On Thu, Oct 10, 2019 at 12:09:48PM +0100, lejeczek via FreeIPA-users wrote:
On 01/10/2019 02:21, Fraser Tweedale wrote:
> On Mon, Sep 30, 2019 at 02:04:15PM +0100, lejeczek via FreeIPA-users wrote:
>> On 09/09/2019 01:07, Fraser Tweedale wrote:
>>> On Fri, Sep 06, 2019 at 12:01:23PM +0100, lejeczek via FreeIPA-users wrote:
>>>> hi guys,
>>>>
>>>> how to manage those?
>>>>
>>>> Why are these missing in "standard" IPA installations and how to get
>>>> them in?
>>>>
>>>> many thanks, L.
>>>>
>>> Do you mean in the IPA CA certificate, or in the end-entity
>>> certificates?
>>>
>>> If the CA certificate, use the --ca-subject option to specify the
>>> full subject DN you desire. Note that you can only do this upon
>>> installation; there is no way to change the subject of the CA after
>>> installation.
>>>
>>> For end-entity certificates, upon installation you can use the
>>> --subject-base option to specify the desired "subject base DN", to
>>> which the Common Name (CN) will be appended. For existing
>>> installations you can use the 'ipa certprofile-*' commands to import
>>> or modify profile configurations. You will want to tweak the
>>> configuration of the 'subjectNameDefaultImpl' component to include
>>> the desired attributes.
>>>
>>> Cheers,
>>> Fraser
>> Does the exactness of the 'subject' matter and if so then to whom?
>>
> It does matter. It is *critical* when renewing a CA certificate
> that the subject not change. On first installation it is not so
> critical, but receiving a certificate with different subject DN from
> the CSR usually indicates a mistake or a likelihood of problems down
> the track, when you need to renew it. So we reject it.
>
>> I got a request signed by an external authority but renewal fails with:
>>
>> $ IPA CA certificate with subject 'C=GB,......' was not found in ./file.crt
>>
>> $ The ipa-cacert-manage command failed.
>>
>> and when I glanced at request and the cert I can see that their subjects
>> differ in such way that order (what do you call it?) is reversed:
>>
>> request - Subject: CN=CCN, O=University, L=Some, ST=Something, C=GB
>>
>> cert - C=GB, ST=Something, L=Some, O=University, CN=CCN
>>
>> If this is the problem indeed then how to resolve such problem? Else,
>> what is the problem?
>>
> You have to put in the CSR what you expect to get back. If the
> issuer is reversing the Subject DN attributes... you will never get
> back what you want**. So you should work out what is going on in the
> program that is issuing the certificate; work with your CA admins or
> the CA software configuration to resolve this.
>
> ** unless the Subject DN is a palindrome :D
>
> If you give details about the program used to issue the IPA CA
> certificate, we may be able to assist more.
>
> Cheers,
> Fraser
And is it not possible to skip those checks for the cert's 'subject'?
It would be possible by editing the code. If Subject DN does not
match expectations, but we accept the certificate anyway, things may
break. (Or maybe not; I am not sure but this is definitely in the
Danger Zone).
p.s. Is it possible to get/extract, from the cert itself, info on which
program generated a cert?
In general it is not possible. In some cases it is possible to
infer by presence of particular extensions (e.g. Microsoft
Certificate Template extension suggests it was issued by AD-CS) or
other characteristics of the certificate. The Issuer DN and OCSP /
CRL information may provide clues.
But somehow, the certificate is being signed. Someone in your
organisation must know what program is being used and should be able
to assist, or at least tell you what program it is.
Cheers,
Fraser
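A small check for the problem discussed in this thread, added here as an example and not code from FreeIPA or from either poster: it compares the Subject DN printed for a CSR with the Subject DN printed for the certificate that came back, preserving RDN order, and reports whether the two are identical, identical but reversed, identical but shuffled, or genuinely different. It works on the text forms that `openssl req -subject` / `openssl x509 -subject` print (with or without a leading `subject=`), handles only single-valued RDNs and `\,` escapes, and is a stand-in for the exact comparison ipa-cacert-manage performs, which is not reproduced here. The two sample DNs are the strings quoted in the thread, constructed as test input with the missing comma added.

```python
"""Compare the Subject DN of a CSR with the Subject DN of the issued
certificate, RDN order included.

Added example (not FreeIPA code). Input is the textual subject line that
openssl prints, e.g. 'C = GB, ST = Something, CN = CCN' or the RFC 2253
style 'CN=CCN,O=University,C=GB'. Assumptions: single-valued RDNs only;
the only escape handled is '\\,' inside a value.
"""
import re

# Split on commas that are not escaped with a backslash.
_SPLIT = re.compile(r'(?<!\\),')


def parse_dn(text):
    """Turn an openssl-style subject string into an ordered list of
    (attribute-type, value) pairs, in the order the string lists them."""
    text = text.strip()
    if text.lower().startswith('subject='):
        text = text.split('=', 1)[1]
    rdns = []
    for part in _SPLIT.split(text):
        part = part.strip()
        if not part:
            continue
        if '=' not in part:
            raise ValueError('not an attribute=value pair: %r' % part)
        attr, value = part.split('=', 1)
        rdns.append((attr.strip().upper(),
                     value.strip().replace('\\,', ',')))
    return rdns


def compare_subjects(csr_subject, cert_subject):
    """Return one of:
      'match'     - same attributes, same values, same order
      'reversed'  - same attributes and values, order exactly reversed
                    (the symptom in the thread; see usage note below)
      'reordered' - same attributes and values, some other order
      'mismatch'  - the sets of attribute/value pairs differ
    """
    a, b = parse_dn(csr_subject), parse_dn(cert_subject)
    if a == b:
        return 'match'
    if a == list(reversed(b)):
        return 'reversed'
    if sorted(a) == sorted(b):
        return 'reordered'
    return 'mismatch'


def explain(csr_subject, cert_subject):
    """Human-readable verdict for an operator."""
    verdict = compare_subjects(csr_subject, cert_subject)
    notes = {
        'match': 'certificate subject equals the CSR subject; renewal '
                 'should not be rejected on subject grounds',
        'reversed': 'same RDNs in reverse order: either the issuing CA '
                    'reversed the DN, or the two strings were printed '
                    'with different -nameopt settings; re-check with the '
                    'same openssl options before blaming the CA',
        'reordered': 'same RDNs in a different order: the issuing CA '
                     'rewrote the subject; fix the CA-side template',
        'mismatch': 'attributes or values differ; the CA did not issue '
                    'the subject that was requested',
    }
    return '%s: %s' % (verdict, notes[verdict])


if __name__ == '__main__':
    # Constructed sample input: the two DNs quoted in the thread.
    csr = 'CN=CCN, O=University, L=Some, ST=Something, C=GB'
    cert = 'C=GB, ST=Something, L=Some, O=University, CN=CCN'
    print(explain(csr, cert))
```

Usage note: obtain both strings with the same options, for example `openssl req -in ipa.csr -noout -subject -nameopt RFC2253` and `openssl x509 -in file.crt -noout -subject -nameopt RFC2253`. OpenSSL's default `-subject` output and its `RFC2253` output list the same RDNs in opposite orders, so comparing one tool's default output against another tool's RFC 2253 output yields exactly the `reversed` verdict above even when the CA copied the CSR subject faithfully. Only once both are printed the same way does a `reversed` or `reordered` result point at the issuing software.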