diff --git a/SOURCES/0020-If-stderr-is-not-a-tty-log-to-syslog-so-the-helpers-.patch b/SOURCES/0020-If-stderr-is-not-a-tty-log-to-syslog-so-the-helpers-.patch
new file mode 100644
index 0000000..593d4fb
--- /dev/null
+++ b/SOURCES/0020-If-stderr-is-not-a-tty-log-to-syslog-so-the-helpers-.patch
@@ -0,0 +1,104 @@
+From 3364f76f5984ff4cbc8e7a1a455cedfa228adc4b Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Mon, 2 Apr 2018 13:26:39 -0400
+Subject: [PATCH 20/25] If stderr is not a tty log to syslog so the helpers can
+ log
+
+All the helpers were configured to use the log method cm_log_stderr
+which when exececuted as a helper from the certmonger daemon would
+log nowhere.
+
+If stderr is detected as a tty (e.g. the helper is run directly on
+the cli) then logging will go there. Otherwise it will log to
+syslog (honoring the log level).
+---
+ src/certmaster.c | 5 ++++-
+ src/dogtag.c | 5 ++++-
+ src/ipa.c | 5 ++++-
+ src/local.c | 5 ++++-
+ src/scep.c | 5 ++++-
+ 5 files changed, 20 insertions(+), 5 deletions(-)
+
+diff --git a/src/certmaster.c b/src/certmaster.c
+index 64662fa..dc68ecd 100644
+--- a/src/certmaster.c
++++ b/src/certmaster.c
+@@ -86,7 +86,10 @@ main(int argc, const char **argv)
+ bindtextdomain(PACKAGE, MYLOCALEDIR);
+ #endif
+
+- cm_log_set_method(cm_log_stderr);
++ if (isatty(STDERR_FILENO))
++ cm_log_set_method(cm_log_stderr);
++ else
++ cm_log_set_method(cm_log_syslog);
+ pctx = poptGetContext(argv[0], argc, argv, popts, 0);
+ if (pctx == NULL) {
+ return CM_SUBMIT_STATUS_UNCONFIGURED;
+diff --git a/src/dogtag.c b/src/dogtag.c
+index 0247cf2..3780a2d 100644
+--- a/src/dogtag.c
++++ b/src/dogtag.c
+@@ -296,7 +296,10 @@ main(int argc, const char **argv)
+ }
+
+ umask(S_IRWXG | S_IRWXO);
+- cm_log_set_method(cm_log_stderr);
++ if (isatty(STDERR_FILENO))
++ cm_log_set_method(cm_log_stderr);
++ else
++ cm_log_set_method(cm_log_syslog);
+ cm_log_set_level(verbose);
+
+ nctx = NSS_InitContext(CM_DEFAULT_CERT_STORAGE_LOCATION,
+diff --git a/src/ipa.c b/src/ipa.c
+index 13ea4ca..1279d1c 100644
+--- a/src/ipa.c
++++ b/src/ipa.c
+@@ -671,7 +671,10 @@ main(int argc, const char **argv)
+ }
+
+ umask(S_IRWXG | S_IRWXO);
+- cm_log_set_method(cm_log_stderr);
++ if (isatty(STDERR_FILENO))
++ cm_log_set_method(cm_log_stderr);
++ else
++ cm_log_set_method(cm_log_syslog);
+ cm_log_set_level(verbose);
+
+ /* Start backfilling defaults, both hard-coded and from the IPA
+diff --git a/src/local.c b/src/local.c
+index 74aee63..004add3 100644
+--- a/src/local.c
++++ b/src/local.c
+@@ -484,7 +484,10 @@ main(int argc, const char **argv)
+
+ umask(S_IRWXG | S_IRWXO);
+
+- cm_log_set_method(cm_log_stderr);
++ if (isatty(STDERR_FILENO))
++ cm_log_set_method(cm_log_stderr);
++ else
++ cm_log_set_method(cm_log_syslog);
+ cm_log_set_level(verbose);
+
+ if (localdir == NULL) {
+diff --git a/src/scep.c b/src/scep.c
+index 11f9ae3..0dbdcd7 100644
+--- a/src/scep.c
++++ b/src/scep.c
+@@ -332,7 +332,10 @@ main(int argc, const char **argv)
+ }
+
+ umask(S_IRWXG | S_IRWXO);
+- cm_log_set_method(cm_log_stderr);
++ if (isatty(STDERR_FILENO))
++ cm_log_set_method(cm_log_stderr);
++ else
++ cm_log_set_method(cm_log_syslog);
+ cm_log_set_level(verbose);
+
+ ctx = talloc_new(NULL);
+--
+1.8.3.1
+
diff --git a/SOURCES/0021-On-PKCS-7-verify-failures-log-the-PKCS-7-file-fix-va.patch b/SOURCES/0021-On-PKCS-7-verify-failures-log-the-PKCS-7-file-fix-va.patch
new file mode 100644
index 0000000..b1ba4b0
--- /dev/null
+++ b/SOURCES/0021-On-PKCS-7-verify-failures-log-the-PKCS-7-file-fix-va.patch
@@ -0,0 +1,42 @@
+From 6627c9d346b887016afa92664f690a0310d4ce00 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Mon, 2 Apr 2018 13:31:32 -0400
+Subject: [PATCH 21/25] On PKCS#7 verify failures log the PKCS#7 file, fix
+ variable used
+
+results was being used in place of results2.
+
+In practice it would be the result of GetCACaps which means it would
+log _something_, just not the failed PKCS#7 file.
