000014793 - RCM auto enrollment proxy is crashing the admin web server

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000014793
Applies To: RSA Certificate Manager 6.8
Microsoft Windows Server 2003 SP2
Auto Enrollment Proxy (AEP)
Issue: RCM auto enrollment proxy is crashing the admin web server

The following steps reproducibly cause Apache.exe to crash:

1. Issue a cert based on the Domain Controller version 1 template to a DC
via the AEP.

2. Open the certificate store for the local machine on the domain
controller, right-click the certificate and select "Renew with same key".
Click OK, accept the defaults and attempt to finish.

3. Apache.exe crashes on the CA.

4. MMC hangs on the CA.

5. Buffer overrun on AEP.

***********************************

Crashes occur only on renewal; tests were performed on RCM 6.8 build 516.

1. Renew of DC certificate with same key: Rhcproxy.exe and apache.exe crash

2. Renew of DC certificate with new key: Rhcproxy.exe and apache.exe crash

3. Request of DC certificate with same key: success, new cert issued.

4. Request of DC certificate with new key: success, new cert issued.

5. Renew of EE certificate with same key: Rhcproxy.exe crashes; apache.exe does not crash

6. Renew of EE certificate with new key: Rhcproxy.exe crashes; apache.exe does not crash


For non-DC certs

New Key: Fails. Rhcproxy.exe crashes; apache.exe does not crash.

Same Key: Fails. Same as above.

In a nutshell: a non-DC cert was also unable to renew, but the crash symptoms were different.

Cause

RFC 2797 states that renewal with the same key and renewal with a new key (re-key) use the same messages as enrollment; it does not describe a separate renewal request structure for the same-key and new-key cases.

The following CMC renewal certificate request formats are described on Microsoft MSDN.

The renewal certificate request (request type: PKCS#7) has this format:
signedData (1.2.840.113549.1.7.2)
  PKCS#7 Data (1.2.840.113549.1.7.1)
    - PKCS#10 certificate request
    - X.509 renewal certificate (1.3.6.1.4.1.311.13.1)
    - signer info

The renewal certificate request (request type: PKCS#7/CMC) has this format:
signedData (1.2.840.113549.1.7.2)
  CMC Data (1.3.6.1.5.5.7.12.2)
    - CMS certificate request
    - PKCS#10 certificate request
    - X.509 renewal certificate (1.3.6.1.4.1.311.13.1)
    - signer info

We referenced the following links:
http://msdn.microsoft.com/en-us/library/cc249734(PROT.10).aspx
http://msdn.microsoft.com/en-us/library/aa379083(VS.85).aspx

Our initial study shows that a v1 template renewal request uses the PKCS#7 request format and a v2 template renewal request uses the PKCS#7/CMC request format. Because the formats differ, requests for v1 and v2 certificate templates must be parsed separately, and the X.509 renewal certificate must be parsed in each case.
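As an added example (not RSA's code and not part of this article), the Python below shows the distinction drawn above: read the content-type OID inside the signed request to tell a v1 (PKCS#7 Data) renewal from a v2 (CMC Data) renewal before choosing a parser, using a bounds-checked DER reader that rejects a malformed length instead of reading past the end of the buffer. The DER builder, the OID labels and the sample requests are constructed here and reduced to the OIDs that matter.

```python
OIDS = {"1.2.840.113549.1.7.2": "signedData", "1.2.840.113549.1.7.1": "pkcs7-data",
        "1.3.6.1.5.5.7.12.2": "cmc-data", "1.3.6.1.4.1.311.13.1": "ms-renewal-cert"}
def der(tag, body):  # short-form DER TLV, enough for the constructed samples below
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def encode_oid(dotted):  # dotted OID string -> DER OBJECT IDENTIFIER
    parts = [int(p) for p in dotted.split(".")]
    body = bytes([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        while p >> 7:  # base-128 with continuation bits, most significant group first
            p >>= 7
            chunk.append(0x80 | (p & 0x7F))
        body += bytes(reversed(chunk))
    return der(0x06, body)

def read_tlv(buf, pos):  # (tag, value, next_pos); raises ValueError instead of over-reading
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length: k length bytes follow
        k = n & 0x7F
        if k == 0 or k > 4 or pos + k > len(buf):
            raise ValueError("bad long-form length")
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("declared length %d exceeds buffer" % n)
    return tag, buf[pos:pos + n], pos + n
NAME_BY_OID = {encode_oid(k)[2:]: v for k, v in OIDS.items()}

def walk_oids(buf):  # depth-first list of known OID names found anywhere in a DER blob
    found, pos = [], 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        if tag == 0x06:
            found.append(NAME_BY_OID.get(val, "other"))
        elif tag & 0x20:  # constructed type: recurse into its children
            found += walk_oids(val)
    return found

def classify_renewal(request):  # pick the parser (v1 vs v2) before touching request fields
    names = walk_oids(request)
    if "ms-renewal-cert" not in names:
        return "enrollment"  # no renewal certificate attached: a fresh request
    if "cmc-data" in names:
        return "v2-cmc-renewal"
    return "v1-pkcs7-renewal" if "pkcs7-data" in names else "unknown-renewal"

# Constructed samples, reduced to the OIDs that matter; real requests carry many more fields.
SIGNED, RENEW = encode_oid("1.2.840.113549.1.7.2"), encode_oid("1.3.6.1.4.1.311.13.1")
V1_SAMPLE = der(0x30, SIGNED + der(0x30, encode_oid("1.2.840.113549.1.7.1") + der(0x30, RENEW)))
V2_SAMPLE = der(0x30, SIGNED + der(0x30, encode_oid("1.3.6.1.5.5.7.12.2") + der(0x30, RENEW)))
```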

The user selects a Microsoft certificate template when issuing a certificate through AEP. The current AEP implementation supports all v1 and v2 Microsoft certificate templates for issuing certificates.

AEP renewal offers the option to renew with the same key (a new certificate with the same key) or to renew with a new key (re-keying, i.e. a new certificate with a new key).

The current RCM implementation supports only renewal of a certificate with the same key. The renewal process takes the certificate, calculates its MD5 hash and uses it to fetch the certificate object from the database; the renewal simply copies the public key from the old certificate.

RCM has problems with renewal using a new key or with new signer (CA) keys.

Resolution
Contact RSA Customer Support and request RCM 6.8 build 517 or higher.
With RCM 6.8 build 517, RCM is able to renew AEP certificates; no crash was observed with either V1 or V2 templates.
Legacy Article ID: a48384
