Charles Hedrick via FreeIPA-users wrote:
the error is
The KDC certificate in cert.pem, privkey.pem is not valid: invalid for a KDC
A PKINIT certificate needs an EKU extension, https://datatracker.ietf.org/doc/html/rfc4556
When generating the key with OpenSSL you need to include "-extensions kdc_cert"
rob
*From:* Charles Hedrick via FreeIPA-users freeipa-users@lists.fedorahosted.org *Sent:* Wednesday, June 15, 2022 3:39 PM *To:* freeipa-users@lists.fedorahosted.org freeipa-users@lists.fedorahosted.org *Cc:* Charles Hedrick hedrick@rutgers.edu *Subject:* [Freeipa-users] ipa-server-certinstall -k
ipa-server-certinstall works fine for http and ldap. But I can't get the -k option to work.
I've tried cert.pem and privkey.pem with and without chain.pem, as well as fullchain.pem and privkey.pem (fullchain has both the cert and the chain).
The certs were issued by Internet2, which chains up to addtrust.
kinit -n works fine if I install the pem files manually, so presumably my files are valid.
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
On Wed, Jun 15, 2022 at 04:23:30PM -0400, Rob Crittenden via FreeIPA-users wrote:
Charles Hedrick via FreeIPA-users wrote:
the error is
The KDC certificate in cert.pem, privkey.pem is not valid: invalid for a KDC
A PKINIT certificate needs an EKU extension, https://datatracker.ietf.org/doc/html/rfc4556
When generating the key with OpenSSL you need to include "-extensions kdc_cert"
It's unlikely that publicly trusted CAs will issue certs with id-pkinit-KPKdc in EKU. CABForum Baseline Requirements[1] 7.1.2.3(f) says:
Either the value id-kp-serverAuth [RFC5280] or id-kp-clientAuth [RFC5280] or both values MUST be present. id-kp-emailProtection [RFC5280] MAY be present. Other values SHOULD NOT be present.
[1]: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.8.4.pdf
Charles, you might need to use a certificate issued directly by the IPA CA for your KDC, or else do without PKINIT.
Thanks, Fraser
Keeping our own certificates up to date on the various types of clients is messy enough that we gave up on that.
The only thing we would actually use it for is kinit -n, to bootstrap kinit for OTP. While kinit -n would be the most elegant way to do it, we have several other approaches.
Documentation seems to say that if pkinit_eku_checking is set to kpServerAuth, we don't need the extension. I've found that kinit -n actually does work when the client sets this. However I have to install the certificates manually on the KDC, since the command won't do it.
________________________________ From: Fraser Tweedale ftweedal@redhat.com Sent: Sunday, June 19, 2022 11:34 PM To: Charles Hedrick hedrick@rutgers.edu; Rob Crittenden via FreeIPA-users freeipa-users@lists.fedorahosted.org Cc: Rob Crittenden rcritten@redhat.com Subject: Re: [Freeipa-users] Re: ipa-server-certinstall -k
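Added example, not code from the thread or from the FreeIPA project: a POSIX shell script that builds two self-signed test certificates with OpenSSL, one from a kdc_cert extension section modelled on the MIT krb5 PKINIT documentation (carrying id-pkinit-KPKdc, OID 1.3.6.1.5.2.3.5, the EKU Rob and Fraser refer to) and one with only serverAuth/clientAuth as a public CA bound by the Baseline Requirements would issue, then judges each certificate the way the three krb5.conf pkinit_eku_checking values Charles mentions (kpKDC, the default; kpServerAuth; none) would. The realm EXAMPLE.TEST, the host kdc.example.test and the section names are assumptions; the check relies on `openssl x509 -text`, which prints known EKUs by name and unknown ones numerically, so both spellings are matched.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): make a PKINIT-capable KDC
# test cert and a serverAuth-only cert, then apply the pkinit_eku_checking
# policy to each. Assumed values: realm EXAMPLE.TEST, host kdc.example.test.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extension sections modelled on the MIT krb5 PKINIT docs. kdc_cert carries
# the id-pkinit-KPKdc EKU (1.3.6.1.5.2.3.5) and the krbtgt/EXAMPLE.TEST
# principal in a SAN otherName; web_cert is what a public CA would issue.
cat > "$WORK/kdc.cnf" <<'EOF'
[req]
distinguished_name=dn
prompt=no
[dn]
CN=kdc.example.test
[kdc_cert]
basicConstraints=CA:FALSE
keyUsage=nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage=1.3.6.1.5.2.3.5
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
[kdc_princ_name]
realm=EXP:0,GeneralString:EXAMPLE.TEST
principal_name=EXP:1,SEQUENCE:kdc_principal_seq
[kdc_principal_seq]
name_type=EXP:0,INTEGER:2
name_string=EXP:1,SEQUENCE:kdc_principals
[kdc_principals]
princ1=GeneralString:krbtgt
princ2=GeneralString:EXAMPLE.TEST
[web_cert]
basicConstraints=CA:FALSE
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=DNS:kdc.example.test
EOF

# make_cert <extension section> <basename>: one-day self-signed RSA cert,
# with -extensions selecting the section exactly as Rob's reply describes.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$WORK/kdc.cnf" -extensions "$1" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.pem" 2>/dev/null
}

# eku_line <cert>: the line following the Extended Key Usage header in the
# -text dump, i.e. the list of EKU values.
eku_line() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/X509v3 Extended Key Usage/{n;p;}'
}

# OpenSSL names id-pkinit-KPKdc "Signing KDC Response" (short name pkInitKDC)
# when it knows the OID and prints it numerically otherwise.
has_kdc_eku() {
    eku_line "$1" | grep -Eq 'Signing KDC Response|pkInitKDC|1\.3\.6\.1\.5\.2\.3\.5'
}

# id-kp-serverAuth is 1.3.6.1.5.5.7.3.1, printed as "TLS Web Server Authentication".
has_server_auth_eku() {
    eku_line "$1" | grep -Eq 'TLS Web Server Authentication|serverAuth|1\.3\.6\.1\.5\.5\.7\.3\.1'
}

# pkinit_accepts <cert> <mode>: prints yes/no for the krb5.conf
# pkinit_eku_checking modes. kpKDC demands id-pkinit-KPKdc; kpServerAuth
# also accepts id-kp-serverAuth; none skips the EKU check entirely.
pkinit_accepts() {
    case "$2" in
        kpKDC)        if has_kdc_eku "$1"; then echo yes; else echo no; fi ;;
        kpServerAuth) if has_kdc_eku "$1" || has_server_auth_eku "$1"; then echo yes; else echo no; fi ;;
        none)         echo yes ;;
        *)            echo "unknown pkinit_eku_checking value: $2" >&2; return 2 ;;
    esac
}

make_cert kdc_cert kdc
make_cert web_cert web

for c in kdc web; do
    printf '%s.pem  EKU: %s\n' "$c" "$(eku_line "$WORK/$c.pem" | sed 's/^ *//')"
    for mode in kpKDC kpServerAuth none; do
        printf '    pkinit_eku_checking=%-12s -> %s\n' "$mode" "$(pkinit_accepts "$WORK/$c.pem" "$mode")"
    done
done
```

The policy function mirrors what a krb5 client does when it validates the KDC's certificate. It is not the check inside ipa-server-certinstall -k, which, as the thread shows, rejects a certificate lacking the KDC EKU with "invalid for a KDC" regardless of what clients are configured to accept; that is why Charles still had to place the files on the KDC by hand even though kinit -n worked with kpServerAuth on the client side.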