+---
+ src/scep.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/scep.c b/src/scep.c
+index 0dbdcd7..5dd362d 100644
+--- a/src/scep.c
++++ b/src/scep.c
+@@ -920,15 +920,18 @@ main(int argc, const char **argv)
+ if (i != 0) {
+ printf(_("Error: failed to verify signature on "
+ "server response.\n"));
++ cm_log(1, "Error: failed to verify signature on "
++ "server response.\n");
+ while ((error = ERR_get_error()) != 0) {
+ memset(buf, '\0', sizeof(buf));
+ ERR_error_string_n(error, buf, sizeof(buf));
+ cm_log(1, "%s\n", buf);
+ }
+- s = cm_store_base64_from_bin(ctx, (unsigned char *) results,
+- results_length);
++ s = cm_store_base64_from_bin(ctx, (unsigned char *) results2,
++ results_length2);
+ s = cm_submit_u_pem_from_base64("PKCS7", 0, s);
+ fprintf(stderr, "%s", s);
++ cm_log(1, "%s", s);
+ free(s);
+ return CM_SUBMIT_STATUS_UNREACHABLE;
+ }
+--
+1.8.3.1
+
diff --git a/SOURCES/0022-Allow-configuration-of-client-SCEP-algorithms.patch b/SOURCES/0022-Allow-configuration-of-client-SCEP-algorithms.patch
new file mode 100644
index 0000000..af0d4bd
--- /dev/null
+++ b/SOURCES/0022-Allow-configuration-of-client-SCEP-algorithms.patch
@@ -0,0 +1,561 @@
+From 3523ad7b8b2349ed4ee301b992797902b7288028 Mon Sep 17 00:00:00 2001
+From: Trevor Vaughan <tvaughan@onyxpoint.com>
+Date: Fri, 23 Feb 2018 16:11:35 -0500
+Subject: [PATCH 22/25] Allow configuration of client SCEP algorithms
+
+* Allow users to set `scep_cipher` and `scep_digest` in their CA
+configuration. These settings are authoritative and will override
+anything from the server. This was added to support connections to
+systems, such as Dogtag, that do not provide a CA capabilities string
+and, therefore, are prone to causing incorrect ciphers to be used on the
+client side.
+
+* In accordance with the latest SCEP Draft RFC, the default cipher has
+been changed to AES-256 and the default digest has been changed to
+SHA-256. These were chosen as reasonable defaults for most users and
+systems.
+
+* To ease the determination of which configuration file controls what
+CA, the output of `getcert list-cas -v` was updated to print a
+`config-path` entry which will list the specific configuration
+associated with a given CA.
+
+Closes #89
+---
+ src/getcert.c | 6 ++
+ src/prefs.h | 5 ++
+ src/scepgen-o.c | 182 ++++++++++++++++++++++++++++++++++++++++++------------
+ src/store-files.c | 22 +++++++
+ src/store-int.h | 4 ++
+ src/tdbus.h | 2 +
+ src/tdbush.c | 149 +++++++++++++++++++++++++++++++++++++++++++-
+ 7 files changed, 331 insertions(+), 39 deletions(-)
+
+diff --git a/src/getcert.c b/src/getcert.c
+index 35fd0d6..724d125 100644
+--- a/src/getcert.c
++++ b/src/getcert.c
+@@ -4157,6 +4157,12 @@ list_cas(const char *argv0, int argc, const char **argv)
+ if ((s != NULL) && (strlen(s) > 0)) {
+ printf(_("\tpost-save command: %s\n"), s);
+ }
++ if (verbose > 0) {
++ printf(_("\tconfig-path: %s\n"),
++ query_rep_s(bus, cas[i], CM_DBUS_CA_INTERFACE,
++ "get_config_file_path",
++ verbose, globals.tctx));
++ }
+ }
+ return 0;
+ }
+diff --git a/src/prefs.h b/src/prefs.h
+index 231aea7..349ec64 100644
+--- a/src/prefs.h
++++ b/src/prefs.h
+@@ -20,9 +20,12 @@
+
+ enum cm_prefs_cipher {
+ cm_prefs_aes128,
++ cm_prefs_aes192,
+ cm_prefs_aes256,
+ cm_prefs_des3,
+ cm_prefs_des,
++ /* This is for the selection logic */
++ cm_prefs_nocipher,
+ };
+
+ enum cm_prefs_digest {
+@@ -31,6 +34,8 @@ enum cm_prefs_digest {
+ cm_prefs_sha512,
+ cm_prefs_sha1,
+ cm_prefs_md5,
++ /* This is for the selection logic */
++ cm_prefs_nodigest,
+ };
+
+ enum cm_notification_method;
+diff --git a/src/scepgen-o.c b/src/scepgen-o.c
+index d11e3de..07c2b8b 100644
+--- a/src/scepgen-o.c
++++ b/src/scepgen-o.c
+@@ -433,49 +433,155 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
+ free(pem);
+ _exit(CM_SUB_STATUS_INTERNAL_ERROR);
+ }
+- cipher = cm_prefs_des;
+- for (i = 0;
+- (ca->cm_ca_capabilities != NULL) &&
+- (ca->cm_ca_capabilities[i] != NULL);
+- i++) {
+- capability = ca->cm_ca_capabilities[i];
+- if (strcmp(capability, "DES3") == 0) {
+- cm_log(1, "Server supports DES3, using that.\n");
++
++ char* scep_cipher = ca->cm_ca_scep_cipher;
++ if (scep_cipher != NULL) {
++ /* Force the cipher to whatever is in the configuration */
++ if (strcmp(scep_cipher, "AES256") == 0) {
++ cipher = cm_prefs_aes256;
++ }
++ else if (strcmp(scep_cipher, "AES192") == 0) {
++ cipher = cm_prefs_aes192;
++ }
++ else if (strcmp(scep_cipher, "AES128") == 0) {
++ cipher = cm_prefs_aes128;
++ }
++ else if (strcmp(scep_cipher, "DES3") == 0) {
+ cipher = cm_prefs_des3;
+- break;
+- }
+- }
+- if (cipher == cm_prefs_des) {
+- cm_log(1, "Server does not support DES3, using DES.\n");
+- }
+- pref_digest = cm_prefs_preferred_digest();
+- digest = cm_prefs_md5;
+- for (i = 0;
+- (ca->cm_ca_capabilities != NULL) &&
+- (ca->cm_ca_capabilities[i] != NULL);
