CVE-2015-5284
Summary
The ipa-kra-install command, which configures KRA for IPA, puts the CA agent certificate and private key in a world-readable file, /etc/httpd/alias/kra-agent.pem. This allows users on an IPA server where ipa-kra-install was run to issue arbitrary certificates with the IPA CA.
Affected Versions
Impact
Important
Fixed in Versions
Manual Instructions
Uninstall KRA and remove /etc/httpd/alias/kra-agent.pem on all IPA servers:
# ipa-kra-install --uninstall
# rm -f /etc/httpd/alias/kra-agent.pem
Create new CA agent certificate and private key on the CA master IPA server:
Use the following command to identify which IPA server is the CA master:
$ ldapsearch -H ldap://$HOSTNAME -D 'cn=Directory Manager' -W -b cn=masters,cn=ipa,cn=etc,BASE_DN '(ipaConfigString=caRenewalMaster)' dn
BASE_DN is the LDAP base DN configured for your IPA domain; you can find its value in /etc/ipa/default.conf in the [global] section under the basedn key.
Find the subject name and serial number of the CA agent certificate:
# pki cert-find --name 'IPA RA' --status VALID
---------------
1 entries found
---------------
Serial Number: OLD_SERIAL
Subject DN: SUBJECT
Status: VALID
Type: X.509 version 3
Key Algorithm: PKCS #1 RSA with 2048-bit key
Not Valid Before: Tue Oct 06 12:45:01 CEST 2015
Not Valid After: Mon Sep 25 12:45:01 CEST 2017
Issued On: Tue Oct 06 13:22:14 CEST 2015
Issued By: ipara
----------------------------
Number of entries returned 1
----------------------------
Note the subject name and serial number in the output of this command.
Create new temporary NSS database:
# mkdir /root/tmpdb
# certutil -d /root/tmpdb -N
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.
Enter new password:
Re-enter password:
Create new CA agent private key and certificate request:
# certutil -d /root/tmpdb -R -k rsa -g 2048 -s 'SUBJECT' -o /root/ca-agent.csr
Enter Password or Pin for "NSS Certificate DB":
A random seed must be generated that will be used in the
creation of your key. One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.
To begin, type keys on the keyboard until this progress meter
is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
Continue typing until the progress meter is full:
|************************************************************|
Finished. Press enter to continue:
Generating key. This may take a few moments...
Request new CA agent certificate from the CA:
# curl "http://$HOSTNAME:8080/ca/ee/ca/profileSubmit" --data-urlencode profileId=caServerCert --data-urlencode cert_request_type=pkcs10 --data-urlencode requestor_name="IPA Installer" --data-urlencode cert_request="$(base64 -w 0 /root/ca-agent.csr)" --data-urlencode xmlOutput=true
2Request Deferred - {0} REQUEST_ID
Note the request id in the output of this command, inside the <RequestId> tag.
Issue the new CA agent certificate:
# pki -d /etc/httpd/alias -C /etc/httpd/alias/pwdfile.txt -n ipaCert cert-request-review REQUEST_ID --action approve
-------------------------------
Approved certificate request REQUEST_ID
-------------------------------
Request ID: REQUEST_ID
Type: enrollment
Request Status: complete
Operation Result: success
Certificate ID: NEW_SERIAL
Note the serial number in the output of this command (shown as “Certificate ID”).
Revoke the old CA agent certificate:
# pki -d /etc/httpd/alias -C /etc/httpd/alias/pwdfile.txt -n ipaCert cert-revoke OLD_SERIAL --reason Key_Compromise
Revoking certificate:
Serial Number: OLD_SERIAL
Issuer: ISSUER
Subject: SUBJECT
Status: VALID
Not Before: Tue Oct 06 08:44:30 CEST 2015
Not After: Mon Sep 25 08:44:30 CEST 2017
Are you sure (Y/N)? y
-------------------------
Revoked certificate "OLD_SERIAL"
-------------------------
Serial Number: OLD_SERIAL
Issuer: ISSUER
Subject: SUBJECT
Status: REVOKED
Not Before: Tue Oct 06 08:44:30 CEST 2015
Not After: Mon Sep 25 08:44:30 CEST 2017
Retrieve the new CA agent certificate from the CA:
# pki cert-show NEW_SERIAL --output /root/ca-agent.crt
-----------------
Certificate "NEW_SERIAL"
-----------------
Serial Number: NEW_SERIAL
Issuer: ISSUER
Subject: SUBJECT
Status: VALID
Not Before: Tue Oct 06 12:45:01 CEST 2015
Not After: Mon Sep 25 12:45:01 CEST 2017
Note the issuer name and subject name in the output of this command.
Replace the old CA agent certificate in LDAP:
# openssl x509 -in /root/ca-agent.crt -out /root/ca-agent.der -outform DER
# ldapmodify -H ldap://$HOSTNAME -D 'cn=Directory Manager' -W
Enter LDAP Password:
dn: uid=ipara,ou=people,o=ipaca
changetype: modify
replace: userCertificate
userCertificate:< file:///root/ca-agent.der
-
replace: description
description: 2; NEW_SERIAL_DEC ; ISSUER ; SUBJECT

dn: cn=ipaCert,cn=ca_renewal,cn=ipa,cn=etc, BASE_DN
changetype: modify
replace: userCertificate
userCertificate:< file:///root/ca-agent.der
NEW_SERIAL_DEC is NEW_SERIAL converted from hexadecimal to decimal. The second mod (cn=ipaCert,cn=ca_renewal,cn=ipa,cn=etc,BASE_DN) may fail with a “No such object” error, which can be safely ignored.
Create a PKCS#12 file with the new CA agent private key and certificate:
# certutil -d /root/tmpdb -A -n ipaCert -t ,, -a -i /root/ca-agent.crt
# pk12util -o /root/ca-agent.p12 -n ipaCert -d /root/tmpdb
Enter Password or Pin for "NSS Certificate DB":
Enter password for PKCS12 file:
Re-enter password:
pk12util: PKCS12 EXPORT SUCCESSFUL
Replace the old CA agent certificate and private key in /etc/httpd/alias with the new CA agent certificate and private key:
# certutil -d /etc/httpd/alias -D -n ipaCert
# pk12util -i /root/ca-agent.p12 -d /etc/httpd/alias -k /etc/httpd/alias/pwdfile.txt
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL
Restart httpd:
# systemctl restart httpd
Import the new CA agent certificate and private key on the remaining IPA servers:
Copy /root/ca-agent.p12 from the CA master IPA server to the current IPA server.
Replace the old CA agent certificate and private key in /etc/httpd/alias with the new CA agent certificate and private key:
# certutil -d /etc/httpd/alias -D -n ipaCert
# pk12util -i /root/ca-agent.p12 -d /etc/httpd/alias -k /etc/httpd/alias/pwdfile.txt
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL
Restart httpd:
# systemctl restart httpd
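The following helpers are an added example, not part of the FreeIPA advisory: after completing the steps above they let an administrator confirm on each server that the leaked file is gone (and flag it if it is still world-readable), convert the hexadecimal serial printed by pki into the decimal NEW_SERIAL_DEC form, and pull the Status field out of pki cert-show output to confirm the old serial is REVOKED. Function names and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the advisory). Post-remediation checks for CVE-2015-5284.
# Function names and sample values below are constructed for illustration.

# Return 0 when PATH is absent (the expected state after remediation), 1 when it
# still exists; report the mode and flag world-readability, the root cause here.
kra_agent_pem_check() {
    path="${1:-/etc/httpd/alias/kra-agent.pem}"
    if [ ! -e "$path" ]; then
        echo "OK: $path is absent"
        return 0
    fi
    # GNU stat first, BSD stat as fallback
    mode=$(stat -c '%a' "$path" 2>/dev/null) || mode=$(stat -f '%Lp' "$path")
    others=$(printf '%s' "$mode" | tail -c 1)
    case "$others" in
        4|5|6|7) echo "FAIL: $path exists and is world-readable (mode $mode)" ;;
        *)       echo "FAIL: $path still exists (mode $mode); remove it" ;;
    esac
    return 1
}

# Convert the hexadecimal serial shown by 'pki' (with or without a 0x prefix) into
# the decimal value the LDAP description attribute expects (NEW_SERIAL_DEC).
serial_hex_to_dec() {
    h=${1#0x}
    echo $(( 0x$h ))
}

# Read 'pki cert-show' output on stdin and print the Status field, so the old
# serial can be confirmed REVOKED and the new one VALID after the rotation.
cert_status() {
    sed -n 's/^[[:space:]]*Status: *//p' | head -n 1
}

# Constructed sample of 'pki cert-show OLD_SERIAL' output (not a real serial).
SAMPLE_SHOW='  Serial Number: 0x1f
  Issuer: CN=Certificate Authority,O=EXAMPLE.TEST
  Subject: CN=IPA RA,O=EXAMPLE.TEST
  Status: REVOKED'
```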
More Information
For more information see