The profile: it literally was the caUserCert.cfg profile with a few minor changes: removed the RSA 1024 key length and removed the MD5 encryption algorithms.
Command sequence:
Add the modified profile:
ipa certprofile-import caUserCert --file caUserCert_mod.cfg --store TRUE --desc "User certificate used for authentication"
Created a dpatte.conf file that has the exact same entries as in your instructions. Requested a key and CSR file:
openssl req -new -key key.pem -out dpatte.csr -config dpatte.conf
ipa cert-request dpatte.csr --principal dpatte --profile-id caUserCert
Result: "Subject Name Not Found"
The debug log shows a trace of a Java error. Just a guess on my part, but I suspect that the caUserCert profile requires three inputs, one of which is subjectNameinputImpl. I suspect what I'm providing isn't what is required, hence the first line of the Java trace in the debug file: "at com.netscape.cms.profile.input.SubjectNameInput.populate(SubjectNameInput.java:269)"
I've followed your blog post using caIPAserviceCert.cfg, making modifications to some defaults/constraints (like above), and it works. Now my SSH keys don't work to permit access to systems. Can I have both a cert and SSH keys? When I have a cert, the ssh logs say my SSH key has been rejected by the server. When I remove the cert, the SSH key is accepted.
Thanks for the insight and help!
David Patterson
-----Original Message-----
From: Fraser Tweedale <ftweedal(a)redhat.com>
Sent: Sunday, July 07, 2019 11:55 PM
To: Patterson, David <dpatte(a)sandia.gov>
Subject: [EXTERNAL] Re: caUserCert
On Wed, Jul 03, 2019 at 08:42:41PM +0000, Patterson, David wrote:
> Hello,
>
> I followed your blog post from 8-6-2015 about User Certificates and
> Custom Profiles with FreeIPA 4.2 to attempt to create user
> certificates. I'm trying to use the caUserCert template, instead of
> the caIPAserviceCert template.
>
> I've tried variations on different CN=, even modified my ldap entry to
> change my CN to dpatte, but always this error:
> ipa: ERROR: Request failed with status 500: Non-2xx response from CA REST
> API: 500. Subject Name Not Found
>
> I've done a bunch of googling to see what this error means, but
> never found an answer. Can you shed some light?
>
> Thanks!
>
> David Patterson
> Sandia National Laboratories
>
Hi David,
Sorry for belated reply; I was on vacation last week.
The "outer" part of the error comes from the FreeIPA server when a backend HTTP request to the Dogtag CA fails. The "inner" part ("Subject Name Not Found") is used by several Dogtag profile components, and usually indicates that something went wrong constructing the certificate Subject DN.
Can you please provide more detail: what is the profile configuration, what is the exact sequence of commands leading to the failure? The debug log from /var/log/pki/pki-tomcat/ca/ may also shed some light.
Do you want to Cc the public mailing list freeipa-users(a)lists.fedorahosted.org? Then others besides me could assist (and benefit from the solution). Up to you of course.
Cheers,
Fraser