+- i++) {
+- capability = ca->cm_ca_capabilities[i];
+- if ((pref_digest == cm_prefs_sha1) &&
+- (strcmp(capability, "SHA-1") == 0)) {
+- cm_log(1, "Server supports SHA-1, using that.\n");
+- digest = cm_prefs_sha1;
+- break;
+ }
+- if ((pref_digest == cm_prefs_sha256) &&
+- (strcmp(capability, "SHA-256") == 0)) {
+- cm_log(1, "Server supports SHA-256, using that.\n");
+- digest = cm_prefs_sha256;
+- break;
++ else if (strcmp(scep_cipher, "DES") == 0) {
++ cipher = cm_prefs_des;
+ }
+- if ((pref_digest == cm_prefs_sha512) &&
+- (strcmp(capability, "SHA-512") == 0)) {
+- cm_log(1, "Server supports SHA-512, using that.\n");
+- digest = cm_prefs_sha512;
+- break;
++ else {
++ cm_log(1, "Option 'scep_cipher' must be one of AES256, AES192, AES128, DES3, or DES. Got '%s'\n", scep_cipher);
++ _exit(1);
++ }
++
++ cm_log(1, "SCEP cipher authoritatively set to: '%s'\n", scep_cipher);
++ }
++ else {
++ cipher = cm_prefs_nocipher;
++ for (i = 0;
++ (ca->cm_ca_capabilities != NULL) &&
++ (ca->cm_ca_capabilities[i] != NULL);
++ i++) {
++ capability = ca->cm_ca_capabilities[i];
++ if ((strcmp(capability, "AES-256") == 0) ||
++ (strcmp(capability, "AES256") == 0)) {
++ cm_log(1, "Server supports AES256, using that.\n");
++ cipher = cm_prefs_aes256;
++ break;
++ }
++ if ((strcmp(capability, "AES-192") == 0) ||
++ (strcmp(capability, "AES192") == 0)) {
++ cm_log(1, "Server supports AES192, using that.\n");
++ cipher = cm_prefs_aes192;
++ break;
++ }
++ if ((strcmp(capability, "AES-128") == 0) ||
++ (strcmp(capability, "AES128") == 0)) {
++ cm_log(1, "Server supports AES128, using that.\n");
++ cipher = cm_prefs_aes128;
++ break;
++ }
++ if (strcmp(capability, "AES") == 0) {
++ cm_log(1, "Server supports AES, using AES256.\n");
++ cipher = cm_prefs_aes256;
++ break;
++ }
++ if (strcmp(capability, "DES3") == 0) {
++ cm_log(1, "Server supports DES3, using that.\n");
++ cipher = cm_prefs_des3;
++ break;
++ }
++ /* This remains for backward compatibility */
++ if (strcmp(capability, "DES") == 0) {
++ cm_log(1, "Server supports DES, using that.\n");
++ cipher = cm_prefs_des;
++ break;
++ }
++ }
++ if (cipher == cm_prefs_nocipher) {
++ /* Per the latest Draft RFC */
++ cm_log(1, "Could not determine supported CA capabilities, using AES256.\n");
++ cipher = cm_prefs_aes256;
+ }
+ }
+- if (digest == cm_prefs_md5) {
+- cm_log(1, "Server does not support better digests, using MD5.\n");
++
++ char* scep_digest = ca->cm_ca_scep_digest;
++ if (scep_digest != NULL) {
++ /* Force the digest to whatever is in the configuration */
++ if (strcmp(scep_digest, "SHA512") == 0) {
++ digest = cm_prefs_sha512;
++ }
++ else if (strcmp(scep_digest, "SHA384") == 0) {
++ digest = cm_prefs_sha384;
++ }
++ else if (strcmp(scep_digest, "SHA256") == 0) {
++ digest = cm_prefs_sha256;
++ }
++ else if (strcmp(scep_digest, "SHA1") == 0) {
++ digest = cm_prefs_sha1;
++ }
++ else if (strcmp(scep_digest, "MD5") == 0) {
++ digest = cm_prefs_md5;
++ }
++ else {
++ cm_log(1, "Option 'scep_digest' must be one of AES256, AES192, AES128, DES3, or DES. Got '%s'\n", scep_digest);
++ _exit(1);
++ }
++
++ cm_log(1, "SCEP digest authoritatively set to: '%s'\n", scep_digest);
++ }
++ else {
++ pref_digest = cm_prefs_preferred_digest();
++ digest = cm_prefs_nodigest;
++ for (i = 0;
++ (ca->cm_ca_capabilities != NULL) &&
++ (ca->cm_ca_capabilities[i] != NULL);
++ i++) {
++ capability = ca->cm_ca_capabilities[i];
++ if ((pref_digest == cm_prefs_sha512) &&
++ ((strcmp(capability, "SHA-512") == 0) ||
++ (strcmp(capability, "SHA512") == 0))) {
++ cm_log(1, "Server supports SHA-512, using that.\n");
++ digest = cm_prefs_sha512;
++ break;
++ }
++ if ((pref_digest == cm_prefs_sha384) &&
++ ((strcmp(capability, "SHA-384") == 0) ||
++ (strcmp(capability, "SHA384") == 0))) {
++ cm_log(1, "Server supports SHA-384, using that.\n");
++ digest = cm_prefs_sha384;
++ break;
++ }
++ if ((pref_digest == cm_prefs_sha256) &&
++ ((strcmp(capability, "SHA-256") == 0) ||
++ (strcmp(capability, "SHA256") == 0))) {
++ cm_log(1, "Server supports SHA-256, using that.\n");
++ digest = cm_prefs_sha256;
++ break;
++ }
++ if ((pref_digest == cm_prefs_sha1) &&
++ ((strcmp(capability, "SHA-1") == 0) ||
++ (strcmp(capability, "SHA1") == 0))) {
++ cm_log(1, "Server supports SHA-1, using that.\n");
++ digest = cm_prefs_sha1;
++ break;
++ }
++ /* This remains for backward compatibility */
++ if ((pref_digest == cm_prefs_sha1) &&
++ (strcmp(capability, "MD5") == 0)) {
++ cm_log(1, "Server supports MD5, using that.\n");
++ digest = cm_prefs_md5;
++ break;
++ }
++ }
++ if (digest == cm_prefs_nodigest) {
++ /* Per the latest Draft RFC */
++ cm_log(1, "Could not determine supported CA capabilities, using SHA256.\n");
++ digest = cm_prefs_sha256;
++ }
+ }
+ if (old_cert != NULL) {
+ if (cm_pkcs7_envelope_ias(ca->cm_ca_encryption_cert, cipher,
