Hi all,
For a project we want to use FreeIPA with external CA. We are using v4.6.6 on centos7.8.
The guides instruct to use command "ipa-server-install --external-ca", get the CSR and run the install command again using the signed certificate.
Issue 1: key length is 2048
Fix: Found that this can be changed in file /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py
Add under "# CA key algorithm": config.set("CA", "pki_ca_signing_key_size", 4096)
Issue 2: Subject DN
The subject on the certificate request is "CN=Certificate Authority,O=[realm]" but the root-ca requires us to have in the format: CN=FREEIPA 2020,serialNumber=XxXx,O=xxx,C=XX
Q: Is it possible to install the FreeIPA server using the external root-ca and a signed certificate from the beginning? (csr created outside ipa-server-install command)
Q: Is it possible to alter the information on the certificate request to match the root-ca’s requirements?
Thanks, Anestis
On Tue, Nov 17, 2020 at 12:53:19PM -0000, A. Karampatziakis via FreeIPA-users wrote:
> Hi all,
> For a project we want to use FreeIPA with external CA. We are using v4.6.6 on centos7.8.
> The guides instruct to use command "ipa-server-install --external-ca", get the CSR and run the install command again using the signed certificate.
> Issue 1: key length is 2048
> Fix: Found that this can be changed in file /usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py
> Add under "# CA key algorithm": config.set("CA", "pki_ca_signing_key_size", 4096)
> Issue 2: Subject DN
> The subject on the certificate request is "CN=Certificate Authority,O=[realm]" but the root-ca requires us to have in the format: CN=FREEIPA 2020,serialNumber=XxXx,O=xxx,C=XX
> Q: Is it possible to install the FreeIPA server using the external root-ca and a signed certificate from the beginning? (csr created outside ipa-server-install command)
Not at this time. Maybe in the future.
> Q: Is it possible to alter the information on the certificate request to match the root-ca's requirements?
Use the `--ca-subject' option of ipa-server-install.
Cheers, Fraser
Hi Fraser,
Thanks for the quick reply. We had tried the --ca-subject before with no success.. It turns out the problem was with the order of the components in the DN. Your comment helped to go through the contents of the files once more. :)
The csr had:
Subject: CN = XXxXxxX YYyY, O = XXxX XxX, C = XX
Whereas the certificate returned by the root-ca had:
Subject: C = XX, O = XXxX XxX, CN = XXxXxxX YYyY
FreeIPA was giving a clear enough message..
ipapython.admintool: ERROR IPA CA certificate with subject 'CN=XXxXXX,O=XXxXX,C=XX' was not found in /root/server.crt,/root/ca.crt.
Regards, Anestis
On Tue, Nov 17, 2020 at 06:21:51PM -0000, A. Karampatziakis via FreeIPA-users wrote:
> Hi Fraser,
> Thanks for the quick reply. We had tried the --ca-subject before with no success.. It turns out the problem was with the order of the components in the DN. Your comment helped to go through the contents of the files once more. :)
> The csr had:
> Subject: CN = XXxXxxX YYyY, O = XXxX XxX, C = XX
> Whereas the certificate returned by the root-ca had:
> Subject: C = XX, O = XXxX XxX, CN = XXxXxxX YYyY
> FreeIPA was giving a clear enough message..
> ipapython.admintool: ERROR IPA CA certificate with subject 'CN=XXxXXX,O=XXxXX,C=XX' was not found in /root/server.crt,/root/ca.crt.
Hi Anestis,
So the root CA is reordering the RDNs. What software is used by the root CA? Maybe its configuration or the certificate profile/template can be altered to give the desired result.
Otherwise, try again using --ca-subject but give the RDNs in the order the CA used (C,O,CN). Maybe the CA will agree (or maybe it will reverse the order back to CN,O,C).
Note that different programs express RDNs in different order. FreeIPA and NSS have the "most specific" RDN at the left, whereas OpenSSL has the "most specific" RDN at the right. It is possible this resulted in a confusion and misconfiguration somewhere?
Cheers, Fraser
> Regards, Anestis
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Yes, that appears to be the problem. We have not confirmed it yet with the customer, but tests we did with a test root-ca (openssl) did show that the certificate needs to have the same order of the DN components as the csr in order for FreeIPA to accept it.
Our tests also showed that we can set the order on both sides, meaning that the FreeIPA server accepted the certificate if it was signed with
(FreeIPA and NSS) CSR: CN,O,C CERT: CN,O,C
and
(OpenSSL) CSR: C,O,CN CERT: C,O,CN
The order of the values can be configured either on the FreeIPA server when creating the csr, by rearranging the order of the DN components, or on the root-ca end by modifying the configuration file openssl uses:
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
name = optional
emailAddress = optional
Thanks, Anestis
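Added example (Python, written for this page; not code from the thread or from FreeIPA) of the check the last two messages describe: parse the CSR subject and the subject of the certificate the root CA returned as ordered RDN sequences, and tell a reversed order apart from a real mismatch before re-running ipa-server-install. The DN values are constructed placeholders standing in for the masked ones above.

```python
# Added example, not code from the thread or from FreeIPA: compare the subject of
# the CSR that ipa-server-install --external-ca produced with the subject of the
# certificate the external root CA returned, as ordered RDN sequences. FreeIPA
# rejects the certificate when the RDN order differs, even if the values match.
import re
from typing import List, Tuple

RDN = Tuple[str, str]  # (attribute type, value), e.g. ("CN", "Certificate Authority")


def parse_dn(dn: str) -> List[RDN]:
    """Parse 'CN = a, O = b' (openssl -subject style) or 'CN=a,O=b' (RFC 4514 /
    FreeIPA style) into the ordered list of RDNs as written, left to right.
    A comma escaped as '\\,' inside a value is kept as part of the value."""
    rdns: List[RDN] = []
    for part in re.split(r"(?<!\\),", dn):
        if not part.strip():
            continue
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"not an attribute=value pair: {part!r}")
        rdns.append((attr.strip(), value.strip().replace("\\,", ",")))
    return rdns


def _normalised(rdns: List[RDN]) -> List[RDN]:
    # Attribute types are case-insensitive (cn == CN); values are compared as-is.
    return [(a.upper(), v) for a, v in rdns]


def compare_subjects(csr_subject: str, cert_subject: str) -> str:
    """Return 'match' if the CA kept the RDN order of the CSR, 'reversed' if it
    flipped it (the case in this thread), or 'mismatch' if the RDNs differ."""
    csr = _normalised(parse_dn(csr_subject))
    cert = _normalised(parse_dn(cert_subject))
    if csr == cert:
        return "match"
    if csr == list(reversed(cert)):
        return "reversed"
    return "mismatch"


def ca_subject_in_cert_order(cert_subject: str) -> str:
    """Build the value to pass to --ca-subject so that the next CSR uses the same
    RDN order as the certificate the CA issued (the workaround suggested above)."""
    return ",".join(f"{a}={v}" for a, v in parse_dn(cert_subject))


if __name__ == "__main__":
    # Constructed sample values standing in for the masked ones in the thread.
    csr = "CN = Example IPA CA, O = Example Org, C = XX"
    cert = "C = XX, O = Example Org, CN = Example IPA CA"
    print(compare_subjects(csr, cert))     # reversed
    print(ca_subject_in_cert_order(cert))  # C=XX,O=Example Org,CN=Example IPA CA
```

Feed it the Subject lines from `openssl req -in ipa.csr -noout -subject` and `openssl x509 -in ipa.crt -noout -subject`; a result of "reversed" means the CA reordered the RDNs and either the OpenSSL policy section or the --ca-subject order has to change, while "mismatch" means the values themselves differ.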