Red Hat CERTIFICATE SYSTEM 7.2 - RELEASE NOTES Release Note page 14

Release Notes
Bug Number
Description
page can still be accessed. This page can be disabled by removing the preop.pin
parameter from the instance's CS.cfg file and restarting the instance.
58301
Using the administrative console to renew an SSL server certificate stored on a
hardware token automatically imports the server certificate into the Certificate
System software token rather than the hardware token.
58354
It is possible for a CA, DRM, OCSP, and TKS subsystem's certificates to be generated
by an external root CA. For a subordinate CA in that case, the new CA signing
certificate issued by the external CA must be pasted into the Requests and Certificates
page; this signing certificate is then used to generate the other certificates. For DRM,
OCSP, and TKS subsystems, the SSL server and client certificates and, if required, DRM
transport and storage certificates are generated by the external CA. It can take several
days, even weeks, to receive the certificates from the external root CA, meaning the
configuration process is suspended at the Requests and Certificates panel in the
configuration wizard. When the certificates are received, they must be pasted into the
Requests and Certificates panel to complete the subsystem configuration. However,
reopening the configuration wizard at the beginning of the process can corrupt the
previous setup. To return directly to the Requests and Certificates panel in the
configuration wizard, open the configuration wizard URL with ?p=12 appended to the end.
For example:
http://server.example.com:9080/ca/admin/console/config/wizard?p=12
58464
On Mozilla Firefox, when accessing a subsystem URL without specifying the desired
page, such as https://server.example.com:9443, it automatically redirects to
https://server.example.com:9443/ca/services. The redirect does not work
on Internet Explorer 6.0; when trying the URL https://server.example.com:9443,
Internet Explorer opens a blank page.
58518
When starting or stopping a CA, DRM, OCSP, or TKS on Solaris, the start and stop
script can kill the process before the process completes and exits. This does not occur
on a TPS subsystem on Solaris.
58524
Before reusing an HSM to install and configure a TPS subsystem, manually delete any
existing certificates from the HSM. All conflicting certificates (certificates with the same
nickname) have to be removed from the HSM before the TPS is configured. Otherwise,
the configuration process will still install the new certificates, but it is not certain which
certificate, old or new, will be used. Running certutil with the -D option to delete the
certificates does not work with the -f option to specify a password file.
58555
Safenet LunaSA hardware modules do not have binaries for 64-bit Red Hat Enterprise
Linux platforms. Trying to use LunaSA 32-bit libraries on 64-bit Red Hat Enterprise
Linux platforms, including Red Hat Enterprise Linux 4 (x86_64), will fail with the
following error:
ERROR: Failed to add module "lunasa". Probable cause: "/usr/lunasa/lib/libCryptoki2.so: cannot open shared object file: No such file or directory"
58577
Agent authentication to an ECC-enabled CA can fail in the browser with error -12271 if
an HSM has been added to the secmod.db database on the local machine. To work
around this situation, delete the secmod.db database which contains the HSM entry
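
A pre-flight check for bug 58524 above, as an added example that is not part of the Red Hat release notes: it reads a `certutil -L` listing for the token and flags nicknames the new TPS would collide with. The token name, nicknames and sample listing are constructed, and the listing layout (nickname followed by a trust-flags column) is an assumption based on current NSS certutil output.

```sh
#!/bin/sh
# Added example for bug 58524 (not Red Hat code). Feed it the output of
#   certutil -L -d <instance alias dir> -h <token name>
# before configuring a TPS on a reused HSM.

# token_nicknames TOKEN: read a listing on stdin and print one nickname per
# line, dropping the header, the trust-flags column and the "TOKEN:" prefix.
token_nicknames() {
    awk -v tok="$1" '
        # Only certificate rows end in a flags column such as "u,u,u" or "CT,C,C".
        sub(/[ \t]+[A-Za-z]*,[A-Za-z]*,[A-Za-z]*[ \t]*$/, "") {
            if (index($0, tok ":") == 1) $0 = substr($0, length(tok) + 2)
            print
        }'
}

# find_conflicts TOKEN NICKNAME...: report every planned nickname that is
# already on the token. Returns 1 if any conflict exists, 0 otherwise.
find_conflicts() {
    token=$1; shift
    present=$(token_nicknames "$token")
    status=0
    for nick in "$@"; do
        # -F -x: compare the whole nickname literally, not as a pattern.
        count=$(printf '%s\n' "$present" | grep -Fxc -- "$nick" || true)
        if [ "$count" -gt 0 ]; then
            echo "CONFLICT: '$nick' already on $token (count=$count)"
            status=1
        fi
    done
    return $status
}

# Constructed sample listing (hypothetical token and nicknames, not real output).
# The duplicated Server-Cert row is the ambiguous case the release note warns about.
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

demo-token:Server-Cert demo-tps                              u,u,u
demo-token:subsystemCert demo-tps                            u,u,u
demo-token:Server-Cert demo-tps                              u,u,u
demo-token:caSigningCert demo-ca                             CT,C,C'

printf '%s\n' "$SAMPLE_LISTING" |
    find_conflicts "demo-token" "Server-Cert demo-tps" \
        "subsystemCert demo-tps" "transportCert demo-tps" || true
```

Any nickname reported here has to be deleted from the HSM by hand before the TPS is configured.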