- Issued: 2025-03-31
- Updated: 2025-03-31
RHBA-2025:3401 - Bug Fix Advisory
Synopsis
CA bug fix and enhancement update
Type/Severity
Bug Fix Advisory
Topic
Updated CA packages that fix several bugs and add various enhancements are now available.
Description
Red Hat Certificate System (RHCS) is a complete implementation of an enterprise software system designed to manage enterprise Public Key Infrastructure (PKI) deployments.
Many of the subcomponents that comprise RHCS, such as the Tomcat servlet container, the RESTEasy framework, and the Network Security Services (NSS) libraries, are provided by the base operating system. RHCS only supports the default versions of these subcomponents that ship with Red Hat Enterprise Linux 8.10.
This update fixes the following bugs:
Enhancement(s) and Bug fix(es):
Unable to add TPS profile via TPS UI (BZ1875637)
Cloning KRA with HSM is failing with the error 'auditSigningCert cert-topology-02-KRA KRA is invalid: Invalid certificate: (-8101) Certificate type not approved for application.' in KRA clone debug log (BZ1911262)
ca-profile-add failing for profile with 1day validity (BZ2012873)
Directory authentication plugin requires directory admin password just for user authentication (rhcs-10.8) (BZ2017514)
[RFE] kra-key-find CLI doesn't have the option to fetch keys corresponding to a specific token owner (BZ2045101)
Unable to list/search certificates based on Token ID in the TPS UI (BZ2049901)
Unable to enroll certificate with JSON inputs (BZ2053189)
TPS web UI not accessible using default admin cert (BZ2054227)
certificate decoding - Identifier: 2.5.29.54 / inhibitAnyPolicy "pretty print" is not interpreted (BZ2061596)
<subsystem>-user-membership-add allows adding members that do not exist (BZ2070335)
change the redhat-pki module Summary field to show the product version (BZ2079635)
CVE-2022-2393 redhat-pki:10/pki-core: When using the caServerKeygen_DirUserCert profile, user can get certificates for other UIDs by entering name in Subject field [certificate_system_10] (BZ2101897)
Unable to start PKI subsystems while DS is down (BZ2104161)
CVE-2022-2393 pki-core: When using the caServerKeygen_DirUserCert profile, user can get certificates for other UIDs by entering name in Subject field [rhcs_10.8] (BZ2111476)
pkcs7-encryptedData parsing error (BZ2115765)
Some unusable profiles are present in CA's EE page [RHCS 10.8] (BZ2118663)
"Request in queue" listener no longer listens (BZ2126212)
pki pkcs12-key-del operation converting the hex key to decimal in output result (BZ2127190)
TPS token status cannot be changed from the web UI (BZ2165098)
TPS Not allowing Token Status Change based on Revoke True/False and Hold till last True/False [RHCS 10.8] (BZ2166002)
module install redhat-pki fetching resteasy from RHEL Appstream instead of RHCS repo (BZ2177616)
Unable to use the TPS UI "Token Filter" to filter a list of tokens [RHCS 10.8] (BZ2178816)
Unable to use the TPS UI "Token Filter" to filter a list of tokens [RHCS 10.3] (BZ2179306)
add AES support for TMS server-side keygen on latest HSM / FIPS environment [RHCS 10.8] (BZ2180922)
Coolkey Hardcoded RSA Max Key Size [RHCS 10.6] (BZ2180926)
TPS Not allowing Token Status Change based on Revoke True/False and Hold till last True/False (part 2) [RHCS 10.6] (BZ2181144)
SHA1 is not working with RHCS 10.8 (BZ2182085)
Request id and cert serial num are shown in Dec number instead of hex in Audit logs (BZ2182836)
Generate a CSR in two step installation with non default SKI value in CA config file is failing (BZ2184288)
pki instance creation fails for IPA server in FIPS mode [rhcs-10.8] (BZ2184486)
User-friendly error and error message optimization required at PKI ca-audit-mod --input junk_file.conf instead of 'com.fasterxml.jackson.core.JsonParseException: Unrecognized token' error [rhcs-10.8] (BZ2184488)
PKI CLI operation parses the wrong result for i18n characters like 'OrjanAke' [rhcs-10.8] (BZ2184490)
pki-healthcheck ClonesConnectivyAndDataCheck fails [rhcs-10.8] (BZ2184491)
pki pkcs12-cert-add command failing with 'Unable to validate PKCS #12 file: Digests do not match' exception [rhcs-10.8] (BZ2184493)
IdM Install fails on RHEL 8.5 Beta when DISA STIG is applied [rhcs-10.8] (BZ2184494)
kra-key-retrieve failed to accept xml input format to generate .p12 key through cli [rhcs-10.8] (BZ2184497)
Verify bug #2046023 is resolved on RHCS 10.8 (BZ2184498)
CA installation failing with HSM [rhcs-10.8] (BZ2184504)
Error displayed should be user friendly in case RSNv3 certificate serial number collision [rhcs-10.8] (BZ2184505)
Volkswagen Siemens CardOS M4.4 and 5.0 cards display incorrect status in ESC [rhcs-10.8] (BZ2184508)
