pki-core-10.5.1-15.el7

The Public Key Infrastructure (PKI) Core contains fundamental packages required by Asianux Certificate System.

This update fixes the following bugs:

* Previously, if a user signed a Certificate Management over CMS (CMC) request using a self-signed profile, Certificate System issued a certificate. This bug has been fixed. As a result, users can now use a self-signed profile when authenticating using the Shared Token method. (BZ#1611245)

* This update removes the outdated reference to the NSS_USE_DECODED_CKA_EC_POINT environment variable for ECC certificates in the HttpClient command line usage. (BZ#1611250)

* Previously, if the issuer subjectDN attribute of the certificate authority (CA) signing certificate had a different encoding than the default on the host running Certificate System, comparing the issuer subjectDN failed. With this update, the server extracts the issuer subjectDN of the CA signing certificate for comparison. As a result, comparing the attribute succeeds. (BZ#1612880)

* When you set up an Identity Management (IdM) replica with certificate authority (CA), the pkispawn utility, provided by the pki-core package, reads the replication status from the nsds5replicaLastInitStatus attribute stored in LDAP. A previous update of Asianux Directory Server changed the status message from "0 Total update succeeded" to "Error (0) Total update succeeded". As a consequence, setting up an IdM replica with CA failed. The pkispawn utility has been updated to support both status messages. As a result, setting up an IdM replica with CA works as expected with both the previous and latest versions of Directory Server. (BZ#1614837)

* Previously, Certificate System did not log certain configuration actions in the audit log by default. As a consequence, auditors could not verify who changed the configuration. This update adds the CERT_PROFILE_APPROVAL, CONFIG_CRL_PROFILE, CONFIG_OCSP_PROFILE, CONFIG_ACL, and CONFIG_DRM,AUTHORITY_CONFIG events to the list of events enabled by default. As a result, Certificate System logs these events automatically without the need to manually add them to the configuration. (BZ#1614839)

* Previously, audit log signing in Certificate System only supported RSA keys. With this update, Certificate System also supports ECC keys for signing the audit log, and the AuditVerify utility can verify these signatures. (BZ#1615266)

Users of pki-core are advised to upgrade to these updated packages, which fix these bugs.