[ol7_latest_archive] pki-ca-10.4.1-13.el7_4.noarch

Name:	pki-ca
Version:	10.4.1
Release:	13.el7_4
Architecture:	noarch
Group:	System Environment/Daemons
Size:	2359449
License:	GPLv2
RPM:	pki-ca-10.4.1-13.el7_4.noarch.rpm
Source RPM:	pki-core-10.4.1-13.el7_4.src.rpm
Build Date:	Tue Sep 05 2017
Build Host:	x86-ol7-builder-01.us.oracle.com
Vendor:	Oracle America
URL:	http://pki.fedoraproject.org/
Summary:	Certificate System - Certificate Authority
Description:	The Certificate Authority (CA) is a required PKI subsystem which issues, renews, revokes, and publishes certificates as well as compiling and publishing Certificate Revocation Lists (CRLs). The Certificate Authority can be configured as a self-signing Certificate Authority, where it is the root CA, or it can act as a subordinate CA, where it obtains its own signing certificate from a public CA. This package is one of the top-level java-based Tomcat PKI subsystems provided by the PKI Core used by the Certificate System. ================================== \|\| ABOUT "CERTIFICATE SYSTEM" \|\| ================================== Certificate System (CS) is an enterprise software system designed to manage enterprise Public Key Infrastructure (PKI) deployments. PKI Core contains ALL top-level java-based Tomcat PKI components: * pki-symkey * pki-base * pki-base-python2 (alias for pki-base) * pki-base-python3 * pki-base-java * pki-tools * pki-server * pki-ca * pki-kra * pki-ocsp * pki-tks * pki-tps * pki-javadoc which comprise the following corresponding PKI subsystems: * Certificate Authority (CA) * Key Recovery Authority (KRA) * Online Certificate Status Protocol (OCSP) Manager * Token Key Service (TKS) * Token Processing Service (TPS) Python clients need only install the pki-base package. This package contains the python REST client packages and the client upgrade framework. Java clients should install the pki-base-java package. This package contains the legacy and REST Java client packages. These clients should also consider installing the pki-tools package, which contain native and Java-based PKI tools and utilities. Certificate Server instances require the fundamental classes and modules in pki-base and pki-base-java, as well as the utilities in pki-tools. The main server classes are in pki-server, with subsystem specific Java classes and resources in pki-ca, pki-kra, pki-ocsp etc. Finally, if Certificate System is being deployed as an individual or set of standalone rather than embedded server(s)/service(s), it is strongly recommended (though not explicitly required) to include at least one PKI Theme package: * dogtag-pki-theme (Dogtag Certificate System deployments) * dogtag-pki-server-theme * redhat-pki-server-theme (Red Hat Certificate System deployments) * redhat-pki-server-theme * customized pki theme (Customized Certificate System deployments) * <customized>-pki-server-theme NOTE: As a convenience for standalone deployments, top-level meta packages may be provided which bind a particular theme to these certificate server packages.

Changelog (Show File list) (Show related packages)

Mon Aug 21 2017 Dogtag Team <pki-devel@redhat.com> 10.4.1-13

- Resolves: rhbz #1463350
- ##########################################################################
- RHEL 7.4:
- ##########################################################################
- Bugzilla Bug #1463350 - Access banner validation (edewata)
  [pki-core-server-access-banner-retrieval-validation.patch]

