On Wed, Dec 20, 2017 at 12:53 AM, Florence Blanc-Renaud <flo(a)redhat.com>
wrote:
On 12/19/2017 06:59 PM, Steve Dainard via FreeIPA-users wrote:
> Hi Flo,
>
>
> On Tue, Dec 19, 2017 at 8:17 AM, Florence Blanc-Renaud <flo(a)redhat.com> wrote:
>
> On 12/18/2017 08:54 PM, Steve Dainard via FreeIPA-users wrote:
>
> Hello,
>
> Using freeipa 4.5.
>
> I've replaced an external root CA that had a very short key, and
> have gone through the process of resigning the ipa
> intermediate-CA.
>
> I've used ipa-cacert-manage to generate a new csr and have
> signed it with my new external CA. The cert was successfully
> imported.
>
> I also ran ipa-certupdate on 2 of 2 ipa servers and I can see
> the new CA listed on both ipa servers with 'certutil -L -d
> /etc/pki/pki-tomcat/alias'
>
> When I run 'ipa-getcert resubmit -n Server-Cert -d
> /etc/httpd/alias' on an ipa server the certificate is
> resubmitted, but its still being signed by the old ipa
> intermediate-CA.
>
> Hi,
>
> you changed the external root CA when renewing IPA CA, meaning that
> IPA CA has a new cert chain containing the ext root CA, but IPA CA
> keeps the same subject name "CN=Certificate Authority,O=DOMAIN.COM".
>
> The command resubmit asks IPA CA to renew the Server-Cert. So it is
> expected that you see the same "old ipa intermediate CA" as issuer
> of your Server-Cert for HTTPd.
>
>
> To double check I ran through the process of requesting an http cert on a
> new server, and indeed the Issuer CN is the same "CN=Certificate
> Authority,O=DOMAIN.COM" (which makes sense from your
> answer). But when I look at the http cert I just requested, the IPA CA cert
> 'Issued CN' field is the old external CA.
>
> Hi,
> which command are you running to check the IPA CA cert issuer?

I hadn't trusted the new external root CA on my client browser so I
expected a trust exception which I didn't encounter, so I just looked at
the cert in the browser and noticed the ipa CA issuer CN was the old
external ca.

> Flo
>
> To get my client cert I followed the process here:
> https://www.freeipa.org/page/PKI#Automated_certificate_requests_with_Certmonger.
> One of the first steps is to pull the ipa ca's into
> the nssdb. I have 4 certs in that file now which builds the chain for old
> ext ca/old ipa ca, new ext ca/new ipa ca. I don't think this has any impact
> on the cert request process but it does show that both chains are in ipa.
>
>
>
> I also see in the web ui under Authentication -> Certificates ->
> Certificate Authorities that only one ca named 'ipa' exists, and
> I can see the Issuer DN is still the old root CA.
>
>
> This is a bug tracked in issue 7316: The Issuer DN field in IPA is
> not updating properly [1]. The webui and the command ipa ca-show ipa
> read the issuer name from an LDAP entry that is not updated. But if
> you look at the content of the certificate, you will be able to
> check that the issuer is indeed the new external root CA.
>
>
> How can I invalidate the old intermediate-CA so the new
> intermediate-CA is used to sign certs going forwards?
>
>
> Thanks,
> Steve
>
>
> _______________________________________________
> FreeIPA-users mailing list --
> freeipa-users(a)lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>
> To unsubscribe send an email to
> freeipa-users-leave(a)lists.fedorahosted.org
> <mailto:freeipa-users-leave@lists.fedorahosted.org>
>
>
> HTH,
> Flo
>
> [1] https://pagure.io/freeipa/issue/7316
>
>
>
>
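An added example, not from this thread and not FreeIPA's own code, that reproduces Flo's point with throw-away OpenSSL keys so the fields can be compared directly instead of eyeballed in a browser. It assumes only the openssl CLI is installed and that the renewal reused the IPA CA key pair (the CSR produced by ipa-cacert-manage is for the existing key). "Old External Root CA", "New External Root CA", ipa.domain.com and every file name below are constructed; DOMAIN.COM is the placeholder used in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): one IPA CA key, one CSR, signed first
# by an old external root and then by a new one. Shows why the Server-Cert
# issuer string does not change and which chains a client can still build.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/openssl.cnf"

# Minimal config so the script does not depend on the system openssl.cnf.
cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
EOF

# Self-signed external root CA (stands in for the customer's root).
make_root() {   # $1 = tag, $2 = CN (constructed names)
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$CNF" -extensions v3_ca -subj "/CN=$2" \
        -keyout "$WORK/$1-root.key" -out "$WORK/$1-root.pem" 2>/dev/null
}

# Sign the IPA CA CSR with a root. The CSR and key are the same each time:
# same subject, new issuer, which is what a renewal against a new root does.
sign_ipa_ca() {  # $1 = root tag, $2 = output tag
    openssl x509 -req -in "$WORK/ipa-ca.csr" -days 30 -sha256 \
        -CA "$WORK/$1-root.pem" -CAkey "$WORK/$1-root.key" -CAcreateserial \
        -extfile "$CNF" -extensions v3_ca -out "$WORK/ipa-ca-$2.pem" 2>/dev/null
}

# Print the DN fields in RFC 2253 form, without the "subject=" / "issuer=" prefix.
cert_subject() { openssl x509 -noout -nameopt RFC2253 -subject -in "$1" | sed 's/^[a-z]*= *//'; }
cert_issuer()  { openssl x509 -noout -nameopt RFC2253 -issuer  -in "$1" | sed 's/^[a-z]*= *//'; }

# Returns 0 when the leaf chains to the given root through the given IPA CA cert.
chain_ok() {     # $1 = root pem, $2 = ipa ca pem, $3 = leaf pem
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# One IPA CA key, one CSR, two signatures (old root, then new root).
openssl genrsa -out "$WORK/ipa-ca.key" 2048 2>/dev/null
openssl req -new -key "$WORK/ipa-ca.key" -config "$CNF" \
    -subj "/O=DOMAIN.COM/CN=Certificate Authority" -out "$WORK/ipa-ca.csr" 2>/dev/null
make_root old "Old External Root CA"
make_root new "New External Root CA"
sign_ipa_ca old old
sign_ipa_ca new new

# A Server-Cert issued by the IPA CA key after the renewal (constructed hostname).
openssl req -new -newkey rsa:2048 -nodes -config "$CNF" \
    -subj "/CN=ipa.domain.com" -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -in "$WORK/server.csr" -days 30 -sha256 \
    -CA "$WORK/ipa-ca-new.pem" -CAkey "$WORK/ipa-ca.key" -CAcreateserial \
    -extfile "$CNF" -extensions v3_leaf -out "$WORK/server.pem" 2>/dev/null

echo "IPA CA subject (old): $(cert_subject "$WORK/ipa-ca-old.pem")"
echo "IPA CA subject (new): $(cert_subject "$WORK/ipa-ca-new.pem")"
echo "IPA CA issuer  (old): $(cert_issuer  "$WORK/ipa-ca-old.pem")"
echo "IPA CA issuer  (new): $(cert_issuer  "$WORK/ipa-ca-new.pem")"
echo "Server-Cert issuer:   $(cert_issuer  "$WORK/server.pem")"

# The same CA key sits behind both IPA CA certs, so a client holding the old
# root and the old IPA CA cert still validates the new Server-Cert.
for pair in "new new" "old old" "old new"; do
    set -- $pair
    if chain_ok "$WORK/$1-root.pem" "$WORK/ipa-ca-$2.pem" "$WORK/server.pem"; then
        echo "verify: $1 root + $2 IPA CA cert -> OK"
    else
        echo "verify: $1 root + $2 IPA CA cert -> FAIL"
    fi
done
```

The subject of the IPA CA certificate is identical before and after the renewal, so every certificate it issues keeps showing "CN=Certificate Authority,O=DOMAIN.COM" as issuer; only the IPA CA certificate's own issuer field moves to the new root. The verify loop also shows the consequence for trust: since the key pair did not change, the old root plus the old IPA CA certificate still validate new server certificates, so retiring the old chain is a matter of removing the old root from client trust stores rather than anything the IPA CA can do by itself.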