+diff --git a/src/store-files.c b/src/store-files.c
+index 977e896..c7195c4 100644
+--- a/src/store-files.c
++++ b/src/store-files.c
+@@ -206,6 +206,8 @@ enum cm_store_file_field {
+ cm_store_ca_field_other_cert_nssdbs,
+
+ cm_store_ca_field_capabilities,
++ cm_store_ca_field_scep_cipher,
++ cm_store_ca_field_scep_digest,
+ cm_store_ca_field_scep_ca_identifier,
+ cm_store_ca_field_encryption_cert,
+ cm_store_ca_field_encryption_issuer_cert,
+@@ -385,6 +387,8 @@ static struct cm_store_file_field_list {
+ {cm_store_ca_field_other_cert_nssdbs, "ca_other_cert_dbs"},
+
+ {cm_store_ca_field_capabilities, "ca_capabilities"},
++ {cm_store_ca_field_scep_cipher, "scep_cipher"},
++ {cm_store_ca_field_scep_digest, "scep_digest"},
+ {cm_store_ca_field_scep_ca_identifier, "scep_ca_identifier"},
+ {cm_store_ca_field_encryption_cert, "ca_encryption_cert"},
+ {cm_store_ca_field_encryption_issuer_cert, "ca_encryption_issuer_cert"},
+@@ -725,6 +729,8 @@ cm_store_entry_read(void *parent, const char *filename, FILE *fp)
+ case cm_store_ca_field_other_root_cert_nssdbs:
+ case cm_store_ca_field_other_cert_nssdbs:
+ case cm_store_ca_field_capabilities:
++ case cm_store_ca_field_scep_cipher:
++ case cm_store_ca_field_scep_digest:
+ case cm_store_ca_field_scep_ca_identifier:
+ case cm_store_ca_field_encryption_cert:
+ case cm_store_ca_field_encryption_issuer_cert:
+@@ -1523,6 +1529,14 @@ cm_store_ca_read(void *parent, const char *filename, FILE *fp)
+ ret->cm_ca_capabilities =
+ free_if_empty_multi(ret, p);
+ break;
++ case cm_store_ca_field_scep_cipher:
++ ret->cm_ca_scep_cipher =
++ free_if_empty(p);
++ break;
++ case cm_store_ca_field_scep_digest:
++ ret->cm_ca_scep_digest =
++ free_if_empty(p);
++ break;
+ case cm_store_ca_field_scep_ca_identifier:
+ ret->cm_ca_scep_ca_identifier =
+ free_if_empty(p);
+@@ -2339,6 +2353,10 @@ cm_store_ca_write(FILE *fp, struct cm_store_ca *ca)
+ ca->cm_ca_other_cert_store_nssdbs);
+ cm_store_file_write_strs(fp, cm_store_ca_field_capabilities,
+ ca->cm_ca_capabilities);
++ cm_store_file_write_str(fp, cm_store_ca_field_scep_cipher,
++ ca->cm_ca_scep_cipher);
++ cm_store_file_write_str(fp, cm_store_ca_field_scep_digest,
++ ca->cm_ca_scep_digest);
+ cm_store_file_write_str(fp, cm_store_ca_field_scep_ca_identifier,
+ ca->cm_ca_scep_ca_identifier);
+ cm_store_file_write_str(fp, cm_store_ca_field_encryption_cert,
+@@ -2861,6 +2879,10 @@ cm_store_ca_dup(void *parent, struct cm_store_ca *ca)
+
+ ret->cm_ca_capabilities =
+ cm_store_maybe_strdupv(ret, ca->cm_ca_capabilities);
++ ret->cm_ca_scep_cipher =
++ cm_store_maybe_strdup(ret, ca->cm_ca_scep_cipher);
++ ret->cm_ca_scep_digest =
++ cm_store_maybe_strdup(ret, ca->cm_ca_scep_digest);
+ ret->cm_ca_scep_ca_identifier =
+ cm_store_maybe_strdup(ret, ca->cm_ca_scep_ca_identifier);
+ ret->cm_ca_encryption_cert =
+diff --git a/src/store-int.h b/src/store-int.h
+index 98b37e6..4a40406 100644
+--- a/src/store-int.h
++++ b/src/store-int.h
+@@ -349,6 +349,10 @@ struct cm_store_ca {
+ char **cm_ca_other_cert_store_nssdbs;
+ /* CA capabilities. Currently only ever SCEP capabilities. */
+ char **cm_ca_capabilities;
++ /* SCEP Cipher to use. Overrides CA Capabilities */
++ char *cm_ca_scep_cipher;
++ /* SCEP Digest to use. Overrides CA Capabilities */
++ char *cm_ca_scep_digest;
+ /* An SCEP CA identifier, for use in gathering an RA (and possibly a
+ * CA) certificate. */
+ char *cm_ca_scep_ca_identifier;
+diff --git a/src/tdbus.h b/src/tdbus.h
+index 7164f11..e63e783 100644
+--- a/src/tdbus.h
++++ b/src/tdbus.h
+@@ -119,6 +119,8 @@
+ #define CM_DBUS_PROP_ROOT_CERTS "root-certs"
+ #define CM_DBUS_PROP_OTHER_ROOT_CERTS "root-other-certs"
+ #define CM_DBUS_PROP_OTHER_CERTS "other-certs"
++#define CM_DBUS_PROP_SCEP_CIPHER "scep-cipher"
++#define CM_DBUS_PROP_SCEP_DIGEST "scep-digest"
+ #define CM_DBUS_PROP_SCEP_CA_IDENTIFIER "scep-ca-identifier"
+ #define CM_DBUS_PROP_SCEP_CA_CAPABILITIES "scep-ca-capabilities"
+ #define CM_DBUS_PROP_SCEP_RA_CERT "scep-ra-cert"
+diff --git a/src/tdbush.c b/src/tdbush.c
+index 04fe57e..3ce6c40 100644
+--- a/src/tdbush.c
++++ b/src/tdbush.c
+@@ -2128,6 +2128,27 @@ ca_get_serial(DBusConnection *conn, DBusMessage *msg,
+ }
+ }
+
++/* org.fedorahosted.certonger.ca.get_config_file_path */
++ca_get_config_file_path(DBusConnection *conn, DBusMessage *msg,
++ struct cm_client_info *ci, struct cm_context *ctx)
++{
++ DBusMessage *rep;
++ struct cm_store_ca *ca;
++ ca = get_ca_for_request_message(msg, ctx);
++ if (ca == NULL) {
++ return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
++ }
++ rep = dbus_message_new_method_return(msg);
++ if (rep != NULL) {
++ cm_tdbusm_set_s(rep, ca->cm_store_private);
++ dbus_connection_send(conn, rep, NULL);
++ dbus_message_unref(rep);
++ return DBUS_HANDLER_RESULT_HANDLED;
++ } else {
++ return send_internal_ca_error(conn, msg);