Wed Jul 19 2017 Dogtag Team <pki-devel@redhat.com> 10.4.1-12

- Resolves: rhbz #1472615,1472617,1469447,1463350,1469449,1472619,1464970,1469437,1469439,1469446
- ##########################################################################
- RHEL 7.4:
- ##########################################################################
- Bugzilla Bug #1472615 - CC: allow CA to process pre-signed CMC non-signing
  certificate requests (cfu)
  [PREVIOUS PATCH:  pki-core-beta.patch]
  [PREVIOUS PATCH:  pki-core-snapshot-4.patch]
- Bugzilla Bug #1472617 - CMC: cmc.popLinkWitnessRequired=false would cause
  error (cfu)
  [PREVIOUS PATCH:  pki-core-post-beta.patch]
- Bugzilla Bug #1469447 - CC: CMC: check HTTPS client authentication cert
  against CMC signer (cfu)
  [PREVIOUS PATCH:  pki-core-CMC-check-HTTPS-client-authentication-cert.patch]
- Bugzilla Bug #1463350 - Access banner validation (edewata)
  [pki-core-server-access-banner-validation.patch]
- Bugzilla Bug #1469449 - CC: allow CA to process pre-signed CMC renewal
  non-signing cert requests (cfu)
  [PREVIOUS PATCH:  pki-core-snapshot-1.patch]
  [pki-core-pre-signed-CMC-renewal-UniqueKeyConstraint.patch]
- Bugzilla Bug #1472619 - Platform Dependent Python Import (mharmsen)
  [pki-core-platform-dependent-python-import.patch]
- Bugzilla Bug #1464970 - CC: CMC: replace id-cmc-statusInfo with
  id-cmc-statusInfoV2 (cfu)
  [pki-core-CMC-id-cmc-statusInfoV2.patch]
- Bugzilla Bug #1469437 - subsystem-cert-update command lacks --cert option
  (dmoluguw)
  [pki-core-subsystem-cert-update-CLI-cert-option.patch]
- Bugzilla Bug #1469439 - Fix Key Changeover with HSM to support SCP03
  (jmagne)
  [pki-core-HSM-key-changeover-SCP03-support.patch]
- Bugzilla Bug #1469446 - CC: need CMC enrollment profiles for system
  certificates (cfu)
  [pki-core-system-cert-CMC-enroll-profile.patch]

Mon Jul 17 2017 Dogtag Team <pki-devel@redhat.com> 10.4.1-11

- Resolves: rhbz #1469432
- ##########################################################################
- RHEL 7.4:
- ##########################################################################
- Bugzilla Bug #1469432 - CMC plugin default change
- Resolves CVE-2017-7537
- Fixes BZ #1470948

Mon Jun 19 2017 Dogtag Team <pki-devel@redhat.com> 10.4.1-10

- ##########################################################################
- RHEL 7.4:
- ##########################################################################
- Bugzilla Bug #1458043 - Key recovery on token fails with
  invalid public key error on KRA (alee)
- Bugzilla Bug #1460764 - CC: CMC: check HTTPS client
  authentication cert against CMC signer (cfu)
- Bugzilla Bug #1461533 - Unable to find keys in the p12 file after
  deleting the any of the subsystem certs from it (ftweedal)

Mon Jun 12 2017 Dogtag Team <pki-devel@redhat.com> 10.4.1-9

- ##########################################################################
- RHEL 7.4:
- ##########################################################################
- Bugzilla Bug #1393633 - Creating symmetric key (sharedSecret)
  using tkstool is failing when RHEL 7.3 is in FIPS mode. (jmagne)
- Bugzilla Bug #1419756 - CC: allow CA to process pre-signed CMC
  non-signing certificate requests (cfu)
- Bugzilla Bug #1419777 - CC: allow CA to process pre-signed CMC
   revocation non-signing cert requests (cfu)
- Bugzilla Bug #1458047 - change the way aes clients refer to
  aes keysets (alee)
- Bugzilla Bug #1458055 - dont reuse IVs in the CMC code
  (alee)
- Bugzilla Bug #1460028 - In keywrap mode, key recovery on
  KRA with HSM causes KRA to crash (ftweedal)

