method fails in an HSM environment with FIPS enabled. With either of the RSA or ECC options, validating the SubCA signing certificate returns an error.

TPS requires adding anonymous bind ACI access

In previous versions, the anonymous bind ACI was allowed by default, but it is now disabled in LDAP. As a consequence, TPS smart cards cannot be enrolled or formatted.

To work around this problem until a fix is available, add the anonymous bind ACI in Directory Server manually:

$ ldapmodify -D "cn=Directory Manager" -W -x -p 3389 -h hostname <<EOF
dn: dc=example,dc=org
changetype: modify
add: aci
aci: (targetattr!="userPassword || aci")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn="ldap:///anyone";)
EOF
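The script below is an added example, not part of the Red Hat release notes: it wraps the workaround so that the ACI is added only when it is not already present, and then verifies from an anonymous bind that the suffix is readable while userPassword stays hidden, which is what the targetattr exclusion in the ACI is meant to guarantee. The host, port, suffix and the ACL name "Enable anonymous access" are taken from the workaround above or are assumed values; ldapsearch and ldapmodify from the OpenLDAP client tools are required.

```shell
#!/bin/sh
# Added example (not from the release notes): idempotent application and
# verification of the anonymous bind ACI workaround for TPS enrollment.
set -e

ACL_NAME="Enable anonymous access"

# Emit the LDIF from the release note for the given suffix (e.g. dc=example,dc=org).
build_aci_ldif() {
  suffix=$1
  printf 'dn: %s\nchangetype: modify\nadd: aci\naci: (targetattr!="userPassword || aci")(version 3.0; acl "%s"; allow (read, search, compare) userdn="ldap:///anyone";)\n' \
    "$suffix" "$ACL_NAME"
}

# Return 0 if an ACI with our acl name already exists on the suffix.
# Binds as Directory Manager; -W prompts for the password.
aci_present() {
  host=$1; port=$2; suffix=$3
  ldapsearch -x -H "ldap://$host:$port" -D "cn=Directory Manager" -W \
    -b "$suffix" -s base aci | grep -q "acl \"$ACL_NAME\""
}

# Add the ACI only when it is missing, so re-running the script is safe.
ensure_aci() {
  host=$1; port=$2; suffix=$3
  if aci_present "$host" "$port" "$suffix"; then
    echo "ACI already present on $suffix"; return 0
  fi
  build_aci_ldif "$suffix" | ldapmodify -x -H "ldap://$host:$port" -D "cn=Directory Manager" -W
}

# Verify from an anonymous bind: entries under the suffix are readable, and no
# userPassword attribute is returned (the ACI excludes it from anonymous access).
verify_anon_access() {
  host=$1; port=$2; suffix=$3
  out=$(ldapsearch -x -H "ldap://$host:$port" -b "$suffix" -s sub '(objectClass=*)' userPassword)
  echo "$out" | grep -q '^dn:' || { echo "anonymous read failed"; return 1; }
  if echo "$out" | grep -qi '^userPassword:'; then
    echo "userPassword exposed to anonymous bind"; return 1
  fi
  echo "anonymous read OK, userPassword hidden"
}

# Usage (assumed host, port and suffix):
#   ensure_aci hostname 3389 dc=example,dc=org
#   verify_anon_access hostname 3389 dc=example,dc=org
```

Because the ACI grants read, search and compare to anyone, run verify_anon_access after the change and again after the fixed packages arrive, when the workaround ACI should be removed; pass -y with a password file instead of -W if you want the script to run without prompting.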

Known issues in the pki-core package:

Using the cert-fix utility with the --agent-uid pkidbuser option breaks Certificate System

Using the cert-fix utility with the --agent-uid pkidbuser option corrupts the LDAP configuration of Certificate System. As a consequence, Certificate System might become unstable and manual steps are required to recover the system.