++ }
++}
++
+ /* org.fedorahosted.certonger.ca.refresh */
+ static DBusHandlerResult
+ ca_refresh(DBusConnection *conn, DBusMessage *msg,
+@@ -2262,6 +2283,106 @@ ca_prop_set_external_helper(struct cm_context *ctx, void *parent,
+ }
+
+ static const char *
++ca_prop_get_scep_cipher(struct cm_context *ctx, void *parent,
++ void *record, const char *name)
++{
++ struct cm_store_ca *ca = record;
++
++ if (strcmp(name, CM_DBUS_PROP_SCEP_CIPHER) == 0) {
++ if (ca->cm_ca_type != cm_ca_external) {
++ return "";
++ }
++ if (ca->cm_ca_scep_cipher != NULL) {
++ return ca->cm_ca_scep_cipher;
++ } else {
++ return "";
++ }
++ }
++ return NULL;
++}
++
++static void
++ca_prop_set_scep_cipher(struct cm_context *ctx, void *parent,
++ void *record, const char *name,
++ const char *new_value)
++{
++ const char *propname[2], *path;
++ struct cm_store_ca *ca = record;
++ enum cm_ca_phase phase;
++
++ if (strcmp(name, CM_DBUS_PROP_SCEP_CIPHER) == 0) {
++ if (ca->cm_ca_type != cm_ca_external) {
++ return;
++ }
++ talloc_free(ca->cm_ca_scep_cipher);
++ ca->cm_ca_scep_cipher = new_value ?
++ talloc_strdup(ca, new_value) :
++ NULL;
++ for (phase = 0; phase < cm_ca_phase_invalid; phase++) {
++ cm_restart_ca(ctx, ca->cm_nickname, phase);
++ }
++ propname[0] = CM_DBUS_PROP_SCEP_CIPHER;
++ propname[1] = NULL;
++ path = talloc_asprintf(parent, "%s/%s",
++ CM_DBUS_CA_PATH,
++ ca->cm_busname);
++ cm_tdbush_property_emit_changed(ctx, path,
++ CM_DBUS_CA_INTERFACE,
++ propname);
++ }
++}
++
++static const char *
++ca_prop_get_scep_digest(struct cm_context *ctx, void *parent,
++ void *record, const char *name)
++{
++ struct cm_store_ca *ca = record;
++
++ if (strcmp(name, CM_DBUS_PROP_SCEP_DIGEST) == 0) {
++ if (ca->cm_ca_type != cm_ca_external) {
++ return "";
++ }
++ if (ca->cm_ca_scep_digest != NULL) {
++ return ca->cm_ca_scep_digest;
++ } else {
++ return "";
++ }
++ }
++ return NULL;
++}
++
++static void
++ca_prop_set_scep_digest(struct cm_context *ctx, void *parent,
++ void *record, const char *name,
++ const char *new_value)
++{
++ const char *propname[2], *path;
++ struct cm_store_ca *ca = record;
++ enum cm_ca_phase phase;
++
++ if (strcmp(name, CM_DBUS_PROP_SCEP_DIGEST) == 0) {
++ if (ca->cm_ca_type != cm_ca_external) {
++ return;
++ }
++ talloc_free(ca->cm_ca_scep_digest);
++ ca->cm_ca_scep_digest = new_value ?
++ talloc_strdup(ca, new_value) :
++ NULL;
++ for (phase = 0; phase < cm_ca_phase_invalid; phase++) {
++ cm_restart_ca(ctx, ca->cm_nickname, phase);
++ }
++ propname[0] = CM_DBUS_PROP_SCEP_DIGEST;
++ propname[1] = NULL;
++ path = talloc_asprintf(parent, "%s/%s",
++ CM_DBUS_CA_PATH,
++ ca->cm_busname);
++ cm_tdbush_property_emit_changed(ctx, path,
++ CM_DBUS_CA_INTERFACE,
++ propname);
++ }
++}
++
++static const char *
+ ca_prop_get_scep_ca_identifier(struct cm_context *ctx, void *parent,
+ void *record, const char *name)
+ {
+@@ -7232,6 +7353,14 @@ cm_tdbush_iface_ca(void)
+ if (ret == NULL) {
+ ret = make_interface(CM_DBUS_CA_INTERFACE,
+ make_interface_item(cm_tdbush_interface_method,
++ make_method("get_config_file_path",
++ ca_get_config_file_path,
++ make_method_arg("path",
++ DBUS_TYPE_STRING_AS_STRING,
++ cm_tdbush_method_arg_out,
++ NULL),
++ NULL),
++ make_interface_item(cm_tdbush_interface_method,
+ make_method("get_nickname",
+ ca_get_nickname,
+ make_method_arg("nickname",
+@@ -7483,6 +7612,24 @@ cm_tdbush_iface_ca(void)
+ NULL, NULL, NULL, NULL, NULL,
+ NULL),
+ make_interface_item(cm_tdbush_interface_property,
++ make_property(CM_DBUS_PROP_SCEP_CIPHER,
++ cm_tdbush_property_string,
++ cm_tdbush_property_readwrite,
++ cm_tdbush_property_special,
++ 0,
++ ca_prop_get_scep_cipher, NULL, NULL, NULL, NULL,
++ ca_prop_set_scep_cipher, NULL, NULL, NULL, NULL,
++ NULL),
++ make_interface_item(cm_tdbush_interface_property,
++ make_property(CM_DBUS_PROP_SCEP_DIGEST,
++ cm_tdbush_property_string,
++ cm_tdbush_property_readwrite,
++ cm_tdbush_property_special,
++ 0,
++ ca_prop_get_scep_digest, NULL, NULL, NULL, NULL,
++ ca_prop_set_scep_digest, NULL, NULL, NULL, NULL,
++ NULL),
++ make_interface_item(cm_tdbush_interface_property,
+ make_property(CM_DBUS_PROP_SCEP_CA_IDENTIFIER,
+ cm_tdbush_property_string,
+ cm_tdbush_property_readwrite,
+@@ -7527,7 +7674,7 @@ cm_tdbush_iface_ca(void)
+ NULL, NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL, NULL,
+ NULL),
+- NULL))))))))))))))))))))))))))))))))))));
++ NULL)))))))))))))))))))))))))))))))))))))));
+ }
+ return ret;
+ }
+--
+1.8.3.1
+
diff --git a/SOURCES/0023-Updates-per-Feedback.patch b/SOURCES/0023-Updates-per-Feedback.patch
new file mode 100644
index 0000000..4181934
--- /dev/null
+++ b/SOURCES/0023-Updates-per-Feedback.patch
@@ -0,0 +1,50 @@
+From 43392d48924d6d50ef2712947ddea424e723e171 Mon Sep 17 00:00:00 2001
+From: Trevor Vaughan <tvaughan@onyxpoint.com>
