|Applies To||RSA Certificate Manager 6.8; Microsoft Windows Server 2003 SP2; Auto Enrollment Proxy (AEP)|
|Issue||RCM auto enrollment proxy is crashing the admin web server|
The following sequence causes Apache.exe to crash:
1. Issue a certificate based on the Domain Controller version 1 template to a DC.
2. Open the certificate store for the local machine on the domain.
3. Apache.exe crashes on the CA.
4. MMC hangs on the CA.
5. Buffer overrun on AEP.
The crash occurs only on renewal; tests were performed on RCM 6.8 build 516.
1. Renewal of DC certificate with same key: Rhcproxy.exe and apache.exe crash.
2. Renewal of DC certificate with new key: Rhcproxy.exe and apache.exe crash.
3. Request of DC certificate with same key: success, new certificate issued.
4. Request of DC certificate with new key: success, new certificate issued.
5. Renewal of EE certificate with same key: Rhcproxy.exe crashes; apache.exe does not crash.
6. Renewal of EE certificate with new key: Rhcproxy.exe crashes; apache.exe does not crash.
For non-DC certificates:
New key: fails. Rhcproxy.exe crashes; apache.exe does not crash.
Same key: fails. Same as above.
In a nutshell: a non-DC certificate was also unable to renew, but the crash symptoms were different.
RFC 2797 states that renewal with the same key and renewal with a new key (re-key) use the same message structure as enrollment messages; it does not describe a separate renewal request structure for the same-key and new-key cases.
The following are the CMC renewal certificate request formats described in Microsoft MSDN.
The renewal certificate request (request type: PKCS#7) format looks like this:
The renewal certificate request (request type: PKCS#7/CMC) format looks like this:
We have referenced the links below:
Based on our initial study, a v1 template renewal request uses the PKCS#7 request format and a v2 template renewal request uses the PKCS#7/CMS request format. Since the formats differ, parsing must be done separately for v1 and v2 certificate templates, and the X.509 renewal certificate must be parsed from each.
The user must select the Microsoft certificate templates used for issuing certificates through AEP. The current AEP implementation supports all v1 and v2 Microsoft certificate templates for issuing certificates.
AEP renewal offers the option to renew with the same key (a new certificate with the same key) or to renew with a new key (re-keying, i.e., a new certificate with a new key).
The current RCM implementation supports only renewal of a certificate with the same key. The renewal process takes the certificate, calculates its MD5 hash, and uses that to fetch the certificate object from the database. Renewal then simply copies the public key from the old certificate.
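The two points above (the v1 and v2 renewal requests must be told apart and parsed separately, and a parser that trusts length fields is exposed to buffer overruns) can be shown with a small strict DER walker. The block below is an added example written for this article; it is not RCM or AEP code. It classifies a renewal request by the inner content type carried in the outer PKCS#7 SignedData wrapper, treating id-data (a bare PKCS#10 inside) as the v1 form and id-cct-PKIData from RFC 2797 (CMC) as the v2 form; that OID-to-template mapping follows the article's description and is an assumption of the example. The sample requests are constructed skeletons with no signatures or certificates, and every length field is checked against the remaining buffer before it is used.

```python
"""Strict DER walker that tells v1 (PKCS#7 + PKCS#10) from v2 (PKCS#7 + CMC)
renewal requests by inner content type. Added example, not RCM/AEP code."""

OID_SIGNED_DATA = "1.2.840.113549.1.7.2"  # id-signedData (PKCS#7/CMS)
OID_ID_DATA = "1.2.840.113549.1.7.1"      # id-data: bare PKCS#10 inside
OID_PKIDATA = "1.3.6.1.5.5.7.12.2"        # id-cct-PKIData (CMC, RFC 2797)


class DerError(ValueError):
    """Raised instead of reading past the buffer on a malformed request."""


def read_tlv(buf, pos):
    """Return (tag, value, next_pos); every length is bounds-checked."""
    if pos + 2 > len(buf):
        raise DerError("truncated tag/length header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise DerError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):          # the check a buffer overrun lacks
        raise DerError("length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split a constructed value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = read_tlv(value, pos)
        out.append((tag, v))
    return out


def decode_oid(value):
    """Decode OID contents to dotted form, rejecting an unterminated arc."""
    if not value:
        raise DerError("empty OID")
    arcs, n, pending = [value[0] // 40, value[0] % 40], 0, False
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            arcs.append(n)
            n = 0
    if pending:
        raise DerError("unterminated OID arc")
    return ".".join(map(str, arcs))


def classify_renewal_request(der):
    """Return 'v1-pkcs10' or 'v2-cmc' based on SignedData's eContentType."""
    tag, ci, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise DerError("ContentInfo must be one SEQUENCE spanning the input")
    parts = children(ci)
    if len(parts) != 2 or parts[0][0] != 0x06 or parts[1][0] != 0xA0:
        raise DerError("malformed ContentInfo")
    if decode_oid(parts[0][1]) != OID_SIGNED_DATA:
        raise DerError("outer content is not SignedData")
    sd_tag, sd, _ = read_tlv(parts[1][1], 0)
    if sd_tag != 0x30:
        raise DerError("SignedData must be a SEQUENCE")
    fields = children(sd)  # version, digestAlgorithms, encapContentInfo, ...
    if len(fields) < 3 or fields[2][0] != 0x30:
        raise DerError("missing encapContentInfo")
    eci = children(fields[2][1])
    if not eci or eci[0][0] != 0x06:
        raise DerError("missing eContentType")
    inner = decode_oid(eci[0][1])
    if inner == OID_ID_DATA:
        return "v1-pkcs10"
    if inner == OID_PKIDATA:
        return "v2-cmc"
    raise DerError("unsupported inner content type " + inner)


# --- constructed sample input (a SignedData skeleton, no real signature) ---
def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, out)


def sample_request(inner_oid, payload=b"\x30\x00"):
    """Constructed ContentInfo{SignedData{..., encapContentInfo{inner_oid}}}."""
    eci = tlv(0x30, encode_oid(inner_oid) + tlv(0xA0, tlv(0x04, payload)))
    signed = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x31, b"") + eci + tlv(0x31, b""))
    return tlv(0x30, encode_oid(OID_SIGNED_DATA) + tlv(0xA0, signed))


if __name__ == "__main__":
    print(classify_renewal_request(sample_request(OID_ID_DATA)))   # v1-pkcs10
    print(classify_renewal_request(sample_request(OID_PKIDATA)))   # v2-cmc
```

A truncated request, or one whose length byte claims more data than is present, raises DerError from read_tlv before any slice is taken; a parser that instead trusted the declared length and copied that many bytes into a fixed buffer would show exactly the buffer-overrun symptom listed in the test steps above.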
Contact RSA Customer Support and request RCM 6.8 build 517 or higher.
With RCM 6.8 build 517, RCM is able to renew AEP certificates; no crash was observed with either v1 or v2 templates.
|Legacy Article ID||a48384|