7.5. Known Issues

Red Hat Certificate System 9.1 is affected by the following known issues:

Important

Note that this document only contains release notes for features which are not available in the base Red Hat Enterprise Linux 7.3 release. Some known issues in Red Hat Certificate System are in the pki-core package; those are documented in the Red Hat Enterprise Linux 7.3 Release Notes.

CRL cannot be configured in console to update after every revocation or release from hold unless grace period is set

Currently, the Certificate Revocation List (CRL) update cannot be configured solely based on certificate revocation events. When setting full and delta CRL schedules, the "Update CRL every time a certificate is revoked or released from hold" option also requires you to fill out the two grace period settings.
Thus, in order to select this option, you need to first select the "Update CRL every" option and enter a number for the "Next update grace period # minutes" box.

Firefox can no longer enroll a signing and an archival certificate at the same time

The caDualCert.cfg profile previously used the Mozilla cryptographic object to create two requests, one for a signing certificate and the other for an encryption certificate, with private key archival specified for the encryption certificate. Since Mozilla has removed the generateCRMFRequest() object, Red Hat Certificate System can no longer support this type of enrollment within the browser.
The following procedure generates the same two certificates using the pki command-line interface (CLI) tools. It covers manual enrollment of the user signing certificate and the user encryption certificate.
  1. Enroll for the signing-only certificate:
    1. Create the certificate signing request (CSR) using certutil:
      certutil -R -k rsa -g 2048 -s "CN=John Smith,O=Example Corp,L=Mountain View,ST=California,C=US" -d ./ -a -o cert.cer
    2. Send the request to the Certificate Authority (CA) using the caSigningUserCert profile:
      pki ca cert-request-submit --csr-file ./cert.cer --profile caSigningUserCert --subject "CN=John Smith,O=Example Corp,L=Mountain View,ST=California,C=US"
    3. The final certificate can be retrieved using the standard end entity (EE) graphical user interface of the product.
  2. Enroll for the encryption-only certificate:
    1. Obtain the transport certificate from the Key Recovery Authority (KRA):
      pki -C "" -U 'https://localhost:8443/ca' cert-show 0x07 --encoded --output transport.pem
    2. One can make sure that certificate 0x07 is actually the transport certificate for the KRA by consulting the end entity interface of the product. If the certificate happens to have a different ID, use that one instead of 0x07.
    3. Use the CRMFPopClient command to create the CSR for the encryption certificate that will have the private key archived to the KRA.
      Here we use the caEncUserCert profile to obtain this certificate:
      CRMFPopClient -d . -p password "secret123" -o csr -a rsa -l 2048 -n "UID=username" -f caEncUserCert -b transport.pem
    4. Get the enrollment template for the caEncUserCert profile:
      pki -v -C "secret123" -U https://localhost:8443/ca cert-request-profile-show caEncUserCert --output encuser.xml
    5. Sanitize the line endings in the csr file you just created:
      dos2unix csr
    6. Fill in the enrollment template as follows:
      cert_request_type = crmf
      cert_request = <copied certificate request blob from the file csr>
      sn_cn = <your cn value>
    7. Submit the final request to the CA:
      pki -v -C "secret123" -U https://localhost.localdomain:8443/ca cert-request-submit encuser.xml
The terminal should print out success or failure of the enrollment.
If the enrollment is successful, the agent can approve this request, issuing the certificate. Note that the approval will trigger an archival of the encryption key to the KRA.
The EE interface of the product can be used to obtain the new encryption certificate.
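
Steps 5 and 6 of the encryption-certificate enrollment above can be scripted rather than edited by hand. The following is an added example, not part of the original release notes or of Red Hat's tooling; the function names, the single-line `<Value>` layout, and the embedded template (a constructed, abbreviated stand-in) are assumptions.

```shell
# Added example: script steps 5 and 6 (clean the CSR, fill in encuser.xml).
# Assumption: every <Value> element in the template sits on a single line.

# Escape &, < and > so a value such as a CN cannot break the XML.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# fill_attr NAME VALUE FILE: set <Value> inside <Attribute name="NAME">.
fill_attr() {
    VAL=$(xml_escape "$2") NAME="$1" awk '
        index($0, "<Attribute name=\"" ENVIRON["NAME"] "\"") { hit = 1 }
        hit && (p = index($0, "<Value")) {
            print substr($0, 1, p - 1) "<Value>" ENVIRON["VAL"] "</Value>"
            hit = 0; found = 1; next
        }
        { print }
        END { exit !found }
    ' "$3" > "$3.new" && mv "$3.new" "$3" || { rm -f "$3.new"; return 1; }
}

# fill_template CSR_FILE CN TEMPLATE_FILE
fill_template() {
    blob=$(tr -d '\r' < "$1") || return 1   # same effect as dos2unix
    [ -n "$blob" ] || { echo "empty CSR file: $1" >&2; return 1; }
    fill_attr cert_request_type crmf "$3" &&
        fill_attr cert_request "$blob" "$3" &&
        fill_attr sn_cn "$2" "$3"
}

# Constructed, abbreviated stand-in for the file written by
# cert-request-profile-show; the real template has more elements.
sample_template() {
    cat <<'EOF'
<CertEnrollmentRequest>
  <ProfileID>caEncUserCert</ProfileID>
  <Input id="i1">
    <Attribute name="cert_request_type">
      <Value></Value>
    </Attribute>
    <Attribute name="cert_request">
      <Value></Value>
    </Attribute>
    <Attribute name="sn_cn">
      <Value></Value>
    </Attribute>
  </Input>
</CertEnrollmentRequest>
EOF
}
```

After sourcing the functions, `fill_template csr "<your cn value>" encuser.xml` replaces the manual edit before step 7; it fails without touching the template if an expected attribute is missing.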

caUserCert profile request using Internet Explorer 10 results in an Invalid request error

Currently, submitting a request with the caUserCert profile from Internet Explorer 10 on Windows 7 results in the "Invalid request" error. The following procedure specifies how to work around this problem.
  1. Go to the Internet Options/Advanced/Security section and uncheck the TLS 1.2 box to connect to the SSL port.
  2. Go to the End Entity page which allows downloading and importing the CA certificate chain. Add the CA certificate to the Trusted CAs list.
  3. Go to Internet Options and enter the Security tab. Add the SSL URL to the Trusted Sites list. Set the security slider to medium high or, alternatively, choose medium or below if trying to troubleshoot problems.
  4. Go to the Compatibility View Settings by clicking the Tools dropdown menu on the right and add the site to the list. Alternatively, enable the view for intranet sites or all sites.
  5. Go to the usual dual use profile enrollment page. The browser will probably issue a warning that a cryptographic operation is about to occur. Accept that by clicking OK. At this point the display should have a drop down list next to the key size list that contains the Communication Service Providers (CSPs). If this list is not empty, attempt an enrollment.

The console does not enable a separate ticking of the Update CRL every time a certificate is revoked or released from hold option

Currently, when setting full and delta CRL schedules, the "Update CRL every time a certificate is revoked or released from hold" option also requires you to fill out the two grace period settings. Thus, in order to select the "Update CRL every time a certificate is revoked or released from hold" option, you need to first select the "Update CRL every" option and enter a number for the "Next update grace period # minutes" box.

Additional steps needed when uninstalling TPS

Due to a known issue, you must perform some additional steps when uninstalling the Token Processing System which were not necessary in earlier versions. See the pkidestroy(8) man page for instructions.