+Date: Tue, 27 Mar 2018 09:28:28 -0400
+Subject: [PATCH 23/25] Updates per Feedback
+
+Ref: #89
+---
+ src/scepgen-o.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/src/scepgen-o.c b/src/scepgen-o.c
+index 07c2b8b..05fc437 100644
+--- a/src/scepgen-o.c
++++ b/src/scepgen-o.c
+@@ -457,7 +457,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
+ _exit(1);
+ }
+
+- cm_log(1, "SCEP cipher authoritatively set to: '%s'\n", scep_cipher);
++ cm_log(1, "SCEP cipher set from configuration to: '%s'\n", scep_cipher);
+ }
+ else {
+ cipher = cm_prefs_nocipher;
+@@ -527,11 +527,11 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
+ digest = cm_prefs_md5;
+ }
+ else {
+- cm_log(1, "Option 'scep_digest' must be one of AES256, AES192, AES128, DES3, or DES. Got '%s'\n", scep_digest);
++ cm_log(1, "Option 'scep_digest' must be one of SHA512, SHA384, SHA256, SHA1, or MD5. Got '%s'\n", scep_digest);
+ _exit(1);
+ }
+
+- cm_log(1, "SCEP digest authoritatively set to: '%s'\n", scep_digest);
++ cm_log(1, "SCEP digest set from configuration to: '%s'\n", scep_digest);
+ }
+ else {
+ pref_digest = cm_prefs_preferred_digest();
+@@ -578,7 +578,8 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
+ }
+ }
+ if (digest == cm_prefs_nodigest) {
+- /* Per the latest Draft RFC */
++ /* Per SCEP RFC draft-gutmann-scep-10 - March 1, 2018 */
++ /* https://www.ietf.org/id/draft-gutmann-scep-10.txt */
+ cm_log(1, "Could not determine supported CA capabilities, using SHA256.\n");
+ digest = cm_prefs_sha256;
+ }
+--
+1.8.3.1
+
diff --git a/SOURCES/0024-Updated-tests.patch b/SOURCES/0024-Updated-tests.patch
new file mode 100644
index 0000000..9abebc1
--- /dev/null
+++ b/SOURCES/0024-Updated-tests.patch
@@ -0,0 +1,224 @@
+From 151699403803230e6d420b422cca13380b36e2a8 Mon Sep 17 00:00:00 2001
+From: Trevor Vaughan <tvaughan@onyxpoint.com>
+Date: Tue, 27 Mar 2018 18:04:34 -0400
+Subject: [PATCH 24/25] Updated tests
+
+Worked around the fact that data under the 'cas' directory is
+dynamically provisioned by moving from `cmp` to `diff -q -I` in
+run-tests.sh and excluding everything in the dynamically generated
+space.
+
+Ref #89
+---
+ tests/028-dbus/expected.out | 42 +++++++++++++++++++++++++++++++++++++++++-
+ tests/033-scep/run.sh | 6 +++---
+ tests/run-tests.sh | 4 +++-
+ 3 files changed, 47 insertions(+), 5 deletions(-)
+
+diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out
+index 4c33e9a..dd9cac1 100644
+--- a/tests/028-dbus/expected.out
++++ b/tests/028-dbus/expected.out
+@@ -536,6 +536,9 @@ After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.Stri
+ </signal>
+ </interface>
+ <interface name="org.fedorahosted.certmonger.ca">
++ <method name="get_config_file_path">
++ <arg name="path" type="s" direction="out"/>
++ </method>
+ <method name="get_nickname">
+ <arg name="nickname" type="s" direction="out"/>
+ </method>
+@@ -580,6 +583,8 @@ After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.Stri
+ <property name="ca-presave-uid" type="s" access="read"/>
+ <property name="ca-postsave-command" type="s" access="read"/>
+ <property name="ca-postsave-uid" type="s" access="read"/>
++ <property name="scep-cipher" type="s" access="readwrite"/>
++ <property name="scep-digest" type="s" access="readwrite"/>
+ <property name="scep-ca-identifier" type="s" access="readwrite"/>
+ <property name="scep-ca-capabilities" type="as" access="read"/>
+ <property name="scep-ra-cert" type="s" access="read"/>
+@@ -588,6 +593,9 @@ After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.Stri
+ </interface>
+ </node>
+
++[ /org/fedorahosted/certmonger/cas/CA1: org.fedorahosted.certmonger.ca.get_config_file_path ]
++$tmpdir/cas/local
++
+ [ /org/fedorahosted/certmonger/cas/CA1: org.fedorahosted.certmonger.ca.get_nickname ]
+ local
+
+@@ -641,6 +649,9 @@ dbus.Array([], signature=dbus.Signature('s'))
+ </signal>
+ </interface>
+ <interface name="org.fedorahosted.certmonger.ca">
++ <method name="get_config_file_path">
++ <arg name="path" type="s" direction="out"/>
++ </method>
+ <method name="get_nickname">
+ <arg name="nickname" type="s" direction="out"/>
+ </method>
+@@ -685,6 +696,8 @@ dbus.Array([], signature=dbus.Signature('s'))
+ <property name="ca-presave-uid" type="s" access="read"/>
+ <property name="ca-postsave-command" type="s" access="read"/>
+ <property name="ca-postsave-uid" type="s" access="read"/>
++ <property name="scep-cipher" type="s" access="readwrite"/>
++ <property name="scep-digest" type="s" access="readwrite"/>
+ <property name="scep-ca-identifier" type="s" access="readwrite"/>
+ <property name="scep-ca-capabilities" type="as" access="read"/>
+ <property name="scep-ra-cert" type="s" access="read"/>
+@@ -693,6 +706,9 @@ dbus.Array([], signature=dbus.Signature('s'))
+ </interface>
+ </node>
+
++[ /org/fedorahosted/certmonger/cas/CA2: org.fedorahosted.certmonger.ca.get_config_file_path ]
