Hi Flo,
Is there anything I can do to help troubleshoot this issue? Or is there a
bugzilla issue I can watch?
Thanks,
Steve
On Wed, Dec 20, 2017 at 8:32 PM, Steve Dainard <sdainard(a)spd1.com> wrote:
On Wed, Dec 20, 2017 at 12:53 AM, Florence Blanc-Renaud <flo(a)redhat.com>
wrote:
> On 12/19/2017 06:59 PM, Steve Dainard via FreeIPA-users wrote:
>
>> Hi Flo,
>>
>>
>> On Tue, Dec 19, 2017 at 8:17 AM, Florence Blanc-Renaud <flo(a)redhat.com
>> <mailto:flo@redhat.com>> wrote:
>>
>> On 12/18/2017 08:54 PM, Steve Dainard via FreeIPA-users wrote:
>>
>> Hello,
>>
>> Using freeipa 4.5.
>>
>> I've replaced an external root CA that had a very short key, and
>> have gone through the process of resigning the ipa
>> intermediate-CA.
>>
>> I've used ipa-cacert-manage to generate a new csr and have
>> signed it with my new external CA. The cert was successfully
>> imported.
>>
>> I also ran ipa-certupdate on 2 of 2 ipa servers and I can see
>> the new CA listed on both ipa servers with 'certutil -L -d
>> /etc/pki/pki-tomcat/alias'
>>
>> When I run 'ipa-getcert resubmit -n Server-Cert -d
>> /etc/httpd/alias' on an ipa server the certificate is
>> resubmitted, but its still being signed by the old ipa
>> intermediate-CA.
>>
>> Hi,
>>
>> you changed the external root CA when renewing IPA CA, meaning that
>> IPA CA has a new cert chain containing the ext root CA, but IPA CA
>> keeps the same subject name "CN=Certificate
Authority,O=DOMAIN.COM
>> <
http://DOMAIN.COM>".
>>
>> The command resubmit asks IPA CA to renew the Server-Cert. So it is
>> expected that you see the same "old ipa intermediate CA" as issuer
>> of your Server-Cert for HTTPd.
>>
>>
>> To double check I ran through the process of requesting an http cert on
>> a new server, and indeed the Issuer CN is the same "CN=Certificate
>>
Authority,O=DOMAIN.COM <
http://DOMAIN.COM>" (which makes sense from
>> your answer). But when I look at the http cert I just requested, the IPA CA
>> cert 'Issued CN' field is the old external CA.
>>
>> Hi,
>
> which command are you running to check the IPA CA cert issuer?
>
I hadn't trusted the new external root CA on my client browser so I
expected a trust exception which I didn't encounter, so I just looked at
the cert in the browser and noticed the ipa CA issuer CN was the old
external ca.
>
> Flo
>
> To get my client cert I followed the process here:
>>
https://www.freeipa.org/page/PKI#Automated_certificate_reque
>> sts_with_Certmonger. One of the first steps is to pull the ipa ca's
>> into the nssdb. I have 4 certs in that file now which builds the chain for
>> old ext ca/old ipa ca, new ext ca/new ipa ca. I don't think this has any
>> impact on the cert request process but it does show that both chains are in
>> ipa.
>>
>>
>>
>> I also see in the web ui under Authentication -> Certificates ->
>> Certificate Authorities that only one ca named 'ipa' exists, and
>> I can see the Issuer DN is still the old root CA.
>>
>>
>> This is a bug tracked in issue 7316: The Issuer DN field in IPA is
>> not updating properly [1]. The webui and the command ipa ca-show ipa
>> read the issuer name from an LDAP entry that is not updated. But if
>> you look at the content of the certificate, you will be able to
>> check that the issuer is indeed the new external root CA.
>>
>>
>> How can I invalidate the old intermediate-CA so the new
>> intermediate-CA is used to sign certs going forwards?
>>
>>
>> Thanks,
>> Steve
>>
>>
>> _______________________________________________
>> FreeIPA-users mailing list --
>> freeipa-users(a)lists.fedorahosted.org
>> <mailto:freeipa-users@lists.fedorahosted.org>
>> To unsubscribe send an email to
>> freeipa-users-leave(a)lists.fedorahosted.org
>> <mailto:freeipa-users-leave@lists.fedorahosted.org>
>>
>>
>> HTH,
>> Flo
>>
>> [1]
https://pagure.io/freeipa/issue/7316
>> <
https://pagure.io/freeipa/issue/7316>
>>
>>
>>
>>
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedo
>>
rahosted.org
>>
>>
>