On Thu, 2 Jan 2020, Florence Blanc-Renaud wrote:
On 1/2/20 7:24 AM, Rob Foehl via FreeIPA-users wrote:
> Went to renew an externally-signed IPA CA certificate that was valid
> through today, and discovered that FreeIPA had decided to renew it with a
> self-signed cert a month ago, and had since reissued all other subsystem
> certs against that self-signed CA.
That is surprising, maybe there was a tracking request that triggered the
renewal to self-signed. Can you check now if the self-signed CA is tracked?
(It should not be)
There's one like this, which presumably was the case a month ago when the
self-signed CA was generated:
Request ID '20190325054235':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: <external CA>
        subject: <IPA CA>
        expires: 2022-12-31 17:47:12 EST
        key usage: keyCertSign,cRLSign
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
This system has never (intentionally) used a self-signed CA, initial
install was with the older external CA. This system was (re)installed as
a replica about a year ago, and last upgrade attempt was on 20190325.
> There's also a chicken-and-egg problem with trying to renew anything, in
> that all new requests are signed with the self-signed IPA CA instead of
> the new intermediate IPA CA.
As far as I understand, the private key of IPA CA does not change even when
the CA is renewed from self-signed to externally-signed (or the reverse), and
this means that the same key is used to issue the IPA certs. In that case,
there is no difference if a cert was signed with the old or the new CA cert.
The unchanging private key is its own issue, but this is the reason why I
didn't notice this a month earlier and haven't had more trouble since.
What makes you think that the new requests are signed with the self-signed
IPA CA?
Certificate lifetimes aren't bound to the new intermediate IPA CA.
Do you have any issue when you try to renew other certs?
I can't renew any of them against the proper CA, nor are correct chains
returned to clients. The question remains: how do I get rid of the
self-signed CA entirely?
-Rob
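Florence's question above (is the self-signed CA still tracked?) can be answered by scanning `getcert list` output for tracking requests whose issuer equals their subject. The following is an added example, not code from the thread or from FreeIPA; the `getcert list` sample it parses is constructed, with made-up DNs in place of the `<external CA>` / `<IPA CA>` placeholders, and the function names are my own.

```python
"""Flag certmonger tracking requests whose certificate is self-signed.

On a FreeIPA host whose CA is externally signed, the IPA CA signing cert
(and everything issued under it) must list the external CA as issuer, so a
request with issuer == subject is the symptom Rob describes.
"""
import re

# Constructed sample of `getcert list` output; DNs are invented.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20190325054235':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\tsubject: CN=Certificate Authority,O=EXAMPLE.TEST
\texpires: 2022-12-31 17:47:12 EST
\tkey usage: keyCertSign,cRLSign
\ttrack: yes
\tauto-renew: yes
Request ID '20190325054300':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\tsubject: CN=OCSP Subsystem,O=EXAMPLE.TEST
\ttrack: yes
"""


def parse_getcert_list(text):
    """Return one dict per tracking request, keyed by the field names getcert prints."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            continue
        if current is None or ":" not in line:
            continue  # header line, or text before the first request
        key, _, value = line.strip().partition(":")  # split on the first colon only
        current[key.strip()] = value.strip()
    return requests


def self_signed_requests(text):
    """IDs of tracked certs whose issuer equals subject; expected empty on an externally-signed IPA CA."""
    return [r["id"] for r in parse_getcert_list(text)
            if r.get("issuer") and r["issuer"] == r.get("subject")]
```

Run against real output with `self_signed_requests(subprocess.check_output(["getcert", "list"], text=True))`; a hit on the `caSigningCert cert-pki-ca` request is what to look for.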