katello-certs-check utility fails because the certificate does not allow for the Digital Signature key usage.

Solution Verified - Updated

Environment

  • Red Hat Satellite 6

Issue

  • What is the process for creating a CSR file for Satellite 6?
  • katello-certs-check fails on the Digital Signature key usage.
  • How do I generate a new CSR with key usage?
Checking Key Usage extension on certificate for Key Encipherment
[FAIL]

Resolution

  • Add digitalSignature to keyUsage in an OpenSSL configuration file
# touch server_v3.ext 

# edit server_v3.ext   <--- Add the lines below
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
x509_extensions = usr_cert
prompt = no

[req_distinguished_name]
# Replace each description below with your own value
C =   Country Name (2 letter code)
ST = State or Province Name (full name)
L =   Locality Name (eg, city)
O =  Organization Name (eg, company)
OU = The division of your organization handling the certificate.
CN = The fully qualified domain name (FQDN) of your server.

[v3_req]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection

[ usr_cert ]
basicConstraints=CA:FALSE
nsCertType                      = client, server, email
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
nsComment                       = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
  • Run the command below to create the CSR file using the above keyUsage settings
# openssl req -new -nodes -out `hostname -f`.csr -keyout `hostname -f`.key -config server_v3.ext 
  • Once done, send the CSR file to your CA to have the server certificate signed.

For more KB articles/solutions related to Red Hat Satellite 6.x SSL Certificates Issues, please refer to the Consolidated Troubleshooting Article for Red Hat Satellite 6.x SSL Certificates Issues

Root Cause

  • keyUsage was missing in the certificates.

Diagnostic Steps

  • Check the Satellite server certificate
# openssl x509 -text -in /root/sat_certs/satellite.crt -noout | grep -A1 "Key Usage"
  • Check the Satellite CSR
# openssl req -text -in /root/sat_certs/satellite.csr -noout | grep -A1 "Key Usage"
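
The two checks above can be scripted so that a missing usage is reported by name instead of read off the grep output. This is an added example, not part of the original article or of Red Hat's tooling; the function names are hypothetical, the sample text is constructed, and the required set is assumed to be the two usages named on this page.

```shell
#!/bin/sh
# Added example, not Red Hat tooling. Reads `openssl x509 -text` or
# `openssl req -text` output on stdin and lists missing Key Usage values.
# Assumption: the required values are the two named on this page.
REQUIRED_USAGES="Digital Signature|Key Encipherment"

# Print the value line under "X509v3 Key Usage:" (never "Extended Key Usage").
key_usage_line() {
    awk '/X509v3 Key Usage:/ {
        getline
        sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "")
        print; exit
    }'
}

# Print each missing usage on its own line; return 1 if any is missing.
# An absent extension (this article's root cause) reports every usage.
missing_key_usages() {
    usage=$(key_usage_line)
    rc=0
    old_ifs=$IFS; IFS='|'
    for want in $REQUIRED_USAGES; do
        case ", $usage," in
            *", $want,"*) ;;
            *) echo "$want"; rc=1 ;;
        esac
    done
    IFS=$old_ifs
    return $rc
}

# Constructed sample: extension text for a CSR that lacks digitalSignature.
SAMPLE_BAD='            X509v3 Key Usage:
                Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication'

# Demo on the constructed sample. Real use:
#   openssl req -text -noout -in /root/sat_certs/satellite.csr | missing_key_usages
printf '%s\n' "$SAMPLE_BAD" | missing_key_usages || echo "[FAIL] usages above are missing"
```

Matching on the full `X509v3 Key Usage:` label matters because a plain `grep "Key Usage"` also matches the Extended Key Usage line, whose values do not satisfy this check.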

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.