Mon Jun 05 2017 Dogtag Team <pki-devel@redhat.com> 10.4.1-8

- Require "selinux-policy-targeted >= 3.13.1-159" as a runtime requirement
- Require "tomcatjss >= 7.2.1-4" as a build and runtime requirement
- ##########################################################################
- RHEL 7.4:
- ##########################################################################
- Bugzilla Bug #1400149 - pkispawn fails to create CA subsystem on FIPS
  enabled system (edewata)
- Bugzilla Bug #1447144 - CA brought down during separate KRA instance
  creation (edewata)
- Bugzilla Bug #1447762 - pkispawn fails occasionally with this failure
  ACCESS_SESSION_ESTABLISH_FAILURE (edewata)
- Bugzilla Bug #1454450 - SubCA installation failure with 2 step
  installation in fips enabled mode (edewata)
- Bugzilla Bug #1456597 - Certificate import using pki client-cert-import
  is asking for password when already provided (edewata)
- Bugzilla Bug #1456940 - Build failure due to Pylint issues (cheimes)
- Bugzilla Bug #1458043 - Key recovery using externalReg fails
  with java null pointer exception on KRA (alee)
- Bugzilla Bug #1458379 - Upgrade script for keepAliveTimeout parameter
  (edewata)
- Bugzilla Bug #1458429 - client-cert-import --ca-cert should
  import CA cert with trust bits "CT,C,C" (edewata)
- ##########################################################################
- RHCS 9.2:
- ##########################################################################
- Bugzilla Bug #1274086 - [RFE] Add SCP03 support (RHCS) (jmagne)

Tue May 30 2017 Dogtag Team <pki-devel@redhat.com> 10.4.1-7

- ##########################################################################
- RHEL 7.4:
- ##########################################################################
- Bugzilla Bug #1393633 - Creating symmetric key (sharedSecret)
  using tkstool is failing when RHEL 7.3 is in FIPS mode. (jmagne)
- Bugzilla Bug #1445519 - CA Server installation with HSM fails
  (jmagne)
- Bugzilla Bug #1452617 - Unable to create IPA Sub CA
  (ftweedal)
- Bugzilla Bug #1454471 - Enabling all subsystems on startup
  (edewata)
- Bugzilla Bug #1455617 - Key recovery on token fails because
  key record is not marked encrypted (alee)

Tue May 23 2017 Dogtag Team <pki-devel@redhat.com> 10.4.1-6

- Bugzilla Bug #1454603 - Unable to install IPA server due to pkispawn error
  (mharmsen)

Mon May 22 2017 Dogtag Team <pki-devel@redhat.com> 10.4.1-5

- ##########################################################################
- RHEL 7.4:
- ##########################################################################
- Bugzilla Bug #1419761 - CC: allow CA to process pre-signed CMC renewal
  non-signing cert requests (cfu)
- Bugzilla Bug #1447080 - CC: CMC: allow enrollment key signed (self-signed)
  CMC with identity proof (cfu)
- Bugzilla Bug #1447144 - CA brought down during separate KRA instance
  creation (mharmsen)
- Bugzilla Bug #1448903 - exception Invalid module "--ignore-banner" when
  defined in ~/.dogtag/pki.conf and run pki pkcs12-import --help (edewata)
- Bugzilla Bug #1450143 - CA installation with HSM in FIPS mode fails (jmagne)
- Bugzilla Bug #1452123 - CA CS.cfg shows default port (mharmsen)
- Bugzilla Bug #1452250 - Inconsistent CERT_REQUEST_PROCESSED event in
  ConnectorServlet. (edewata)
- Bugzilla Bug #1452340 - Ensuring common audit log correctness (edewata)
- Bugzilla Bug #1452344 - Adding serial number into CERT_REQUEST_PROCESSED
  audit event. (edewata)

Tue May 09 2017 Dogtag Team <pki-devel@redhat.com> 10.4.1-4

- ##########################################################################
- RHEL 7.4:
- ##########################################################################
- Bugzilla Bug #1386303 - cannot extract generated private key from KRA when
  HSM is used. (alee)
- Bugzilla Bug #1446364 - pkispawn returns before tomcat is ready (cheimes)
- Bugzilla Bug #1447145 - CMC: cmc.popLinkWitnessRequired=false would cause
  error (cfu)
- Bugzilla Bug #1448203 - CAInfoService: retrieve KRA-related values from
  the KRA (ftweedal)
- Bugzilla Bug #1448204 - pkispawn of clone install fails with
  InvalidBERException (ftweedal)
- Bugzilla Bug #1448521 - kra unable to extract symmetric keys generated on
  thales hsm (alee)
- Updated "jss" build and runtime requirements (mharmsen)
- ##########################################################################
- RHCS 9.2:
- ##########################################################################
- Bugzilla Bug #1274086 - [RFE] Add SCP03 support (RHCS) (jmagne)