hi guys,
how to manage those?
Why are these missing in "standard" IPA installations and how to get them in?
many thanks, L.
On Fri, Sep 06, 2019 at 12:01:23PM +0100, lejeczek via FreeIPA-users wrote:
Do you mean in the IPA CA certificate, or in the end-entity certificates?
If the CA certificate, use the --ca-subject option to specify the full subject DN you desire. Note that you can only do this upon installation; there is no way to change the subject of the CA after installation.
For end-entity certificates, upon installation you can use the --subject-base option to specify the desired "subject base DN", to which the Common Name (CN) will be appended. For existing installations you can use the 'ipa certprofile-*' commands to import or modify profile configurations. You will want to tweak the configuration of the 'subjectNameDefaultImpl' component to include the desired attributes.
Cheers, Fraser
On 09/09/2019 01:07, Fraser Tweedale wrote:
Do you mean in the IPA CA certificate, or in the end-entity certificates?
If the CA certificate, use the --ca-subject option to specify the full subject DN you desire. Note that you can only do this upon installation; there is no way to change the subject of the CA after installation.
Yes, I learned that bit in the meanwhile, I think on your blog.
Will it ever be possible to change CA's cert after installation at any time?
many thanks, L.
On Mon, Sep 09, 2019 at 11:12:54AM +0100, lejeczek wrote:
Yes, I learned that bit in the meanwhile, I think on your blog.
Will it ever be possible to change CA's cert after installation at any time?
If you mean changing the CA's Subject DN, then the short answer is no. The long answer is these blog posts:
- https://frasertweedale.github.io/blog-redhat/posts/2017-11-20-changing-ca-su...
- https://frasertweedale.github.io/blog-redhat/posts/2017-11-22-changing-ca-su...
tl;dr it is possible, but risky and unsupported and really, don't do that :)
Cheers, Fraser
Does the exactness of the 'subject' matter and if so then to whom?
I got a request signed by an external authority but renewal fails with:
$ IPA CA certificate with subject 'C=GB,......' was not found in ./file.crt
$ The ipa-cacert-manage command failed.
and when I glanced at the request and the cert I can see that their subjects differ in such a way that the order (what do you call it?) is reversed:
request - Subject: CN=CCN O=University, L=Some, ST=Something, C=GB
cert - C=GB, ST=Something, L=Some, O=University, CN=CCN
If this is the problem indeed then how to resolve such problem? Else, what is the problem?
many thanks, L.
On Mon, Sep 30, 2019 at 02:04:15PM +0100, lejeczek via FreeIPA-users wrote:
Does the exactness of the 'subject' matter and if so then to whom?
It does matter. It is *critical* when renewing a CA certificate that the subject not change. On first installation it is not so critical, but receiving a certificate with different subject DN from the CSR usually indicates a mistake or a likelihood of problems down the track, when you need to renew it. So we reject it.
I got a request signed by an external authority but renewal fails with:
$ IPA CA certificate with subject 'C=GB,......' was not found in ./file.crt
$ The ipa-cacert-manage command failed.
and when I glanced at the request and the cert I can see that their subjects differ in such a way that the order (what do you call it?) is reversed:
request - Subject: CN=CCN O=University, L=Some, ST=Something, C=GB
cert - C=GB, ST=Something, L=Some, O=University, CN=CCN
If this is the problem indeed then how to resolve such problem? Else, what is the problem?
You have to put in the CSR what you expect to get back. If the issuer is reversing the Subject DN attributes... you will never get back what you want**. So you should work out what is going on in the program that is issuing the certificate; work with your CA admins or the CA software configuration to resolve this.
** unless the Subject DN is a palindrome :D
If you give details about the program used to issue the IPA CA certificate, we may be able to assist more.
Cheers, Fraser
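The Subject DN comparison described above can be reproduced offline before a certificate is handed to ipa-cacert-manage. The following is an added example, not FreeIPA's own code: it parses the DN the CSR asked for and the DN the issuer returned and reports whether they match, are reversed (the case in this thread), are merely reordered, or differ. The sample DNs are constructed to mirror the thread, and the function names `parse_dn`, `classify` and `report` are my own. The parser also accepts OpenSSL's slash notation, which prints RDNs root-first (the encoded order), the reverse of the leaf-first order RFC 4514 uses; ruling out a print-order difference between tools is the first thing to do before concluding the issuer really reversed the DN.

```python
"""Check that an issued certificate's Subject DN is what the CSR asked for.

Added example (not FreeIPA code). It reproduces, offline, the kind of
comparison ipa-cacert-manage performs: the returned certificate must
carry the Subject DN from the CSR, attribute for attribute, in the same
order. The sample DNs are constructed to mirror the thread.
"""
import re
from typing import List, Tuple

RDN = Tuple[str, str]

# Attribute-type spellings that differ between tools; normalised so that
# "S"/"ST" and "E"/"emailAddress" compare equal.
_ALIASES = {"S": "ST", "E": "EMAILADDRESS", "EMAIL": "EMAILADDRESS"}

# Constructed sample: the DN requested in the CSR (RFC 4514, leaf first)
# and the DN the external CA put into the certificate.
CSR_SUBJECT = "CN=CCN, O=University, L=Some, ST=Something, C=GB"
CERT_SUBJECT = "C=GB, ST=Something, L=Some, O=University, CN=CCN"


def parse_dn(dn: str) -> List[RDN]:
    """Parse a DN string into an ordered list of (type, value) pairs.

    Accepts the RFC 4514 comma form ("CN=a, O=b, C=GB"), written leaf
    first, and OpenSSL's slash form ("/C=GB/O=b/CN=a"), written root
    first; the latter is reversed so both compare in leaf-first order.
    Only escaped separators ("\\," and "\\/") are handled; the full
    RFC 4514 escaping rules are out of scope for this example.
    """
    dn = dn.strip()
    if dn.startswith("/"):
        parts = [p for p in re.split(r"(?<!\\)/", dn[1:]) if p]
        parts.reverse()
    else:
        parts = [p for p in re.split(r"(?<!\\),", dn) if p.strip()]
    rdns: List[RDN] = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        typ, val = part.split("=", 1)
        typ = typ.strip().upper()
        typ = _ALIASES.get(typ, typ)
        val = val.strip().replace("\\,", ",").replace("\\/", "/")
        rdns.append((typ, val))
    return rdns


def classify(csr_dn: str, cert_dn: str) -> str:
    """Compare the requested and issued DNs.

    Returns "match" (safe to use), "reversed" (the issuer wrote the
    RDNs in the opposite order, as in the thread), "reordered" (same
    attributes, some other order) or "mismatch" (different attributes).
    A palindromic DN matches even from a reversing issuer, which is the
    one case where the order problem hides.
    """
    want = parse_dn(csr_dn)
    got = parse_dn(cert_dn)
    if want == got:
        return "match"
    if want == list(reversed(got)):
        return "reversed"
    if sorted(want) == sorted(got):
        return "reordered"
    return "mismatch"


def report(csr_dn: str, cert_dn: str) -> str:
    """One-line verdict following the advice given in the thread."""
    verdict = classify(csr_dn, cert_dn)
    advice = {
        "match": "Subject DN matches the CSR; renewal should accept it.",
        "reversed": "Issuer reversed the RDN order; fix the issuing CA's "
                    "configuration rather than the CSR.",
        "reordered": "Same attributes, different order; IPA will reject it.",
        "mismatch": "Different attributes; the CSR was not honoured.",
    }[verdict]
    return f"{verdict}: {advice}"


if __name__ == "__main__":
    print("CSR :", parse_dn(CSR_SUBJECT))
    print("cert:", parse_dn(CERT_SUBJECT))
    print(report(CSR_SUBJECT, CERT_SUBJECT))
```

Run it with the CSR subject (for example from `openssl req -in ipa.csr -noout -subject`) and the subject of the returned certificate; a "reversed" or "reordered" verdict means the problem is on the issuing side, as the reply above says, and no amount of re-submitting the same CSR will change the outcome.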
On 01/10/2019 02:21, Fraser Tweedale wrote:
many thanks Fraser,
what about the cert's extensions, if those are "lost"? If the CA extension is lost? Does that break stuff badly? (I fear yes)
thanks, L.
On Tue, Oct 01, 2019 at 09:09:52AM +0100, lejeczek wrote:
many thanks Fraser,
what about the cert's extensions, if those are "lost"? If the CA extension is lost? Does that break stuff badly? (I fear yes)
Yes, if the CA certificate does not have Basic Constraints with CA=true, then it is not a CA certificate. Validation will break. But we do check for this and reject the certificate if it does not have the required extensions.
Cheers, Fraser
And it's not possible to skip those checks for the cert's 'subject'?
p.s. Is it possible to get/extract, from the cert itself, info on which program generated a cert?
many thanks, L.
On Thu, Oct 10, 2019 at 12:09:48PM +0100, lejeczek via FreeIPA-users wrote:
And it's not possible to skip those checks for the cert's 'subject'?
It would be possible by editing the code. If Subject DN does not match expectations, but we accept the certificate anyway, things may break. (Or maybe not; I am not sure but this is definitely in the Danger Zone).
p.s. Is it possible to get/extract, from the cert itself, info on which program generated a cert?
In general it is not possible. In some cases it is possible to infer by presence of particular extensions (e.g. Microsoft Certificate Template extension suggests it was issued by AD-CS) or other characteristics of the certificate. The Issuer DN and OCSP / CRL information may provide clues.
But somehow, the certificate is being signed. Someone in your organisation must know what program is being used and should be able to assist, or at least tell you what program it is.
Cheers, Fraser