++$tmpdir/cas/20180327134236
++
+ [ /org/fedorahosted/certmonger/cas/CA2: org.fedorahosted.certmonger.ca.get_nickname ]
+ SelfSign
+
+@@ -715,7 +731,7 @@ dbus.Array([], signature=dbus.Signature('s'))
+ [ /org/fedorahosted/certmonger/cas/CA2: org.fedorahosted.certmonger.ca.refresh ]
+ 1
+
+-/org/fedorahosted/certmonger/cas/CA2: warning: property org.fedorahosted.certmonger.ca.scep-ca-identifier not settable on this object
++/org/fedorahosted/certmonger/cas/CA2: property org.fedorahosted.certmonger.ca.scep-cipher not set: (, x)
+ [ /org/fedorahosted/certmonger/cas/CA3: org.freedesktop.DBus.Introspectable.Introspect ]
+ <!DOCTYPE node PUBLIC "-//freedesktop//DTD D-BUS Object Introspection 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd">
+@@ -748,6 +764,9 @@ dbus.Array([], signature=dbus.Signature('s'))
+ </signal>
+ </interface>
+ <interface name="org.fedorahosted.certmonger.ca">
++ <method name="get_config_file_path">
++ <arg name="path" type="s" direction="out"/>
++ </method>
+ <method name="get_nickname">
+ <arg name="nickname" type="s" direction="out"/>
+ </method>
+@@ -792,6 +811,8 @@ dbus.Array([], signature=dbus.Signature('s'))
+ <property name="ca-presave-uid" type="s" access="read"/>
+ <property name="ca-postsave-command" type="s" access="read"/>
+ <property name="ca-postsave-uid" type="s" access="read"/>
++ <property name="scep-cipher" type="s" access="readwrite"/>
++ <property name="scep-digest" type="s" access="readwrite"/>
+ <property name="scep-ca-identifier" type="s" access="readwrite"/>
+ <property name="scep-ca-capabilities" type="as" access="read"/>
+ <property name="scep-ra-cert" type="s" access="read"/>
+@@ -800,6 +821,9 @@ dbus.Array([], signature=dbus.Signature('s'))
+ </interface>
+ </node>
+
++[ /org/fedorahosted/certmonger/cas/CA3: org.fedorahosted.certmonger.ca.get_config_file_path ]
++$tmpdir/cas/20180327134236-1
++
+ [ /org/fedorahosted/certmonger/cas/CA3: org.fedorahosted.certmonger.ca.get_nickname ]
+ IPA
+
+@@ -853,6 +877,9 @@ dbus.Array([], signature=dbus.Signature('s'))
+ </signal>
+ </interface>
+ <interface name="org.fedorahosted.certmonger.ca">
++ <method name="get_config_file_path">
++ <arg name="path" type="s" direction="out"/>
++ </method>
+ <method name="get_nickname">
+ <arg name="nickname" type="s" direction="out"/>
+ </method>
+@@ -897,6 +924,8 @@ dbus.Array([], signature=dbus.Signature('s'))
+ <property name="ca-presave-uid" type="s" access="read"/>
+ <property name="ca-postsave-command" type="s" access="read"/>
+ <property name="ca-postsave-uid" type="s" access="read"/>
++ <property name="scep-cipher" type="s" access="readwrite"/>
++ <property name="scep-digest" type="s" access="readwrite"/>
+ <property name="scep-ca-identifier" type="s" access="readwrite"/>
+ <property name="scep-ca-capabilities" type="as" access="read"/>
+ <property name="scep-ra-cert" type="s" access="read"/>
+@@ -905,6 +934,9 @@ dbus.Array([], signature=dbus.Signature('s'))
+ </interface>
+ </node>
+
++[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_config_file_path ]
++$tmpdir/cas/20180327134236-2
++
+ [ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_nickname ]
+ certmaster
+
+@@ -958,6 +990,9 @@ dbus.Array([], signature=dbus.Signature('s'))
+ </signal>
+ </interface>
+ <interface name="org.fedorahosted.certmonger.ca">
++ <method name="get_config_file_path">
++ <arg name="path" type="s" direction="out"/>
++ </method>
+ <method name="get_nickname">
+ <arg name="nickname" type="s" direction="out"/>
+ </method>
+@@ -1002,6 +1037,8 @@ dbus.Array([], signature=dbus.Signature('s'))
+ <property name="ca-presave-uid" type="s" access="read"/>
+ <property name="ca-postsave-command" type="s" access="read"/>
+ <property name="ca-postsave-uid" type="s" access="read"/>
++ <property name="scep-cipher" type="s" access="readwrite"/>
++ <property name="scep-digest" type="s" access="readwrite"/>
+ <property name="scep-ca-identifier" type="s" access="readwrite"/>
+ <property name="scep-ca-capabilities" type="as" access="read"/>
+ <property name="scep-ra-cert" type="s" access="read"/>
+@@ -1010,6 +1047,9 @@ dbus.Array([], signature=dbus.Signature('s'))
+ </interface>
+ </node>
+
++[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_config_file_path ]
++$tmpdir/cas/20180327134236-3
++
+ [ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_nickname ]
+ dogtag-ipa-renew-agent
+
+diff --git a/tests/033-scep/run.sh b/tests/033-scep/run.sh
+index 15480ac..f270a49 100755
+--- a/tests/033-scep/run.sh
++++ b/tests/033-scep/run.sh
+@@ -103,7 +103,7 @@ check_nonce() {
+ fi
+ }
+
+-set_digest md5
++set_digest sha256
+ $toolsdir/scepgen ca entry > scepdata
+
+ echo "[req, no trust root]"
+@@ -135,7 +135,7 @@ grep ^gic: scepdata | cut -f2- -d: | base64 -i -d | $toolsdir/pk7verify -r mini.
