Hi,
I am trying to configure FreeIPA as a SubCA, and the "RootCA" is self-made with
openssl. So I've signed the FreeIPA's request with my self-signed "root
ca" certificate, but it looks like FreeIPA doesn't like it:
ipa-server-install --external-cert-file=/root/rootca/rootcacert.pem
--external-cert-file=/root/rootca/certs/ipacert.pem
<...skipped...>
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR CA certificate
CN=RootCA,OU=PRJ,O=COMPANY,L=Bonn,C=DE in /root/rootca/rootcacert.pem,
/root/rootca/certs/ipacert.pem is not valid: not a CA certificate
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR The
ipa-server-install command failed. See /var/log/ipaserver-install.log for more
information
The subj above is my self-made root CA cert, so it looks like something is missing in it.
But what...?
Here it is below, it has the "Basic Constraint" set with CA:TRUE... What else is
required, so that FreeIPA accepts it as a root CA?
Should I add it somewhere first, before running the ipa-server-install?
[root@ipa ~]# openssl x509 -text -noout -in /root/rootca/rootcacert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=DE, L=Bonn, O=COMPANY, OU=PRJ, CN=RootCA
Validity
Not Before: Oct 24 11:43:13 2018 GMT
Not After : Oct 21 11:43:13 2028 GMT
Subject: C=DE, L=Bonn, O=COMPANY, OU=PRJ, CN=RootCA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
<...skipped...>
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
B3:18:3B:CF:29:D2:A5:D4:AE:94:A5:42:65:A2:D8:12:7C:92:78:81
X509v3 Authority Key Identifier:
keyid:B3:18:3B:CF:29:D2:A5:D4:AE:94:A5:42:65:A2:D8:12:7C:92:78:81
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
<...skipped...>
Thanks!!
Sorry, I've figured it out myself...
The problem was not with the Root CA certificate, the reported error is misleading here.
Actually, the problem was with the certificate generated for the FreeIPA itself.
It had CA:FALSE, because I forgot to select the right extension profile when signing it
with my openssl "pseudo-CA".
I've reissued the certificate for FreeIPA with "CA:TRUE" - and it accepted
it.
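As an added example (not from the thread or the FreeIPA project), here is the openssl signing step done both ways, once without a profile (which yields the CA:FALSE certificate the reply describes) and once with a sub-CA extension profile, plus the two checks worth running before handing the files to ipa-server-install. The root CA, the CSR, its subject and all paths are constructed stand-ins; only openssl on PATH is assumed.

```shell
# Added example (not from the thread): sign a FreeIPA CA CSR with an openssl
# pseudo-CA, once without and once with a CA profile, then check the result.
set -eu
# Constructed root CA (with its own CA profile) plus a stand-in for the CSR
# that ipa-server-install writes out for the external CA to sign.
make_root_and_csr() {
  cat > "$1/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = RootCA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -days 3650 -keyout "$1/rootca.key" -out "$1/rootcacert.pem" 2>/dev/null
  openssl req -new -config "$1/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=EXAMPLE.TEST/CN=Certificate Authority" \
    -keyout "$1/ipa.key" -out "$1/ipa.csr" 2>/dev/null
}
# The mistake from the thread: x509 -req with no extension profile issues an
# end-entity certificate, which ipa-server-install rejects as "not a CA".
sign_without_profile() {
  openssl x509 -req -sha256 -days 1825 -CAcreateserial -in "$1/ipa.csr" \
    -CA "$1/rootcacert.pem" -CAkey "$1/rootca.key" \
    -out "$1/ipacert-bad.pem" 2>/dev/null
}
# The fix: a sub-CA profile passed via -extfile. pathlen:0 stops the IPA CA
# from issuing further sub-CAs; drop it if you need that.
sign_subca() {
  printf '%s\n' 'basicConstraints = critical, CA:TRUE, pathlen:0' \
    'keyUsage = critical, digitalSignature, keyCertSign, cRLSign' \
    'subjectKeyIdentifier = hash' 'authorityKeyIdentifier = keyid, issuer' \
    > "$1/subca.ext"
  openssl x509 -req -sha256 -days 1825 -CAcreateserial -in "$1/ipa.csr" \
    -CA "$1/rootcacert.pem" -CAkey "$1/rootca.key" -extfile "$1/subca.ext" \
    -out "$1/ipacert.pem" 2>/dev/null
}
# Pre-flight checks before ipa-server-install: basicConstraints says CA:TRUE
# and the certificate actually chains to the root passed alongside it.
is_ca_cert() { openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'; }
chains_to_root() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
work=$(mktemp -d); make_root_and_csr "$work"; sign_without_profile "$work"; sign_subca "$work"
is_ca_cert "$work/ipacert-bad.pem" || echo "ipacert-bad.pem: not a CA certificate (the error from the thread)"
is_ca_cert "$work/ipacert.pem" && chains_to_root "$work/rootcacert.pem" "$work/ipacert.pem" && echo "ipacert.pem: CA:TRUE and chains to RootCA"
```

The same two checks applied to the files from the original post would have pointed at ipacert.pem rather than rootcacert.pem, which is what the installer's error message obscures.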
Can you share the commands you followed? I am facing the same issues.