[RFE] Random Serial Number v3 Support [rhcs-10.8] (BZ2184509)
CA installation with RSA/PSS signing algorithm is failing with error 'CertificateException: Unable to parse certificate data: java.lang.Exception: java.security.NoSuchProviderException: no such provider: Mozilla-JSS' [rhcs-10.8] (BZ2184510)
PKI cert-fix operation failing [rhcs-10.8] (BZ2184511)
SKI field is not reflected back in generated CSR while performing two step installation [rhcs-10.8] (BZ2184512)
Verify bug #2107336 is resolved on RHCS 10.8 (BZ2184513)
ESC does not detect smart cards and crashes upon launch [rhcs-10.8] (BZ2184516)
Verify bug #1960143 is resolved on RHCS 10.8 (BZ2184518)
ipa cert-request ssl error [rhcs-10.8] (BZ2184520)
Reinstall of the same ipa-replica fails with 'RuntimeError: CA configuration failed.' [rhcs-10.8] (BZ2184521)
[RFE] Provide EST Responder (RFC 7030) [rhcs-10.8] (BZ2184522)
[RFE] Automatic expired certificate purging [rhcs-10.8] (BZ2184523)
JSS cannot be properly initialized after using another NSS-backed security provider [rhcs-10.8] (BZ2184524)
pki-tomcat/kra unable to decrypt when using RSA-OAEP padding in RHEL9 with FIPS enabled [rhcs-10.8] (BZ2184525)
Invalid certificates with creation of subCA (pkispawn single step) [rhcs-10.8] (BZ2184526)
javax.activation and jaxb-api jar files are not found in redhat-pki-0:11.4.0-1 module (BZ2188716)
OCSP Responder signing algorithm displayed twice for first item (BZ2193458)
Implement ServerSide KeyGen Password Complexity Checks for pkcs12 (BZ2196889)
PrettyPrintCert does not properly translate AIA information into a readable format (BZ2203136)
CC: OCSP AddCRLServlet "SEVERE...NOT SUPPORTED" log messages (BZ2203220)
PrettyPrintCert does not properly translate Subject Information Access information into a readable format (BZ2209625)
OCSP responder to serve status check for itself using latest CRL (BZ2229983)
pki_cert_chain_path does not work with cert bundle (BZ2250162)
CRMFPopClient request fails with 'Keypair Generation failed' error with FIPS enabled setup (BZ2250716)
Make key wrapping algorithm configurable between AES-KWP and AES-CBC [RHCS 10.6] (BZ2253677)
CA subsystem failed to start after the In-place update from RHCS 10.4 to 10.8 (BZ2254196)
Generating Keys with no OpsFlagMask set - ThalesHSM integration (BZ2255155)
EMBARGOED CVE-2023-4727 redhat-pki:10/pki-core: dogtag ca: token authentication bypass vulnerability [certificate_system_10.8] (BZ2268351)
pkiconsole prioritizes incompatible version of java openjdk [RHCS 10.6] (BZ2270747)
Token key recovery fails due to incorrect CBC keywrapping algorithm being used when KWP is set (BZ2275139)
pki-server subsystem-cert-export fails when exporting CSR (BZ2276139)
Rename enableOCSP to enableRevocationCheck (BZ2279576)
Enable revocation verification using CRL-DP (BZ2279577)
CC: Need to fail CRL-dp cert validation when the CRL signer is missing CRLsign Key Usage in cert (BZ2283835)
CC: Need adequate audit message for case when OCSPsign EKU is missing from the OCSP signer cert (BZ2283840)
CC: Need adequate audit message for case when OCSPsign EKU is missing from the OCSP signer cert (BZ2283842)
EST: Add installation support with pkispawn (BZ2307330)
pki-server instance-externalcert-add failure message not clear when missing trust args (BZ2313660)
Cloned CA not adhering to NextRange for serial numbers (BZ2327302)
Command pki-server subsystem-cert-find fails with error ERROR: object of type 'generator' has no len() (BZ2327705)
CA installation is failing with AVC denial (read) comm="java" name="conf" error (BZ2329318)
Error message for exhausted request range displays hexadecimal serial number from wrong variable as the maximum (BZ2332610)
PKI debug log rotation not working (BZ2332976)
Admin certificate (ca_admin_cert.p12) not updated correctly in multiple CA installations (BZ2341931)
Legacy endpoint '/ca/ug' is not available [RHCS 10.8] (BZ2342330)
Pkidestroy should remove all subsystems and "pkiserver instance-find" should show no subsystems left (BZ2342383)
Cert fix operation fails with - ERROR: 'Namespace' object has no attribute 'ldap_socket' (BZ2343298)
pkiconsole has incorrect sizing of buttons and missing button text (BZ2350123)
java-17-openjdk is not installed as a dependency for redhat-pki-console (BZ2350212)
Typos in user messages related to serial management V2 (BZ2350218)
EST: matching client auth cert with CSR (BZ2350630)
TPS subsystem cert unable to unwrap shared secret and TPS install fails with pki_import_shared_secret=True config (BZ2351094)
Users of Red Hat Certificate System are advised to upgrade to these updated packages.