+ check_failed
+ echo OK
+ echo "[req, old root]"
+-set_digest md5
++set_digest sha256
+ $toolsdir/scepgen ca entry > scepdata
+ if test x`grep ^req: scepdata | cut -f2- -d:` = x ; then
+ echo missing req
+@@ -145,7 +145,7 @@ check_verified
+ check_msgtype $SCEP_MSGTYPE_PKCSREQ
+ check_txid
+ check_nonce
+-check_digest md5
++check_digest sha256
+ echo OK
+ echo "[gic, old trust root]"
+ set_digest sha1
+diff --git a/tests/run-tests.sh b/tests/run-tests.sh
+index a0f7c2d..266ddc6 100755
+--- a/tests/run-tests.sh
++++ b/tests/run-tests.sh
+@@ -77,7 +77,9 @@ for testid in "$@" $subdirs ; do
+ if ! test -s "$i" ; then
+ break
+ fi
+- if cmp -s "$tmpfile" "$i" 2> /dev/null ; then
++ # This regex needs to be ignored since it is dynamically created at
++ # every CA creation
++ if diff -q -I "tmpdir/cas/[[:digit:]]\+" "$tmpfile" "$i" 2> /dev/null ; then
+ stat=0
+ echo "OK"
+ cp $tmpfile "$builddir"/"$testid"/actual.out
+--
+1.8.3.1
+
diff --git a/SOURCES/0025-Add-cipher-and-digest-difference-messages.patch b/SOURCES/0025-Add-cipher-and-digest-difference-messages.patch
new file mode 100644
index 0000000..f4ec184
--- /dev/null
+++ b/SOURCES/0025-Add-cipher-and-digest-difference-messages.patch
@@ -0,0 +1,38 @@
+From 8ee05aae1f0a85bcd763cde1dfcc8a33be85c35c Mon Sep 17 00:00:00 2001
+From: Trevor Vaughan <tvaughan@onyxpoint.com>
+Date: Wed, 11 Apr 2018 16:01:13 -0400
+Subject: [PATCH 25/25] Add cipher and digest difference messages
+
+Ensure that users know that AES is the cipher and SHA is the digest when
+CA capabilities are not supported.
+
+Ref #89
+---
+ src/scepgen-o.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/scepgen-o.c b/src/scepgen-o.c
+index 05fc437..7120ade 100644
+--- a/src/scepgen-o.c
++++ b/src/scepgen-o.c
+@@ -503,7 +503,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
+ }
+ if (cipher == cm_prefs_nocipher) {
+ /* Per the latest Draft RFC */
+- cm_log(1, "Could not determine supported CA capabilities, using AES256.\n");
++ cm_log(1, "Could not determine supported CA capabilities, using cipher AES256.\n");
+ cipher = cm_prefs_aes256;
+ }
+ }
+@@ -580,7 +580,7 @@ cm_scepgen_o_cooked(struct cm_store_ca *ca, struct cm_store_entry *entry,
+ if (digest == cm_prefs_nodigest) {
+ /* Per SCEP RFC draft-gutmann-scep-10 - March 1, 2018 */
+ /* https://www.ietf.org/id/draft-gutmann-scep-10.txt */
+- cm_log(1, "Could not determine supported CA capabilities, using SHA256.\n");
++ cm_log(1, "Could not determine supported CA capabilities, using digest SHA256.\n");
+ digest = cm_prefs_sha256;
+ }
+ }
+--
+1.8.3.1
+
diff --git a/SPECS/certmonger.spec b/SPECS/certmonger.spec
index f817f50..bc3d46e 100644
--- a/SPECS/certmonger.spec
+++ b/SPECS/certmonger.spec
@@ -26,7 +26,7 @@
Name: certmonger
Version: 0.78.4
-Release: 10%{?dist}
+Release: 11%{?dist}
Summary: Certificate status monitor and PKI enrollment client
Group: System Environment/Daemons
@@ -55,6 +55,13 @@ Patch0016: 0016-MS-cert-template-add-option-to-command-line-programs.patch
Patch0017: 0017-MS-cert-template-validate-argument.patch
Patch0018: 0018-MS-cert-template-add-tests.patch
Patch0019: 0019-Fix-C99-build-error-on-EL7-systems.patch
+Patch0020: 0020-If-stderr-is-not-a-tty-log-to-syslog-so-the-helpers-.patch
+Patch0021: 0021-On-PKCS-7-verify-failures-log-the-PKCS-7-file-fix-va.patch
+Patch0022: 0022-Allow-configuration-of-client-SCEP-algorithms.patch
+Patch0023: 0023-Updates-per-Feedback.patch
+Patch0024: 0024-Updated-tests.patch
+Patch0025: 0025-Add-cipher-and-digest-difference-messages.patch
+
Patch1001: 1001-Remove-rekey-feature.patch
Patch1002: 1002-Fix-CA-option-name-for-ipa-cert-request.patch
@@ -275,6 +282,10 @@ exit 0
%endif
%changelog
+* Tue Feb 12 2019 Rob Crittenden <rcritten@redhat.com> - 0.78.4-11
+- Increase SCEP spec compliance, set more secure default cipher and hash.
+ (#1533216)
+
* Fri Aug 24 2018 Rob Crittenden <rcritten@redhat.com> - 0.78.4-10
- Backport patches to add support for the MS Certificate Template V2
extension (#1622184)