Hi,
I am trying to configure FreeIPA as a SubCA, and the "RootCA" is self-made with openssl. So I've signed the FreeIPA's request with my self-signed "root ca" certificate, but it looks like FreeIPA doesn't like it:
ipa-server-install --external-cert-file=/root/rootca/rootcacert.pem --external-cert-file=/root/rootca/certs/ipacert.pem <...skipped...> ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR CA certificate CN=RootCA,OU=PRJ,O=COMPANY,L=Bonn,C=DE in /root/rootca/rootcacert.pem, /root/rootca/certs/ipacert.pem is not valid: not a CA certificate ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
The subj above is my self-made root CA cert, so it looks like something is missing in it. But what...?
Here is it below, it has the "Basic Constraint" set with CA:TRUE... What else is required, so that FreeIPA accepts it as a root CA? Should I add it somewhere first, before running the ipa-server-install?
[root@ipa ~]# openssl x509 -text -noout -in /root/rootca/rootcacert.pem Certificate: Data: Version: 3 (0x2) Serial Number: 0 (0x0) Signature Algorithm: sha256WithRSAEncryption Issuer: C=DE, L=Bonn, O=COMPANY, OU=PRJ, CN=RootCA Validity Not Before: Oct 24 11:43:13 2018 GMT Not After : Oct 21 11:43:13 2028 GMT Subject: C=DE, L=Bonn, O=COMPANY, OU=PRJ, CN=RootCA Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (4096 bit) Modulus: <...skipped...> Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: B3:18:3B:CF:29:D2:A5:D4:AE:94:A5:42:65:A2:D8:12:7C:92:78:81 X509v3 Authority Key Identifier: keyid:B3:18:3B:CF:29:D2:A5:D4:AE:94:A5:42:65:A2:D8:12:7C:92:78:81
X509v3 Basic Constraints: CA:TRUE Signature Algorithm: sha256WithRSAEncryption <...skipped...>
Thanks!!
Sorry, I've figured it out myself... The problem was not with the Root CA certificate, the reported error is misleading here.
Actually, the problem was with the certificate generated for the FreeIPA itself. It had CA:FALSE, because I forgot to select the right extension profile when signing it with my openssl "pseudo-CA". I've reissued the certificate for FreeIPA with "CA:TRUE" - and it accepted it.
Can you share the commands you followed. I am facing the same issues
freeipa-users@lists.fedorahosted.org