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
Affected Products
- Red Hat Certificate System 10.8 x86_64
Fixes
- BZ - 2127190 - pki pkcs12-key-del operation converting the hex key to decimal in output result
- BZ - 2177616 - module install redhat-pki fetching resteasy from RHEL Appstream instead of RHCS repo
- BZ - 2178816 - Unable to use the TPS UI "Token Filter" to filter a list of tokens [RHCS 10.8]
- BZ - 2196889 - Implement ServerSide KeyGen Password Complexity Checks for pkcs12
- BZ - 2327302 - Cloned CA not adhering to NextRange for serial numbers
- BZ - 2350630 - EST: matching client auth cert with CSR
CVEs
(none)
References
(none)
Red Hat Certificate System 10.8
SRPM | SHA-256 |
---|---|
apache-commons-logging-1.2-33.module+el8pki+22719+1e38f097.src.rpm | SHA-256: b977889bc090c113357be44fdf72dce49515a651d027a42a9d40fd2798db108b |
jss-5.6.0-2.module+el8pki+22942+ec484924.src.rpm | SHA-256: 1a1eecf74d57b139999447eb76befdc8a1df1ec234c74cb79942d3768dea4bbd |
ldapjdk-5.6.0-2.module+el8pki+22942+ec484924.src.rpm | SHA-256: edce584631391ff6db3ca64d43d6bd92b7e4c971e9aae8512354dea7b224bd0e |
redhat-pki-11.6.1-2.module+el8pki+22942+ec484924.src.rpm | SHA-256: aa1263a98a62ffc6cbd15cc3183c1df404cbaca46d89395f58259c900d2c60f9 |

x86_64 | SHA-256 |
---|---|
apache-commons-logging-1.2-33.module+el8pki+22719+1e38f097.noarch.rpm | SHA-256: a217adf346de4a8cb52f11c6b42906bd05440af98cb359d5e900e10c385687ed |
apache-commons-logging-javadoc-1.2-33.module+el8pki+22719+1e38f097.noarch.rpm | SHA-256: 7720a7126bc9d1c93fdda97bbef1075eadb1abc99b4b3821aa14c47d2db328b8 |
jss-debuginfo-5.6.0-2.module+el8pki+22942+ec484924.x86_64.rpm | SHA-256: 8481dbcc0ba09957800e68940bc161158b04b637baa3ca4037ebabf1abea8da6 |
jss-debugsource-5.6.0-2.module+el8pki+22942+ec484924.x86_64.rpm | SHA-256: 6f5021627ddfabec14a43ca711547ceeb1dedb4deb91936d70dc53632826ee49 |
python3-redhat-pki-11.6.1-2.module+el8pki+22942+ec484924.noarch.rpm | SHA-256: a8cb3c571ecb1050a80376dd6aca624e87c9aa87093026a300292ba6b2efc3b1 |
redhat-jss-5.6.0-2.module+el8pki+22942+ec484924.x86_64.rpm | SHA-256: a326f70b5c51249bbb454370e0bee74a731a19737f1f60ec5ed4184473f74b4d |
redhat-jss-debuginfo-5.6.0-2.module+el8pki+22942+ec484924.x86_64.rpm | SHA-256: acdb6457a226e9baf9b3d0fb29e99f3fbed9d683f7222cdfd3bc3b76ced7d247 |
redhat-jss-javadoc-5.6.0-2.module+el8pki+22942+ec484924.x86_64.rpm | SHA-256: bba22bc5b2f62f12b52214da82baa128ec466e49d1993723d3ff74def76a01f0 |
redhat-jss-tomcat-5.6.0-2.module+el8pki+22942+ec484924.x86_64.rpm | SHA-256: c07819fc43839720e462b7b4491ddd137302dd21726e023d7efee6ff873099e9 |
redhat-jss-tools-5.6.0-2.module+el8pki+22942+ec484924.x86_64.rpm | SHA-256: f24c5ed15ebcfb2dd10a82022a1b1b3b8abfb1c0c3a7f3cb70765577811a1db5 |
redhat-jss-tools-debuginfo-5.6.0-2.module+el8pki+22942+ec484924.x86_64.rpm | SHA-256: 417198487cd119ff39abf399ea1683f2f5b666c93a6a1467ff9d8099747f19d8 |
