Hi Flo,
On 12/12/17 2:50 PM, Florence Blanc-Renaud via FreeIPA-users wrote:
> On 12/10/2017 10:58 AM, Harald Dunkel via FreeIPA-users wrote:
>> Hi Flo,
>>
>> On 12/08/17 15:36, Florence Blanc-Renaud via FreeIPA-users wrote:
>>> Hi,
>>>
>>> I would try to remove the new root CA from LDAP and re-import it using
>>> ipa-cacert-manage install -t C,,
>>> This should create the entry with the appropriate attributes.
>>>
>>> Flo
>> Result: The new root CA certificate shows much better attributes in ldap:
>>
>> dn: cn=CN\3Droot-CA\2COU\3Dexample Certificate Authority\2CO\3Dexample AG\2CC\3DDE,cn=certificates,cn=ipa,cn=etc,dc=example,dc=de
>> ipaKeyExtUsage: 1.3.6.1.5.5.7.3.1
>> cn: CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE
>> objectClass: ipaCertificate
>> objectClass: pkiCA
>> objectClass: ipaKeyPolicy
>> objectClass: top
>> ipaCertSubject: CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE
>> ipaPublicKey:: MIICIjAN...
>> cACertificate;binary:: MIIGDTCC...
>> ipaKeyTrust: trusted
>> ipaCertIssuerSerial: CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE;1
>>
>>
>> A lot of ipaKeyExtUsage attributes appear to be missing, though, compared to the
>> old root CA certificate. Is this expected?
>>
> The ipaKeyExtUsage attribute is built from the trust flags provided to ipa-cacert-manage
> install, so it looks normal for me.
My concern is, it looks much more restricted than the old root CA
certificate:
# certutil -L -d /var/lib/pki/pki-tomcat/ca/alias
Certificate Nickname                                                     Trust Attributes
                                                                         SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                                                  u,u,u
subsystemCert cert-pki-ca                                                u,u,u
caSigningCert cert-pki-ca                                                CTu,Cu,Cu
auditSigningCert cert-pki-ca                                             u,u,Pu
ocspSigningCert cert-pki-ca                                              u,u,u
CN=example Root CA,OU=example Certificate Authority,O=example AG,C=DE    CT,C,C
CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE            C,,
Shouldn't it be "CT,C,C" as well?
>>
> ipa-certupdate needs to be run with a kerberos ticket. Did you run kinit admin before
> launching the command, and is your ticket still valid (klist will provide the expiration
> date)?
Nope, that was the problem. I was just looking for the certificate,
ignoring Kerberos.
ipa-certupdate said
# ipa-certupdate
trying https://ipa1.example.de/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://ipa1.example.de/ipa/json'
trying https://ipa1.example.de/ipa/json
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://ipa1.example.de/ipa/json'
[try 1]: Forwarding 'ca_find/1' to json server 'https://ipa1.example.de/ipa/json'
Systemwide CA database updated.
Systemwide CA database updated.
The ipa-certupdate command was successful
dmesg shows that there was a core dump:
[108604.869633] ns-slapd[23051]: segfault at 10 ip 00007fb60841dc30 sp 00007fb60af56c88 error 4 in libpthread-2.17.so[7fb608414000+17000]
Problem: The certificate in /etc/ipa/ca.crt and /usr/share/ipa/html/ca.crt
is still old. The files have been touched, but not replaced by the new
certificate.
Regards
Harri
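For the trust-flag question in this thread (whether the new root CA installed with "C,," should carry "CT,C,C" like the old one), here is an added example that is not from the thread or from FreeIPA: it parses the certutil -L listing quoted above and derives, per entry, the EKU OIDs the NSS trust flags imply, so the two root CAs can be compared. The slot-to-OID mapping (C in the SSL slot gives serverAuth 1.3.6.1.5.5.7.3.1, which matches the single ipaKeyExtUsage shown for "C,,"; T in the SSL slot gives clientAuth; the S/MIME and JAR/XPI slots give emailProtection and codeSigning) is this example's own assumption based on NSS flag semantics, not a description of how FreeIPA computes the attribute.

```python
import re
# Constructed sample input: the certutil -L listing quoted in the thread
# (nickname column, then the SSL,S/MIME,JAR/XPI trust attributes).
CERTUTIL_OUTPUT = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                                      u,u,u
subsystemCert cert-pki-ca                                    u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,u
CN=example Root CA,OU=example Certificate Authority,O=example AG,C=DE CT,C,C
CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE C,,
"""
# Assumed slot-to-EKU mapping (NSS flag semantics, not FreeIPA's code);
# serverAuth is the single OID the thread shows for a CA installed with "C,,".
SLOT_EKU = ("1.3.6.1.5.5.7.3.1",   # SSL slot     -> serverAuth
            "1.3.6.1.5.5.7.3.4",   # S/MIME slot  -> emailProtection
            "1.3.6.1.5.5.7.3.3")   # JAR/XPI slot -> codeSigning
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # "T" in the SSL slot -> clientAuth

# A data row is a nickname followed by three comma-separated slots of flag letters.
ROW_RE = re.compile(r"^(?P<nick>\S.*?)\s+(?P<flags>[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*)$")

def parse_certutil(text):
    """Map nickname -> (ssl, smime, objsign) flag strings from certutil -L output."""
    entries = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.rstrip())
        if m:
            entries[m.group("nick")] = tuple(m.group("flags").split(","))
    return entries

def eku_from_flags(flags):
    """EKU OIDs the trust flags imply; empty for entries that are not a trusted CA."""
    ekus = {oid for slot, oid in zip(flags, SLOT_EKU) if "C" in slot or "T" in slot}
    if "T" in flags[0]:
        ekus.add(CLIENT_AUTH)
    return ekus

def narrower_than(entries, reference, nick):
    """EKUs the reference CA is trusted for that `nick` lacks (the thread's question)."""
    return eku_from_flags(entries[reference]) - eku_from_flags(entries[nick])

if __name__ == "__main__":
    db = parse_certutil(CERTUTIL_OUTPUT)
    old = "CN=example Root CA,OU=example Certificate Authority,O=example AG,C=DE"
    new = "CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE"
    print("new root CA trusted for:", sorted(eku_from_flags(db[new])))
    print("missing vs old root CA:", sorted(narrower_than(db, old, new)))
```

Run against the real listing with `certutil -L -d <nssdb> | python3 -c 'import sys; ...'` or by reading the output into CERTUTIL_OUTPUT; any CA whose set is narrower than the reference is one to recheck before trusting it for those usages.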