Greetings,
During the installation process I used the following pki_override.cfg file:
[DEFAULT]
pki_admin_key_algorithm=SHA512withRSA
pki_admin_key_size=8192
pki_audit_signing_key_algorithm=SHA512withRSA
pki_audit_signing_key_size=8192
pki_audit_signing_key_type=rsa
pki_audit_signing_signing_algorithm=SHA512withRSA
pki_ssl_server_key_algorithm=SHA512withRSA
pki_ssl_server_key_size=8192
pki_sslserver_signing_algorithm=SHA512withRSA
pki_subsystem_key_algorithm=SHA512withRSA
pki_subsystem_signing_algorithm=SHA512withRSA
pki_subsystem_key_size=8192
[CA]
pki_ca_signing_key_size=8192
pki_ca_signing_key_algorithm=SHA512withRSA
pki_ca_signing_signing_algorithm=SHA512withRSA
pki_ocsp_signing_key_algorithm=SHA512withRSA
pki_ocsp_signing_key_size=8192
pki_ocsp_signing_signing_algorithm=SHA512withRSA
[KRA]
pki_storage_key_algorithm=SHA512withRSA
pki_storage_key_size=8192
pki_storage_signing_algorithm=SHA512withRSA
pki_transport_key_algorithm=SHA512withRSA
pki_transport_key_size=8192
pki_transport_signing_algorithm=SHA512withRSA
[OCSP]
pki_ocsp_signing_key_algorithm=SHA512withRSA
pki_ocsp_signing_key_size=8192
pki_ocsp_signing_signing_algorithm=SHA512withRSA
This led to the following error when I tried to add a subCA:
Request failed with status 400: Non-2xx response from CA REST API: 400. Failed to issue CA certificate. Final status: rejected. Additional info: Key Parameters 1024,2048,3072,4096,nistp256,nistp384,nistp521 Not Matched
By default we have three certificate profiles, caIPAserviceCert, KDCs_PKINIT_Certs and IECUserRoles, but changing them does not fix this error. Could you please tell me where I can find a subCA certificate template?
Regards, Alex Ivanov.
Алексей Иванов via FreeIPA-users wrote:
Look in /var/log/pki/pki-tomcat/ca/debug-<date> and it should tell you the profile it used.
At one point subCA keys were hardcoded at 2048. I don't know if that is still the case.
8k keys everywhere are going to tank performance, particularly the 8k server-cert key.
rob
Hello people,
I wonder if there are configurations in the DISA STIG for RHEL 8 that are known to be incompatible with the IPA server. I have been testing a fresh installation on a hardened OS and ran into problems. The installer nicely informs about a too-tight umask, and after correcting that everything completes without problems. Adding the first user is successful, but logging in to the IPA server with it fails; /var/log/secure reports errors about an unknown user. Since this might be just the first problem to solve with hardening, I was hoping there would be information available about using STIG with IPA. My google-fu didn't bring good results, so any help is appreciated.
Br, Risto
On Fri, Mar 3, 2023, 15:16 Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Greetings,
I found the following error in the log you mentioned:
2023-03-07 13:10:09 [ajp-nio-127.0.0.1-8009-exec-6] INFO: CertProcessor: - req_seq_num: 0
2023-03-07 13:10:09 [ajp-nio-127.0.0.1-8009-exec-6] INFO: CertProcessor: - profilesetid: caCertSet
2023-03-07 13:10:09 [ajp-nio-127.0.0.1-8009-exec-6] INFO: CertProcessor: - req_authority_id: 80a77871-f53d-4154-ad3f-9b669ca9791f
2023-03-07 13:10:09 [ajp-nio-127.0.0.1-8009-exec-6] INFO: CertProcessor: - req_subject_name.uid:
2023-03-07 13:10:09 [ajp-nio-127.0.0.1-8009-exec-6] INFO: CertProcessor: - auth_token.authmanagerid: certUserDBAuthMgr
2023-03-07 13:10:09 [ajp-nio-127.0.0.1-8009-exec-6] INFO: CertProcessor: - requesttype: enrollment
2023-03-07 13:10:09 [ajp-nio-127.0.0.1-8009-exec-6] INFO: CertProcessor: - req_extensions: owIwAA==
2023-03-07 13:10:09 [ajp-nio-127.0.0.1-8009-exec-6] INFO: CertProcessor: - req_subject_name: MA8xDTALBgNVBAMMBHRlc3Q=
2023-03-07 13:10:09 [ajp-nio-127.0.0.1-8009-exec-6] INFO: CertProcessor: Submitting certificate request to caCACert profile
2023-03-07 13:10:09 [ajp-nio-127.0.0.1-8009-exec-6] INFO: LDAPSession: Adding LDAP entry cn=32,ou=ca, ou=requests,o=ipaca
2023-03-07 13:10:09 [ajp-nio-127.0.0.1-8009-exec-6] INFO: KeyConstraint: Key algorithnm: RSA
2023-03-07 13:10:09 [ajp-nio-127.0.0.1-8009-exec-6] INFO: KeyConstraint: Key type: -
2023-03-07 13:10:09 [ajp-nio-127.0.0.1-8009-exec-6] WARNING: Certificate request rejected: Key Parameters 1024,2048,3072,4096,nistp256,nistp384,nistp521 Not Matched
Key Parameters 1024,2048,3072,4096,nistp256,nistp384,nistp521 Not Matched
        at com.netscape.cms.profile.constraint.KeyConstraint.validate(KeyConstraint.java:198)
        at com.netscape.cms.profile.constraint.EnrollConstraint.validate(EnrollConstraint.java:172)
        at com.netscape.cms.profile.common.Profile.validate(Profile.java:1309)
        at com.netscape.cms.profile.common.EnrollProfile.validate(EnrollProfile.java:2767)
        at com.netscape.cms.profile.common.EnrollProfile.submit(EnrollProfile.java:731)
        at com.netscape.cms.servlet.cert.CertProcessor.submitRequests(CertProcessor.java:253)
        at com.netscape.cms.servlet.cert.EnrollmentProcessor.processEnrollment(EnrollmentProcessor.java:207)
        at com.netscape.ca.CertificateAuthority.generateSigningCert(CertificateAuthority.java:1941)
        at org.dogtagpki.server.ca.CAEngine.createCA(CAEngine.java:1064)
        at org.dogtagpki.server.ca.CAEngine.createCA(CAEngine.java:1118)
        at org.dogtagpki.server.ca.rest.AuthorityService.createCA(AuthorityService.java:268)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:568)
[root@mdc-ipa-2 ca]# ipa certprofile-find caCertSet
------------------
0 profiles matched
------------------
----------------------------
Number of entries returned 0
----------------------------
[root@mdc-ipa-2 ca]# find / -name *caCertSet*
find: ‘/proc/28227/task/28227/net’: Invalid argument
find: ‘/proc/28227/net’: Invalid argument
find: ‘/proc/28231/task/28231/net’: Invalid argument
find: ‘/proc/28231/net’: Invalid argument
find: ‘/proc/32516/task/32516/net’: Invalid argument
find: ‘/proc/32516/net’: Invalid argument
find: ‘/proc/32520/task/32520/net’: Invalid argument
find: ‘/proc/32520/net’: Invalid argument
find: ‘/proc/33513/task/33513/net’: Invalid argument
find: ‘/proc/33513/net’: Invalid argument
[root@mdc-ipa-2 ca]# ipa certprofile-find
------------------
5 profiles matched
------------------
  Profile ID: acmeIPAServerCert
  Profile description: ACME IPA service certificate profile
  Store issued certificates: False

  Profile ID: caIPAserviceCert
  Profile description: Standard profile for network services
  Store issued certificates: True

  Profile ID: IECUserRoles
  Profile description: User profile that includes IECUserRoles extension from request
  Store issued certificates: True

  Profile ID: KDCs_PKINIT_Certs
  Profile description: Profile for PKINIT support by KDCs
  Store issued certificates: False

  Profile ID: server
  Profile description: Default server certificate
  Store issued certificates: True
----------------------------
Number of entries returned 5
----------------------------
[root@mdc-ipa-2 ca]#
Any idea where to find the caCertSet profile?
Regards, Alex Ivanov.
On Fri, Mar 3, 2023 at 4:16 PM Rob Crittenden rcritten@redhat.com wrote:
Алексей Иванов wrote:
Greetings,
I found the following error in the log you mentioned:
The profile used is in this message:
INFO: CertProcessor: Submitting certificate request to caCACert profile
Profiles on disk are not used. The CA uses those stored in LDAP. You're looking for:
dn: cn=caCACert,ou=certificateProfiles,ou=ca,o=ipaca
rob
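Rob's pointer identifies where the rejection comes from: the key constraint of the caCACert profile (policy set caCertSet, as the log shows), whose keyParameters list is exactly the one in the error message and does not contain 8192. The Python below is an added example, not code from this thread or from Dogtag: it re-implements that constraint check over a constructed raw-profile fragment, decodes the logged req_subject_name to confirm which request was rejected, and builds the edited profile with 8192 allowed. The ".3." policy index, the parameter names and the message wording are assumptions modelled on Dogtag's raw profile format.

```python
import base64
from typing import Dict, List, Tuple

# Constructed fragment of a Dogtag raw profile, modelled on caCACert, whose
# policy set is named caCertSet (as the log shows).  The ".3." policy index
# and the exact parameter names are assumptions, not copied from a server.
PROFILE_RAW = """\
profileId=caCACert
policyset.list=caCertSet
policyset.caCertSet.list=1,3
policyset.caCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.caCertSet.1.constraint.params.pattern=.*
policyset.caCertSet.3.constraint.class_id=keyConstraintImpl
policyset.caCertSet.3.constraint.params.keyType=-
policyset.caCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521
"""

KEY_CLASS = "keyConstraintImpl"
CN_OID = bytes.fromhex("550403")  # DER encoding of 2.5.4.3 (commonName)


def parse_profile(raw: str) -> Dict[str, str]:
    """Turn the key=value lines of a raw profile into a dict (order kept)."""
    cfg: Dict[str, str] = {}
    for line in raw.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def key_constraints(cfg: Dict[str, str]) -> List[Tuple[str, str, List[str]]]:
    """Every key constraint as (policy prefix, keyType, allowed keyParameters)."""
    out = []
    for key, value in cfg.items():
        if value == KEY_CLASS and key.endswith(".constraint.class_id"):
            prefix = key[: -len(".constraint.class_id")]
            key_type = cfg.get(prefix + ".constraint.params.keyType", "-")
            allowed = cfg.get(prefix + ".constraint.params.keyParameters", "")
            out.append((prefix, key_type, [p.strip() for p in allowed.split(",") if p.strip()]))
    return out


def validate_key(cfg: Dict[str, str], key_alg: str, key_param: str) -> Tuple[bool, str]:
    """Re-implementation of the KeyConstraint decision (not Dogtag's own code).
    key_alg is 'RSA' or 'EC'; key_param is the RSA modulus size in bits as a
    string ('8192') or the EC curve name ('nistp256').  keyType '-' means any."""
    for _prefix, key_type, allowed in key_constraints(cfg):
        if key_type != "-" and key_type.upper() != key_alg.upper():
            return False, f"Key Type {key_type} Not Matched"
        if key_param not in allowed:
            return False, f"Key Parameters {','.join(allowed)} Not Matched"
    return True, "OK"


def allow_key_param(cfg: Dict[str, str], param: str) -> Dict[str, str]:
    """Copy of cfg whose key constraints also accept `param` (e.g. '8192');
    the edited keyParameters line is what would be written back to the profile."""
    fixed = dict(cfg)
    for prefix, _key_type, allowed in key_constraints(cfg):
        if param not in allowed:
            fixed[prefix + ".constraint.params.keyParameters"] = ",".join(allowed + [param])
    return fixed


def decode_subject_cn(b64: str) -> str:
    """Decode the base64 DER Name the CA logs as req_subject_name and return
    its CN.  Minimal DER walk: SEQUENCE { SET { SEQUENCE { OID, string } } }."""
    der = base64.b64decode(b64)

    def tlv(buf: bytes, pos: int):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        return tag, buf[pos:pos + length], pos + length

    _tag, name, _ = tlv(der, 0)            # outer SEQUENCE (the Name)
    pos = 0
    while pos < len(name):
        _tag, rdn, pos = tlv(name, pos)    # SET (one RDN)
        _tag, atv, _ = tlv(rdn, 0)         # SEQUENCE (AttributeTypeAndValue)
        _tag, oid, nxt = tlv(atv, 0)
        _tag, value, _ = tlv(atv, nxt)
        if oid == CN_OID:
            return value.decode("utf-8")
    return ""


if __name__ == "__main__":
    cfg = parse_profile(PROFILE_RAW)
    print(decode_subject_cn("MA8xDTALBgNVBAMMBHRlc3Q="))              # test
    print(validate_key(cfg, "RSA", "8192"))                           # rejected, as in the log
    print(validate_key(allow_key_param(cfg, "8192"), "RSA", "8192"))  # accepted
```

The same walk over the live profile text from the cn=caCACert entry Rob names would show which keyParameters line to edit; the 8k performance cost Rob mentions still applies to every signature the subCA makes.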