CVE-2015-5284

Summary

The ipa-kra-install command, which configures KRA for IPA, writes the CA agent certificate and private key to a world-readable file, /etc/httpd/alias/kra-agent.pem. This allows local users on an IPA server where ipa-kra-install was run to issue arbitrary certificates with the IPA CA.

Affected Versions

4.2.0 and 4.2.1

Impact

Important

Fixed in Versions

4.2.2

Manual Instructions

Uninstall KRA and remove /etc/httpd/alias/kra-agent.pem on all IPA servers:

# ipa-kra-install --uninstall
# rm -f /etc/httpd/alias/kra-agent.pem

Create a new CA agent certificate and private key on the CA master IPA server:

Use the following command to identify which IPA server is the CA master:

$ ldapsearch -H ldap://$HOSTNAME -D 'cn=Directory Manager' -W -b cn=masters,cn=ipa,cn=etc,BASE_DN '(ipaConfigString=caRenewalMaster)' dn

``BASE_DN`` is the LDAP base DN configured for your IPA domain; its value is in /etc/ipa/default.conf, in the [global] section under the basedn key.

Find the subject name and serial number of the CA agent certificate:

# pki cert-find --name 'IPA RA' --status VALID
---------------
1 entries found
---------------
  Serial Number: OLD_SERIAL
  Subject DN: SUBJECT
  Status: VALID
  Type: X.509 version 3
  Key Algorithm: PKCS #1 RSA with 2048-bit key
  Not Valid Before: Tue Oct 06 12:45:01 CEST 2015
  Not Valid After: Mon Sep 25 12:45:01 CEST 2017
  Issued On: Tue Oct 06 13:22:14 CEST 2015
  Issued By: ipara
----------------------------
Number of entries returned 1
----------------------------

Note the subject name and serial number in the output of this command.

Create a new temporary NSS database:

# mkdir /root/tmpdb
# certutil -d /root/tmpdb -N
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.
Enter new password:
Re-enter password:

Create a new CA agent private key and certificate request:

# certutil -d /root/tmpdb -R -k rsa -g 2048 -s 'SUBJECT' -o /root/ca-agent.csr
Enter Password or Pin for "NSS Certificate DB":
A random seed must be generated that will be used in the
creation of your key.  One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.
To begin, type keys on the keyboard until this progress meter
is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
Continue typing until the progress meter is full:
|************************************************************|
Finished.  Press enter to continue:
Generating key.  This may take a few moments...

Request a new CA agent certificate from the CA:

# curl "http://$HOSTNAME:8080/ca/ee/ca/profileSubmit" --data-urlencode profileId=caServerCert --data-urlencode cert_request_type=pkcs10 --data-urlencode requestor_name="IPA Installer" --data-urlencode cert_request="$(base64 -w 0 /root/ca-agent.csr)" --data-urlencode xmlOutput=true
<XMLResponse><Status>2</Status><Error>Request Deferred - {0}</Error><RequestId>REQUEST_ID</RequestId></XMLResponse>

Note the request ID in the output of this command, inside the <RequestId> tag.

Issue the new CA agent certificate:

# pki -d /etc/httpd/alias -C /etc/httpd/alias/pwdfile.txt -n ipaCert cert-request-review REQUEST_ID --action approve
-------------------------------
Approved certificate request REQUEST_ID
-------------------------------
  Request ID: REQUEST_ID
  Type: enrollment
  Request Status: complete
  Operation Result: success
  Certificate ID: NEW_SERIAL

Note the serial number in the output of this command (shown as “Certificate ID”).

Revoke the old CA agent certificate:

# pki -d /etc/httpd/alias -C /etc/httpd/alias/pwdfile.txt -n ipaCert cert-revoke OLD_SERIAL --reason Key_Compromise
Revoking certificate:
  Serial Number: OLD_SERIAL
  Issuer: ISSUER
  Subject: SUBJECT
  Status: VALID
  Not Before: Tue Oct 06 08:44:30 CEST 2015
  Not After: Mon Sep 25 08:44:30 CEST 2017
Are you sure (Y/N)? y
-------------------------
Revoked certificate "OLD_SERIAL"
-------------------------
  Serial Number: OLD_SERIAL
  Issuer: ISSUER
  Subject: SUBJECT
  Status: REVOKED
  Not Before: Tue Oct 06 08:44:30 CEST 2015
  Not After: Mon Sep 25 08:44:30 CEST 2017

Retrieve the new CA agent certificate from the CA:

# pki cert-show NEW_SERIAL --output /root/ca-agent.crt
-----------------
Certificate "NEW_SERIAL"
-----------------
  Serial Number: NEW_SERIAL
  Issuer: ISSUER
  Subject: SUBJECT
  Status: VALID
  Not Before: Tue Oct 06 12:45:01 CEST 2015
  Not After: Mon Sep 25 12:45:01 CEST 2017

Note the issuer name and subject name in the output of this command.

Replace the old CA agent certificate in LDAP:

# openssl x509 -in /root/ca-agent.crt -out /root/ca-agent.der -outform DER
# ldapmodify -H ldap://$HOSTNAME -D 'cn=Directory Manager' -W
Enter LDAP Password:
dn: uid=ipara,ou=people,o=ipaca
changetype: modify
replace: userCertificate
userCertificate:< file:///root/ca-agent.der
-
replace: description
description: 2;NEW_SERIAL_DEC;ISSUER;SUBJECT

dn: cn=ipaCert,cn=ca_renewal,cn=ipa,cn=etc,BASE_DN
changetype: modify
replace: userCertificate
userCertificate:< file:///root/ca-agent.der

``NEW_SERIAL_DEC`` is ``NEW_SERIAL`` converted from hexadecimal to decimal. The second modification (cn=ipaCert,cn=ca_renewal,cn=ipa,cn=etc,``BASE_DN``) may fail with a "No such object" error; this can be safely ignored.
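The ldapmodify input above is easy to get wrong by hand (decimal serial, the leading ``2;``, field order). The following Python is an added example, not part of this advisory or of FreeIPA's own tooling: it parses the ``pki cert-show`` output shown earlier and renders the LDIF; the certificate values in ``SAMPLE_CERT_SHOW`` are constructed placeholders, and the DER path and base DN are assumed parameters.

```python
import re

# Constructed sample in the shape of the `pki cert-show` output above; the
# serial, issuer and subject are placeholders, not values from a real CA.
SAMPLE_CERT_SHOW = """\
Certificate "0x1f"
  Serial Number: 0x1f
  Issuer: CN=Certificate Authority,O=EXAMPLE.TEST
  Subject: CN=IPA RA,O=EXAMPLE.TEST
  Status: VALID
"""


def parse_cert_show(text):
    """Extract Serial Number, Issuer and Subject from `pki cert-show` output."""
    fields = {}
    for key in ("Serial Number", "Issuer", "Subject"):
        m = re.search(r"^\s*%s:\s*(.+?)\s*$" % re.escape(key), text, re.M)
        if m is None:
            raise ValueError("field not found in cert-show output: " + key)
        fields[key] = m.group(1)
    return fields


def ra_description(serial_hex, issuer, subject):
    """Value for the uid=ipara description attribute: 2;<serial decimal>;<issuer>;<subject>.
    pki prints the serial in hex ("0x1f"); IPA stores it in decimal."""
    return "2;%d;%s;%s" % (int(serial_hex, 16), issuer, subject)


def build_ldif(cert_show_text, base_dn, der_path="/root/ca-agent.der"):
    """Render the two ldapmodify records from the advisory, separated by a blank line."""
    f = parse_cert_show(cert_show_text)
    desc = ra_description(f["Serial Number"], f["Issuer"], f["Subject"])
    return (
        "dn: uid=ipara,ou=people,o=ipaca\n"
        "changetype: modify\n"
        "replace: userCertificate\n"
        "userCertificate:< file://%s\n"
        "-\n"
        "replace: description\n"
        "description: %s\n"
        "\n"
        "dn: cn=ipaCert,cn=ca_renewal,cn=ipa,cn=etc,%s\n"
        "changetype: modify\n"
        "replace: userCertificate\n"
        "userCertificate:< file://%s\n"
    ) % (der_path, desc, base_dn, der_path)
```

Feed the real ``pki cert-show`` output and your base DN to ``build_ldif`` and pipe the result into ``ldapmodify``.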

Create a PKCS#12 file with the new CA agent private key and certificate:

# certutil -d /root/tmpdb -A -n ipaCert -t ,, -a -i /root/ca-agent.crt
# pk12util -o /root/ca-agent.p12 -n ipaCert -d /root/tmpdb
Enter Password or Pin for "NSS Certificate DB":
Enter password for PKCS12 file:
Re-enter password:
pk12util: PKCS12 EXPORT SUCCESSFUL

Replace the old CA agent certificate and private key in /etc/httpd/alias with the new CA agent certificate and private key:

# certutil -d /etc/httpd/alias -D -n ipaCert
# pk12util -i /root/ca-agent.p12 -d /etc/httpd/alias -k /etc/httpd/alias/pwdfile.txt
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL

Restart httpd:

# systemctl restart httpd

Import the new CA agent certificate and private key on the remaining IPA servers:

  1. Copy /root/ca-agent.p12 from the CA master IPA server to the current IPA server.

  2. Replace the old CA agent certificate and private key in /etc/httpd/alias with the new CA agent certificate and private key:

     # certutil -d /etc/httpd/alias -D -n ipaCert
     # pk12util -i /root/ca-agent.p12 -d /etc/httpd/alias -k /etc/httpd/alias/pwdfile.txt
     Enter password for PKCS12 file:
     pk12util: PKCS12 IMPORT SUCCESSFUL

  3. Restart httpd:

     # systemctl restart httpd

More Information

For more information see