Hi Flo,
Is there anything I can do to help troubleshoot this issue? Or is there
a bugzilla issue I can watch?
Flo wasn't able to reproduce this so there is no bug unless you file one.
I'd look at the CA to see what the signer is:
# certutil -L -d /var/lib/pki/pki-tomcat/ca/alias/
There may be 2 caSigningCert entries, one for each of the external CAs
# certutil -L -d /var/lib/pki/pki-tomcat/ca/alias/ -n 'caSigningCert
cert-pki-ca'
This should show both of them, it can just be confusing since they will
be one right after the other though it won't be clear which one that NSS
is picking for signing. It will confirm (or not) that the CA cert has
been updated at all.
rob
Thanks,
Steve
On Wed, Dec 20, 2017 at 8:32 PM, Steve Dainard <sdainard(a)spd1.com
<mailto:sdainard@spd1.com>> wrote:
On Wed, Dec 20, 2017 at 12:53 AM, Florence Blanc-Renaud
<flo(a)redhat.com <mailto:flo@redhat.com>> wrote:
On 12/19/2017 06:59 PM, Steve Dainard via FreeIPA-users wrote:
Hi Flo,
On Tue, Dec 19, 2017 at 8:17 AM, Florence Blanc-Renaud
<flo(a)redhat.com <mailto:flo@redhat.com>
<mailto:flo@redhat.com <mailto:flo@redhat.com>>> wrote:
On 12/18/2017 08:54 PM, Steve Dainard via FreeIPA-users
wrote:
Hello,
Using freeipa 4.5.
I've replaced an external root CA that had a very
short key, and
have gone through the process of resigning the ipa
intermediate-CA.
I've used ipa-cacert-manage to generate a new csr
and have
signed it with my new external CA. The cert was
successfully
imported.
I also ran ipa-certupdate on 2 of 2 ipa servers and
I can see
the new CA listed on both ipa servers with 'certutil
-L -d
/etc/pki/pki-tomcat/alias'
When I run 'ipa-getcert resubmit -n Server-Cert -d
/etc/httpd/alias' on an ipa server the certificate is
resubmitted, but its still being signed by the old ipa
intermediate-CA.
Hi,
you changed the external root CA when renewing IPA CA,
meaning that
IPA CA has a new cert chain containing the ext root CA,
but IPA CA
keeps the same subject name "CN=Certificate
Authority,O=DOMAIN.COM <
http://DOMAIN.COM>
<
http://DOMAIN.COM>".
The command resubmit asks IPA CA to renew the
Server-Cert. So it is
expected that you see the same "old ipa intermediate CA"
as issuer
of your Server-Cert for HTTPd.
To double check I ran through the process of requesting an
http cert on a new server, and indeed the Issuer CN is the
same "CN=Certificate
Authority,O=DOMAIN.COM
<
http://DOMAIN.COM> <
http://DOMAIN.COM>" (which makes sense
from your answer). But when I look at the http cert I just
requested, the IPA CA cert 'Issued CN' field is the old
external CA.
Hi,
which command are you running to check the IPA CA cert issuer?
I hadn't trusted the new external root CA on my client browser so I
expected a trust exception which I didn't encounter, so I just
looked at the cert in the browser and noticed the ipa CA issuer CN
was the old external ca.
Flo
To get my client cert I followed the process here:
https://www.freeipa.org/page/PKI#Automated_certificate_requests_with_Cert...
<
https://www.freeipa.org/page/PKI#Automated_certificate_requests_with_Cert...;.
One of the first steps is to pull the ipa ca's into the
nssdb. I have 4 certs in that file now which builds the
chain for old ext ca/old ipa ca, new ext ca/new ipa ca. I
don't think this has any impact on the cert request process
but it does show that both chains are in ipa.
I also see in the web ui under Authentication ->
Certificates ->
Certificate Authorities that only one ca named 'ipa'
exists, and
I can see the Issuer DN is still the old root CA.
This is a bug tracked in issue 7316: The Issuer DN field
in IPA is
not updating properly [1]. The webui and the command ipa
ca-show ipa
read the issuer name from an LDAP entry that is not
updated. But if
you look at the content of the certificate, you will be
able to
check that the issuer is indeed the new external root CA.
How can I invalidate the old intermediate-CA so the new
intermediate-CA is used to sign certs going forwards?
Thanks,
Steve
_______________________________________________
FreeIPA-users mailing list --
freeipa-users(a)lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>
<mailto:freeipa-users@lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>>
To unsubscribe send an email to
freeipa-users-leave(a)lists.fedorahosted.org
<mailto:freeipa-users-leave@lists.fedorahosted.org>
<mailto:freeipa-users-leave@lists.fedorahosted.org
<mailto:freeipa-users-leave@lists.fedorahosted.org>>
HTH,
Flo
[1]
https://pagure.io/freeipa/issue/7316
<
https://pagure.io/freeipa/issue/7316>
<
https://pagure.io/freeipa/issue/7316
<
https://pagure.io/freeipa/issue/7316>>
_______________________________________________
FreeIPA-users mailing list --
freeipa-users(a)lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>
To unsubscribe send an email to
freeipa-users-leave(a)lists.fedorahosted.org
<mailto:freeipa-users-leave@lists.fedorahosted.org>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org