redhat-ldapjdk-5.6.0-2.module+el8pki+22942+ec484924.noarch.rpm | SHA-256: 9e2b277f7521e6b01e6568735a2eb4395b2341c41083207078aa0d0143b5e28a |
redhat-ldapjdk-javadoc-5.6.0-2.module+el8pki+22942+ec484924.noarch.rpm | SHA-256: eee38613212186a416f4850d8a4ebe660f2143ab89dcde4ff91345b4fd0d5b95 |
redhat-pki-11.6.1-2.module+el8pki+22942+ec484924.x86_64.rpm | SHA-256: dc34c419f5de8d5ad43530acf3d602288e4402f2dd480eafbace83c2a4add458 |
redhat-pki-acme-11.6.1-2.module+el8pki+22942+ec484924.noarch.rpm | SHA-256: 9e566ed8988e01d7e2856f4541ae3a6f8f2d0ad70eff46c09d4b031b00effb97 |
redhat-pki-base-11.6.1-2.module+el8pki+22942+ec484924.noarch.rpm | SHA-256: 83ec25b5bd2b52a8273541d5e125daa34dfbae2523116b2db309f681327299a8 |
redhat-pki-ca-11.6.1-2.module+el8pki+22942+ec484924.noarch.rpm | SHA-256: 2300d8676bf7dfdb3115ab5002612e26fefd233e92ab4e2c9f7ab5a0a15480a8 |
redhat-pki-console-11.6.1-2.module+el8pki+22942+ec484924.noarch.rpm | SHA-256: 2d6956c279ca438aa81ef579d9a8127be8e672008ec61a22d6b5e80f5e382c6b |
redhat-pki-console-theme-11.6.1-2.module+el8pki+22942+ec484924.noarch.rpm | SHA-256: 7fbe74e33ac4807b0c208a76ecb176f571908424eb4bf29b05658f09c845c05a |
redhat-pki-debugsource-11.6.1-2.module+el8pki+22942+ec484924.x86_64.rpm | SHA-256: 4817720557e120effdd2d85fbcc16b56d01edfc6b3034373c37262fa5835aed9 |
redhat-pki-est-11.6.1-2.module+el8pki+22942+ec484924.noarch.rpm | SHA-256: 2def7302c0a02f2a7a7fccc86bfadbe3495aa88ba97d16d778d6976aecb29d77 |
redhat-pki-java-11.6.1-2.module+el8pki+22942+ec484924.noarch.rpm | SHA-256: 28c4f1a42065da5d6214d1611f98eab562229f6db3d124e4027766e4339c1acc |
redhat-pki-javadoc-11.6.1-2.module+el8pki+22942+ec484924.noarch.rpm | SHA-256: c019cebbfa9c84acf8e17edae93f6706298b68c7148231eb76eacf2e78e95f57 |
redhat-pki-kra-11.6.1-2.module+el8pki+22942+ec484924.noarch.rpm | SHA-256: 7b7daff6e89b585636e5c66dfef0de7347706500fb2747e00b096fadca5a2e3c |
redhat-pki-ocsp-11.6.1-2.module+el8pki+22942+ec484924.noarch.rpm | SHA-256: d49be4110379a4c755e8fbe05e495205b4e073b27eb660a195c64d6f9cc60f89 |
redhat-pki-server-11.6.1-2.module+el8pki+22942+ec484924.noarch.rpm | SHA-256: 866c06b69e2eb0b3c131cdff90382e9f9fe2e6a6e8f4c84970ff270ea77c2602 |
redhat-pki-theme-11.6.1-2.module+el8pki+22942+ec484924.noarch.rpm | SHA-256: 5fe221c05fd8b15cbde06a5e31e9bbab3db8a5a4a90f9e070cade7bbf3cee163 |
redhat-pki-tks-11.6.1-2.module+el8pki+22942+ec484924.noarch.rpm | SHA-256: 2a73fa168bf728f85b4a1238d2db50b26318446652036274ac231d45267001af |
redhat-pki-tools-11.6.1-2.module+el8pki+22942+ec484924.x86_64.rpm | SHA-256: 1266a42775693ef04dbf5335c738fbeaadf8746deacd5bdc96ea4a5df582a660 |
redhat-pki-tools-debuginfo-11.6.1-2.module+el8pki+22942+ec484924.x86_64.rpm | SHA-256: ea3f7641d328d46635356de7f9a1e42aa87e59bcbe67f159b89099c0866ae7bf |
redhat-pki-tps-11.6.1-2.module+el8pki+22942+ec484924.noarch.rpm | SHA-256: d7bc6f6bd12913717e117269c0cde8ddc617d9881c205b0da392ec57f1e85c4a |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.