Bug #66925

Update Private Key tooltips in new UI

Added by Dru Lavigne 15 days ago. Updated 1 day ago.

Status: Ready for Testing
Priority: No priority
Assignee: Dennis Mullen
Category: GUI (new)
Target version:
Seen in:
Severity: Medium
Reason for Closing:
Reason for Blocked:
Needs QA: Yes
Needs Doc: Yes
Needs Merging: No
Needs Automation: No
Support Suite Ticket: n/a
Hardware Configuration:
ChangeLog Required: No

Description

When a certificate is imported in the system, we do not validate the key size. It should not be less than 1024.

Risk
We risk breaking importing certificates and CAs, and also creating them.

Acceptance Criteria
A certificate and CA of valid lengths should be imported (1024/2048/4096). They should import as desired. Apart from that, we should try importing a certificate of less than 1024 length; if it imports, this should be marked as failed testing.
A certificate of length 512 can be created with the following command:

openssl req -x509 -newkey rsa:512 -keyout key.pem -out cert.pem -nodes -days 365 -subj '/CN=localhost'
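
A pre-import check for the acceptance criteria above, as an added example (not the FreeNAS middleware's code): it reads the RSA key size from a PEM certificate with openssl and rejects anything under 1024 bits. The function names and exit codes are assumptions made for this illustration; the test certificates are constructed with the ticket's own command.

```shell
#!/usr/bin/env bash
# Added example: enforce the ticket's minimum RSA key length before import.
MIN_RSA_BITS=1024   # threshold taken from the ticket description

# Print the RSA key size in bits of a PEM certificate.
# Fails if the file is unreadable or the key is not RSA.
cert_rsa_bits() {
    local text
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 1
    printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption' || return 1
    printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Exit status: 0 = may be imported, 1 = key too short, 2 = not a usable RSA cert.
import_allowed() {
    local bits
    bits=$(cert_rsa_bits "$1") || return 2
    [ -n "$bits" ] || return 2
    [ "$bits" -ge "$MIN_RSA_BITS" ]
}

# Constructed sample input: self-signed test certificate of the given size.
# usage: make_test_cert BITS OUTDIR
make_test_cert() {
    openssl req -x509 -newkey "rsa:$1" -keyout "$2/key$1.pem" \
        -out "$2/cert$1.pem" -nodes -days 365 -subj '/CN=localhost' 2>/dev/null
}

# Generate one certificate per size and report the import decision for each.
demo() {
    local dir bits
    dir=$(mktemp -d) || return 1
    for bits in 512 1024 2048; do
        make_test_cert "$bits" "$dir" || { echo "rsa:$bits generation failed"; continue; }
        if import_allowed "$dir/cert$bits.pem"; then
            echo "rsa:$bits accepted"
        else
            echo "rsa:$bits rejected (below $MIN_RSA_BITS bits)"
        fi
    done
    rm -rf "$dir"
}
demo
```
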


Related issues

Related to FreeNAS - Feature #55986: Add support for ACME certs in new UI (Unscreened)
Copied from FreeNAS - Bug #62892: Disallow import or creation of certificates with key lengths less than 1024 (Ready for Testing)

History

#1 Updated by Dru Lavigne 15 days ago

  • Copied from Bug #62892: Disallow import or creation of certificates with key lengths less than 1024 added

#2 Updated by Dru Lavigne 15 days ago

1. Ensure the new UI enforces this.
2. Ensure the tooltip mentions this.
3. Update the 2 Key Length entries in the Guide (one for CAs, one for Certificates).

#3 Updated by Erin Clark 8 days ago

  • Assignee changed from Erin Clark to Dennis Mullen

#4 Updated by Dennis Mullen 7 days ago

48342

Update: Looks like the work for this ticket is actually done already. The middleware update to screen keys for strength is in 11.2 stable and 11.3, though not in 11.2 RELEASE U1. And it works great on the CA Add page (see screenshot). BUT the Certificate Add page (in 11.3) is failing without an error message when I try to make an Import Cert, whether the credentials are right or wrong. I've been trying to find the cause of that. I feel like if that problem is found, the work in this ticket is already taken care of.

#5 Updated by Dennis Mullen 7 days ago

  • Status changed from Unscreened to In Progress

#6 Updated by Waqar Ahmed 6 days ago

So 11.3 Certificates is probably failing because the methods are jobs there and you have to wait for each job. There was a ticket for that when this change was introduced to Certificate Service in middlewared for new UI. As of the latest nightlies, certificate service calls aren't being treated as jobs in new UI from what I can see. So that should resolve that, and perhaps we should wait for that change first? Because we wouldn't be able to confirm this one until that is implemented in new UI.

#7 Updated by Dennis Mullen 6 days ago

48459

This one is ready to go in the 11.2 internal build. Throws the right error message when the key is too small, works when it is right. As for 11.3, importing certs fails right now because of some needed upgrades as described in https://redmine.ixsystems.com/issues/55986

Once that's done, I think this error message about key strength will work for certificates in 11.3 too, just as it already does for CAs.

#8 Updated by Dennis Mullen 6 days ago

  • Related to Feature #55986: Add support for ACME certs in new UI added

#10 Updated by Erin Clark 5 days ago

  • Status changed from In Progress to Ready for Testing

#11 Updated by Dru Lavigne 5 days ago

  • Subject changed from Disallow import or creation of certificates with key lengths less then 1024 to Update Private Key tooltips in new UI
  • Needs Merging changed from Yes to No
