On Sat, Dec 12, 2020 at 05:49:53PM -0000, Khurrum Maqb via FreeIPA-users wrote:
> I got it resolved - IPA does not seem to support importing a
> rechained external CA. It doesn't seem to have anything to do with
> ipaCertSubject being unique but it's something else where there
> are two different chains for the same external CA.
> I was able to ldapdelete the old problematic certs from ldap > etc
> > ipa > certificates. And then I was able to successfully run the
> ipa-advise script for adding the CA certs. This time
> ipa-cacert-manage worked without throwing the public key info
> mismatch error.
> And then I ran ipa-certupdate on all IPA servers, and clients that
> required smartcard auth. And it seemed to work fine for the new
> certs. Unfortunately, this likely means that the cards with the
> old chain will stop working but they are in the small minority and
> we'll likely have to get them new cards signed by the external CA
> with the new chain.
> I would like to suggest that the ability to rechain and have two
> different chains for the same external CA be added to FreeIPA.
> It's likely a rare situation but it happens.
Thanks for the report Khurrum. Glad you were able to sort it out.
Rob, Flo: this is old validation code (commit de695e688e, 2014) and
probably an oversight. We should investigate whether anything
breaks when superior certs in the IPA CA chain get rekeyed. If
nothing breaks, we should remove the SubjectPublicKeyInfo check.
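The mismatch discussed in this thread comes down to one comparison: two CA certificates carrying the same subject but a different SubjectPublicKeyInfo. The script below is an added illustration, not code from this thread or from the FreeIPA project; it uses only stock openssl commands, generates its own throwaway sample certificates (constructed data), and classifies a candidate replacement cert against the currently installed one before you hand it to ipa-cacert-manage. The function and file names are assumptions for the example; the labels "same-key" and "rekeyed" are mine, and the "rekeyed" outcome is the same-subject/different-key condition the thread's mismatch error refers to.

```shell
#!/bin/sh
# Compare an installed CA certificate with a candidate replacement and report
# whether the subject and SubjectPublicKeyInfo (SPKI) still match.
# Example only; assumes a working `openssl` binary on PATH.
set -eu

# SHA-256 over the DER-encoded SubjectPublicKeyInfo of the certificate in $1.
spki_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 \
        | awk '{print $NF}'
}

# Subject DN of the certificate in $1, as printed by openssl.
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# Classify a candidate cert ($2) against the installed one ($1). Prints:
#   different-subject  - not the same CA at all
#   same-key           - same subject, same SPKI (reissue over the existing key)
#   rekeyed            - same subject, different SPKI (the case that trips the
#                        SubjectPublicKeyInfo check discussed in the thread)
classify_ca_update() {
    old=$1
    new=$2
    if [ "$(cert_subject "$old")" != "$(cert_subject "$new")" ]; then
        echo different-subject
    elif [ "$(spki_fingerprint "$old")" = "$(spki_fingerprint "$new")" ]; then
        echo same-key
    else
        echo rekeyed
    fi
}

# Constructed sample data: four self-signed certs in a temp dir (path printed).
make_demo_certs() {
    dir=$(mktemp -d)
    # The currently installed external CA cert.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
        -subj "/CN=Example External CA" -days 30 -out "$dir/old.pem" 2>/dev/null
    # Reissued over the same key pair (e.g. extended validity): SPKI unchanged.
    openssl req -x509 -new -key "$dir/ca.key" \
        -subj "/CN=Example External CA" -days 60 -out "$dir/samekey.pem" 2>/dev/null
    # Reissued with a fresh key pair but the same subject: SPKI changes.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca2.key" \
        -subj "/CN=Example External CA" -days 30 -out "$dir/rekeyed.pem" 2>/dev/null
    # An unrelated CA, to show the subject comparison.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/other.key" \
        -subj "/CN=Other CA" -days 30 -out "$dir/other.pem" 2>/dev/null
    echo "$dir"
}

DEMO_DIR=$(make_demo_certs)
trap 'rm -rf "$DEMO_DIR"' EXIT

main() {
    for candidate in samekey rekeyed other; do
        printf '%-8s -> %s\n' "$candidate" \
            "$(classify_ca_update "$DEMO_DIR/old.pem" "$DEMO_DIR/$candidate.pem")"
    done
}

main
```

To use it against real material, replace the constructed certs with the PEM you pulled from the existing IPA installation and the new chain from the external CA; a "rekeyed" result tells you in advance that the superior CA's key changed, which is the situation the thread's workaround (removing the old entries and re-adding the chain) dealt with.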