I'm currently trying to evaluate if we may use IPA server to help manage our park of Linux clients. When installing the IPA server I used the following commands:

sudo ipa-server-install --external-ca --external-ca-type=ms-cs
sudo ipa-server-install --external-cert-file=/home/$USER/ipa.cer --external-cert-file=/home/$USER/certnew.cer
Now when the CA certificate in Windows expired, I used Certificate Authority Manager to renew the CA certificate. I'm now struggling trying to figure out how to renew the IPA certificate. This is what I've tried:

sudo ipa-cacert-manage --external-ca --external-ca-type ms-cs renew
On the Windows server I'm forced to use the certreq command in the CLI, as the GUI manager only complains about the CSR being the wrong type. And I'm only having success using the WebServer template. No other templates work. And I'm assuming the SubordinateCertificationAuthority template is the one that should be used?

certreq -submit -attrib CertificateTemplate:WebServer
Back on the IPA server, I try installing the signed certificate:

sudo ipa-cacert-manage renew --external-cert-file=./ipa.cer --external-cert-file=./Root-CA.cer
But this only complains about the cert missing some basic constraints. Comparing the CSR generated during the install of the IPA server with the CSR generated by the ipa-cacert-manage renew command, I see that they differ in that the renew CSR is missing the .S.u.b.C.A
Does anyone have any insights into what's missing in the procedure? Thankful for any help that can help me progress on this.
On Sun, 03 Sep 2023, John Doe via FreeIPA-users wrote:
> I'm currently trying to evaluate if we may use IPA server to help manage our park of Linux clients. When installing the IPA server I used the following commands:
> sudo ipa-server-install --external-ca --external-ca-type=ms-cs
> sudo ipa-server-install --external-cert-file=/home/$USER/ipa.cer --external-cert-file=/home/$USER/certnew.cer
>
> Now when the CA certificate in Windows expired, I used Certificate Authority Manager to renew the CA certificate. I'm now struggling trying to figure out how to renew the IPA certificate. This is what I've tried:
> sudo ipa-cacert-manage --external-ca --external-ca-type ms-cs renew
>
> On the Windows server I'm forced to use the certreq command in the CLI, as the GUI manager only complains about the CSR being the wrong type. And I'm only having success using the WebServer template. No other templates work. And I'm assuming the SubordinateCertificationAuthority template is the one that should be used?
> certreq -submit -attrib CertificateTemplate:WebServer
You want to deploy a CA, not a web server, so you should be using the right subCA template.
Section 7.1 of RHEL IdM documentation for installing IdM tells about it: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/assembly_installing-an-ipa-server-without-dns-with-external-ca_installing-identity-management
------- In certain scenarios, the Active Directory (AD) administrator can use the Subordinate Certification Authority (SCA) template, which is a built-in template in AD CS, to create a unique template to better suit the needs of the organization. The new template can, for example, have a customized validity period and customized extensions. The associated Object Identifier (OID) can be found in the AD Certificates Template console.
If the AD administrator has disabled the original, built-in template, you must specify the OID or name of the new template when requesting a certificate for your IdM CA. Ask your AD administrator to provide you with the name or OID of the new template.
If the original SCA AD CS template is still enabled, you can use it by specifying --external-ca-type=ms-cs without additionally using the --external-ca-profile option. In this case, the subCA external CA profile is used, which is the default IdM template corresponding to the SCA AD CS template. -------
So most likely your SCA AD CS template got disabled by the admin?
> Back on the IPA server, I try installing the signed certificate:
> sudo ipa-cacert-manage renew --external-cert-file=./ipa.cer --external-cert-file=./Root-CA.cer
>
> But this only complains about the cert missing some basic constraints. Comparing the CSR generated during the install of the IPA server with the CSR generated by the ipa-cacert-manage renew command, I see that they differ in that the renew CSR is missing the .S.u.b.C.A
>
> Does anyone have any insights into what's missing in the procedure?
Check the configuration of your AD CS setup; maybe the built-in template for subCA is disabled and not available anymore.
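Before handing the certificate AD CS returns to `ipa-cacert-manage renew`, it is worth checking that it actually is a CA certificate; the "missing basic constraints" rejection above is exactly what a WebServer-template cert produces. The following is an added example for this thread, not FreeIPA code and not from either poster. It assumes the third-party Python `cryptography` package; the certificates it inspects are generated in-process as constructed stand-ins for ./ipa.cer and ./Root-CA.cer, and the signature check assumes an RSA PKCS#1 v1.5 signature (the usual AD CS default).

```python
"""Pre-flight check of the certificate AD CS hands back, before it goes to
`ipa-cacert-manage renew --external-cert-file=...`.

Added example, not FreeIPA code.  Needs the third-party `cryptography`
package.  The certificates below are generated in-process as constructed
stand-ins for ./ipa.cer and ./Root-CA.cer; in real use read those files."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def load_cert(data: bytes) -> x509.Certificate:
    """AD CS exports .cer as either Base64 (PEM) or binary DER; accept both."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return x509.load_pem_x509_certificate(data)
    return x509.load_der_x509_certificate(data)


def export(cert: x509.Certificate, pem: bool = True) -> bytes:
    enc = serialization.Encoding.PEM if pem else serialization.Encoding.DER
    return cert.public_bytes(enc)


def check_subca_cert(sub: x509.Certificate, root: x509.Certificate) -> list:
    """Return the reasons `sub` is NOT usable as the IdM CA certificate.

    Empty list = basicConstraints cA=TRUE, keyUsage keyCertSign, and a
    signature that verifies under the supplied root.  A cert cut from the
    WebServer template fails the first two checks."""
    problems = []
    try:
        bc = sub.extensions.get_extension_for_class(x509.BasicConstraints).value
        if not bc.ca:
            problems.append("basicConstraints present but cA=FALSE")
    except x509.ExtensionNotFound:
        problems.append("basicConstraints extension missing")
    try:
        ku = sub.extensions.get_extension_for_class(x509.KeyUsage).value
        if not ku.key_cert_sign:
            problems.append("keyUsage lacks keyCertSign")
    except x509.ExtensionNotFound:
        problems.append("keyUsage extension missing")
    if sub.issuer != root.subject:
        problems.append("issuer does not match the supplied root's subject")
    else:
        try:  # assumes an RSA PKCS#1 v1.5 signature, the common AD CS default
            root.public_key().verify(sub.signature, sub.tbs_certificate_bytes,
                                     padding.PKCS1v15(), sub.signature_hash_algorithm)
        except InvalidSignature:
            problems.append("signature does not verify against the supplied root")
    not_after = getattr(sub, "not_valid_after_utc", None)  # cryptography >= 42
    if not_after is None:  # older releases: naive UTC datetime
        not_after = sub.not_valid_after.replace(tzinfo=datetime.timezone.utc)
    if not_after < datetime.datetime.now(datetime.timezone.utc):
        problems.append("certificate has already expired")
    return problems


def make_test_chain():
    """Constructed sample data: a self-signed root and two children it signs,
    one shaped like the SubCA template's output, one like WebServer's."""
    root_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    sub_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    root_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Test Root CA")])
    sub_name = x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, "Certificate Authority"),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "IPA.LABNET.ORG"),
    ])

    def build(subject, pubkey, is_ca):
        return (x509.CertificateBuilder()
                .subject_name(subject).issuer_name(root_name).public_key(pubkey)
                .serial_number(x509.random_serial_number())
                .not_valid_before(now - datetime.timedelta(days=1))
                .not_valid_after(now + datetime.timedelta(days=365))
                .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
                .add_extension(x509.KeyUsage(
                    digital_signature=True, content_commitment=False,
                    key_encipherment=not is_ca, data_encipherment=False,
                    key_agreement=False, key_cert_sign=is_ca, crl_sign=is_ca,
                    encipher_only=False, decipher_only=False), critical=True)
                .sign(root_key, hashes.SHA256()))

    root = build(root_name, root_key.public_key(), True)
    good = build(sub_name, sub_key.public_key(), True)   # SubCA-shaped
    bad = build(sub_name, sub_key.public_key(), False)   # WebServer-shaped
    return root, good, bad


if __name__ == "__main__":
    root, good, bad = make_test_chain()
    for label, cert in (("SubCA-shaped", good), ("WebServer-shaped", bad)):
        print(label, check_subca_cert(load_cert(export(cert)), root) or "OK")
```

On a real server replace `make_test_chain()` with `load_cert(open("ipa.cer", "rb").read())` and the same for Root-CA.cer; an empty result means the file will at least pass the CA-shape checks that ipa-cacert-manage performs.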
Thank you so much for your support. Your comments set me on the right track. Namely, that the problem wasn't on the IPA side but on the Windows side. The name of the template is 'SubCA', and with the following command I was able to get the CSR signed:

certreq -submit -attrib CertificateTemplate:SubCA
I could then get the cert installed into the IPA using:

sudo ipa-cacert-manage renew --external-cert-file=./ipa.cer --external-cert-file=./Root-CA.cer
The main problem here is that the CA certificate expired before I renewed it. That's by intent, as I wanna try out the steps needed to remedy a situation like that, as well as what to do when you renew the cert before it expires.
Although it looks like the renewed cert has gotten installed, I'm still not able to log in using the GUI:

[jdoe@lab002 ~]$ ipa find user
ipa: ERROR: cannot connect to 'https://lab002.labnet.org/ipa/json': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1129)
[jdoe@lab002 ~]$

I tried running the following, it was successful, but the problem still persists:

[jdoe@lab002 ~]$ sudo ipa-cert-fix
The ipa-cert-fix command was successful
[jdoe@lab002 ~]$
[jdoe@lab002 ~]$ sudo ipa-getcert list | egrep "status|subject|expires|stuck"
status: CA_UNREACHABLE
stuck: no
subject: CN=lab002.labnet.org,O=IPA.LABNET.ORG
expires: 2023-10-20 08:12:29 CEST
status: CA_UNREACHABLE
stuck: no
subject: CN=lab002.labnet.org,O=IPA.LABNET.ORG
expires: 2023-10-20 08:12:29 CEST
status: CA_UNREACHABLE
stuck: no
subject: CN=lab002.labnet.org,O=IPA.LABNET.ORG
expires: 2023-10-20 08:12:29 CEST
[jdoe@lab002 ~]$
What am I missing or doing wrong?
On Mon, 4 Sep 2023 at 08:27, Alexander Bokovoy <abokovoy@redhat.com> wrote:
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
John Doe via FreeIPA-users wrote:
> Thank you so much for your support. Your comments set me on the right track. Namely, that the problem wasn't on the IPA side but on the Windows side. The name of the template is 'SubCA', and with the following command I was able to get the CSR signed:
> certreq -submit -attrib CertificateTemplate:SubCA
>
> I could then get the cert installed into the IPA using:
> sudo ipa-cacert-manage renew --external-cert-file=./ipa.cer --external-cert-file=./Root-CA.cer
This updates the CA itself with its new certificate but it doesn't update the CA trust on the server nor any clients. You have to run ipa-certupdate everywhere to do that. Of course it requires TLS to run so you're in a bit of pickle because all the other certs are also expired.
> The main problem here is that the CA certificate expired before I renewed it. That's by intent, as I wanna try out the steps needed to remedy a situation like that, as well as what to do when you renew the cert before it expires.
It depends. When a CA expires so does all of the certificates it issued (or they should). So literally no certs are valid. You'd have to re-issue the world. Which is hard because your CA won't start because all but its own certificate is expired.
> Although it looks like the renewed cert has gotten installed, I'm still not able to log in using the GUI:
>
> [jdoe@lab002 ~]$ ipa find user
> ipa: ERROR: cannot connect to 'https://lab002.labnet.org/ipa/json': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1129)
> [jdoe@lab002 ~]$
>
> I tried running the following, it was successful, but the problem still persists:
>
> [jdoe@lab002 ~]$ sudo ipa-cert-fix
> The ipa-cert-fix command was successful
> [jdoe@lab002 ~]$
> [jdoe@lab002 ~]$ sudo ipa-getcert list | egrep "status|subject|expires|stuck"
> status: CA_UNREACHABLE
> stuck: no
> subject: CN=lab002.labnet.org,O=IPA.LABNET.ORG
> expires: 2023-10-20 08:12:29 CEST
> status: CA_UNREACHABLE
> stuck: no
> subject: CN=lab002.labnet.org,O=IPA.LABNET.ORG
> expires: 2023-10-20 08:12:29 CEST
> status: CA_UNREACHABLE
> stuck: no
> subject: CN=lab002.labnet.org,O=IPA.LABNET.ORG
> expires: 2023-10-20 08:12:29 CEST
> [jdoe@lab002 ~]$
Can I ask why it's October? I assume you're twiddling with time?
> What am I missing or doing wrong?
Don't let things expire and you'll avoid a whole ton of headache.
IPA/certmonger will not warn you of the impending doom of expired certificates (beyond perhaps log messages). ipa-healthcheck will to some degree if you run it and examine the results.
rob
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
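Rob's point that certmonger only logs and never alerts is the gap a small monitor can close. The following is an added example for this thread, not FreeIPA or certmonger code and not from either poster: it parses the egrep-filtered `ipa-getcert list` output in the shape shown in the message above and reports requests that are stuck, not in MONITORING, already expired, or inside a warning window. SAMPLE is constructed: its first three entries reproduce the thread's listing, the MONITORING entry and the stuck, expired "IPA RA" entry are invented for the demo. The CEST zone abbreviation is dropped when parsing, so the comparison is in the listing host's local time.

```python
"""Flag certmonger-tracked IPA certificates that are stuck, cannot reach the
CA, are expired, or expire inside a warning window.

Added example, not FreeIPA or certmonger code.  Input is the output of
`ipa-getcert list | egrep "status|subject|expires|stuck"` as run in the
thread; unrelated lines of an unfiltered listing are ignored as well."""
import datetime
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the thread's shape.  First three entries reproduce the
# thread's listing; the CA and IPA RA entries are invented for the demo.
SAMPLE = """\
status: CA_UNREACHABLE
stuck: no
subject: CN=lab002.labnet.org,O=IPA.LABNET.ORG
expires: 2023-10-20 08:12:29 CEST
status: CA_UNREACHABLE
stuck: no
subject: CN=lab002.labnet.org,O=IPA.LABNET.ORG
expires: 2023-10-20 08:12:29 CEST
status: CA_UNREACHABLE
stuck: no
subject: CN=lab002.labnet.org,O=IPA.LABNET.ORG
expires: 2023-10-20 08:12:29 CEST
status: MONITORING
stuck: no
subject: CN=Certificate Authority,O=IPA.LABNET.ORG
expires: 2025-09-04 07:00:00 CEST
status: CA_UNREACHABLE
stuck: yes
subject: CN=IPA RA,O=IPA.LABNET.ORG
expires: 2023-08-30 12:00:00 CEST
"""

KV = re.compile(r"^\s*(status|stuck|subject|expires):\s*(.*?)\s*$")


@dataclass
class Tracked:
    status: str
    stuck: bool
    subject: str
    expires: Optional[datetime.datetime]  # None when missing or unparsable


def _to_record(d: dict) -> Tracked:
    # certmonger prints local time plus a zone abbreviation (CEST above); strptime
    # cannot resolve abbreviations, so the first 19 chars are parsed as local time.
    try:
        expires = datetime.datetime.strptime(d.get("expires", "")[:19], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        expires = None
    return Tracked(d.get("status", "?"), d.get("stuck") == "yes",
                   d.get("subject", ""), expires)


def parse_getcert(text: str) -> list:
    """One Tracked per request.  getcert prints `status:` first for each
    request, so a new `status:` line closes the previous record."""
    records, cur = [], {}
    for line in text.splitlines():
        m = KV.match(line)
        if not m:
            continue
        key, val = m.groups()
        if key == "status" and cur:
            records.append(_to_record(cur))
            cur = {}
        cur[key] = val
    if cur:
        records.append(_to_record(cur))
    return records


def find_problems(records, now=None, warn_days: int = 90) -> list:
    """(subject, reason) pairs; `now` is a datetime or ISO-8601 string."""
    if now is None:
        now = datetime.datetime.now()
    elif isinstance(now, str):
        now = datetime.datetime.fromisoformat(now)
    horizon = now + datetime.timedelta(days=warn_days)
    out = []
    for r in records:
        if r.stuck:
            out.append((r.subject, "request is stuck"))
        if r.status != "MONITORING":
            out.append((r.subject, "status %s" % r.status))
        if r.expires is None:
            out.append((r.subject, "no parsable expiry"))
        elif r.expires <= now:
            out.append((r.subject, "expired %s" % r.expires.date()))
        elif r.expires <= horizon:
            out.append((r.subject, "expires in %d days" % (r.expires - now).days))
    return out


if __name__ == "__main__":
    for subject, reason in find_problems(parse_getcert(SAMPLE), "2023-09-19 20:52:00"):
        print("%-42s %s" % (subject, reason))
```

On a live server feed it `subprocess.run(["ipa-getcert", "list"], capture_output=True, text=True).stdout` (run as root) and wire a non-empty result into whatever alerting you already have; a 90-day window matches the lead time John describes in his reply.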
Thanks a million, Rob. Your comments are highly appreciated. Please see my answers below.
On Tue, 19 Sep 2023 at 20:52, Rob Crittenden <rcritten@redhat.com> wrote:
> John Doe via FreeIPA-users wrote:
>> Thank you so much for your support. Your comments set me on the right track. Namely, that the problem wasn't on the IPA side but on the Windows side. The name of the template is 'SubCA', and with the following command I was able to get the CSR signed:
>> certreq -submit -attrib CertificateTemplate:SubCA
>>
>> I could then get the cert installed into the IPA using:
>> sudo ipa-cacert-manage renew --external-cert-file=./ipa.cer --external-cert-file=./Root-CA.cer
>
> This updates the CA itself with its new certificate but it doesn't update the CA trust on the server nor any clients. You have to run ipa-certupdate everywhere to do that. Of course it requires TLS to run so you're in a bit of pickle because all the other certs are also expired.
Yes I figured as much :)
>> The main problem here is that the CA certificate expired before I renewed it. That's by intent, as I wanna try out the steps needed to remedy a situation like that, as well as what to do when you renew the cert before it expires.
>
> It depends. When a CA expires so does all of the certificates it issued (or they should). So literally no certs are valid. You'd have to re-issue the world. Which is hard because your CA won't start because all but its own certificate is expired.
So is it a question of reinstalling or is there some way to get completely new certs in there for everything?
>> Although it looks like the renewed cert has gotten installed, I'm still not able to log in using the GUI:
>>
>> [jdoe@lab002 ~]$ ipa find user
>> ipa: ERROR: cannot connect to 'https://lab002.labnet.org/ipa/json': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1129)
>> [jdoe@lab002 ~]$
>>
>> I tried running the following, it was successful, but the problem still persists:
>>
>> [jdoe@lab002 ~]$ sudo ipa-cert-fix
>> The ipa-cert-fix command was successful
>> [jdoe@lab002 ~]$
>> [jdoe@lab002 ~]$ sudo ipa-getcert list | egrep "status|subject|expires|stuck"
>> status: CA_UNREACHABLE
>> stuck: no
>> subject: CN=lab002.labnet.org,O=IPA.LABNET.ORG
>> expires: 2023-10-20 08:12:29 CEST
>> status: CA_UNREACHABLE
>> stuck: no
>> subject: CN=lab002.labnet.org,O=IPA.LABNET.ORG
>> expires: 2023-10-20 08:12:29 CEST
>> status: CA_UNREACHABLE
>> stuck: no
>> subject: CN=lab002.labnet.org,O=IPA.LABNET.ORG
>> expires: 2023-10-20 08:12:29 CEST
>> [jdoe@lab002 ~]$
>
> Can I ask why it's October? I assume you're twiddling with time?
Yes I have a very short lifetime for the CA cert, for I want to fiddle around with the various scenarios of renewing and expiring certs.
>> What am I missing or doing wrong?
>
> Don't let things expire and you'll avoid a whole ton of headache.
>
> IPA/certmonger will not warn you of the impending doom of expired certificates (beyond perhaps log messages). ipa-healthcheck will to some degree if you run it and examine the results.
Yes, that's for certain. Normally I set up our monitoring solution to check all certs as well, and warn about expiring certs 90 days ahead. This setup I'm currently fiddling with is a complete test just for learning/testing IPA and how it works with certs. So I want to know how to remedy the situation when a cert is about to expire, and also when it has expired. No matter how much monitoring and checks you have, at some point someone will just neglect the warnings and we end up in a situation like the one I'm in right now :-)
Best regards!