The profile: it literally was the caUserCert.cfg profile with a few minor changes:
Removed rsa 1024 key length and removed MD5 encryption algorithms.
Command sequence:
Add the modified profile:
ipa certprofile-import caUserCert --file caUserCert_mod.cfg --store TRUE --desc "User certificate used for authentication"
Created a dpatte.conf file that has the exact same entries as in your instructions. Requested a key and CSR file:
openssl req -new -key key.pem -out dpatte.csr -config dpatte.conf
ipa cert-request dpatte.csr --principal dpatte --profile-id caUserCert
Result: "Subject Name Not Found"
The debug log shows a trace of a Java error. Just a guess on my part, but I suspect that the caUserCert profile requires three inputs, one of which is subjectNameInputImpl. I suspect what I'm providing isn't what is required, hence the first line of the Java trace in the debug file:
"at com.netscape.cms.profile.input.SubjectNameInput.populate(SubjectNameInput.java:269)"
I've followed your blog post using caIPAserviceCert.cfg making modifications to some
defaults/constraints (like above) and it works. Now my ssh keys don't work to permit
access to systems. Can I have both a cert and ssh keys? When I have a cert, ssh logs say
your sshkey has been rejected by the server. When I remove the cert, sshkey is accepted.
Thanks for the insight and help!
David Patterson
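Since the error in this thread concerns construction of the certificate Subject DN, the first thing worth checking is what subject the CSR actually carries before it is handed to `ipa cert-request`. The following is an added example, not code from either message: it writes a dpatte.conf with a non-interactive `[dn]` section, generates a 2048-bit key (matching the profile change that dropped 1024-bit keys), builds the CSR, and prints the subject in RFC 2253 form. The CN `dpatte`, the organisation `EXAMPLE.TEST`, the e-mail address and the file names are placeholders; it assumes `openssl` is installed.

```shell
#!/bin/sh
# Added example (not from the thread): build a user-cert CSR with an explicit
# Subject DN and inspect that DN before submitting it to the CA.
# Assumptions: openssl on PATH; "dpatte", "EXAMPLE.TEST" and the e-mail
# address are constructed placeholder values.

set -e

WORK="$(mktemp -d)"

# Constructed openssl request config. prompt = no makes openssl take the DN
# from the [dn] section instead of asking for each field interactively.
# O is listed before CN so the DN reads CN=dpatte,O=EXAMPLE.TEST in RFC 2253 form.
write_req_config() {
  cat > "$WORK/dpatte.conf" <<'EOF'
[ req ]
default_bits        = 2048
prompt              = no
distinguished_name  = dn
req_extensions      = v3_req

[ dn ]
O  = EXAMPLE.TEST
CN = dpatte

[ v3_req ]
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectAltName   = email:dpatte@example.test
EOF
}

# Generate a 2048-bit RSA key and a CSR whose subject comes from the config.
# Prints the path of the CSR so callers can inspect it.
make_csr() {
  write_req_config
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/key.pem" 2>/dev/null
  openssl req -new -key "$WORK/key.pem" -out "$WORK/dpatte.csr" \
    -config "$WORK/dpatte.conf"
  echo "$WORK/dpatte.csr"
}

# Print the CSR subject in RFC 2253 form (e.g. CN=dpatte,O=EXAMPLE.TEST),
# stripping the "subject=" prefix that differs between openssl versions.
csr_subject() {
  openssl req -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//'
}

# Succeed only if the CSR subject carries the expected CN.
csr_has_cn() {
  csr_subject "$1" | grep -q "CN=$2"
}

CSR="$(make_csr)"
echo "CSR subject: $(csr_subject "$CSR")"
csr_has_cn "$CSR" dpatte && echo "CN=dpatte present; ready for ipa cert-request"
```

Run it as a script; the printed subject line is what the CA profile will see in the request, so any mismatch between it and the principal you pass to `ipa cert-request` shows up here rather than as an opaque 500 from the CA REST API.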
-----Original Message-----
From: Fraser Tweedale <ftweedal(a)redhat.com>
Sent: Sunday, July 07, 2019 11:55 PM
To: Patterson, David <dpatte(a)sandia.gov>
Subject: [EXTERNAL] Re: caUserCert
On Wed, Jul 03, 2019 at 08:42:41PM +0000, Patterson, David wrote:
Hello,
I followed your blog post from 8-6-2015 about User Certificates and
Custom Profiles with FreeIPA 4.2 to attempt to create user
certificates. I'm trying to use the caUserCert template, instead of
the caIPAserviceCert template.
I've tried variations on different CN=, even modified my ldap entry to
change my CN to dpatte, but always this error:
ipa: ERROR: Request failed with status 500: Non-2xx response from CA REST API: 500. Subject Name Not Found
I've done a bunch of googling to see what this error means, but
never found an answer. Can you shed some light?
Thanks!
David Patterson
Sandia National Laboratories
Hi David,
Sorry for belated reply; I was on vacation last week.
The "outer" part of the error comes from the FreeIPA server when a backend HTTP
request to the Dogtag CA fails. The "inner" part ("Subject Name Not
Found") is used by several Dogtag profile components, and usually indicates that
something went wrong constructing the certificate Subject DN.
Can you please provide more detail: what is the profile configuration, what is the exact
sequence of commands leading to the failure? The debug log from
/var/log/pki/pki-tomcat/ca/ may also shed some light.
Do you want to Cc the public mailing list freeipa-users(a)lists.fedorahosted.org? Then
others besides me could assist (and benefit from the solution). Up to you of course.
Cheers,
Fraser