Hi All,
We are trying to install an externally signed certificate for the WebUI / HTTPS service on our RHEL IdM servers (primary and replica both). As the first step, we are trying to install the CA certificate chain of the issuer of the 3rd party certificate to IPA using "ipa-cacert-manage install".
Step 1: ipa-cacert-manage install idm-app-pilot-file.pem
We have put the certificate issued by the intermediate CA for the CSR generated at "/var/lib/ipa/ca.csr" by "ipa-cacert-manage renew --external-ca". The command accepts the certificate as expected.
Step 2: ipa-certupdate
We ran this command on both primary & replica and also the clients registered to the
Step 3: ipa-cacert-manage renew --external-cert-file=idm-app-pilot-file.pem --external-cert-file=ca_chain_cert.pem
In this step, we are running the "ipa-cacert-manage renew" command with the renewed CA certificate and the external CA certificate chain. "ca_chain_cert.pem" has the intermediate and root cert of the signing CA. The Step 3 command fails:
[root@ldmserver01 certs]# ipa-cacert-manage renew --external-cert-file=idm-app-pilot-file.pem --external-cert-file=ca_chain_cert.pem
Importing the renewed CA certificate, please wait
CA certificate CN=ABC Root CA,ST=California,OU=ABC_CA_Authority,O=ABCInc,L=PaloAlto,C=US in idm-app-pilot-file.pem, ca_chain_cert.pem is not valid: not a CA certificate
The ipa-cacert-manage command failed.
We have validated our certs using openssl verify -trusted as pasted below:
[root@ldmserver01 certs]# openssl verify -trusted ca_chain_cert.pem idm-app-pilot-file.pem
idm-app-pilot-file.pem: OK
Could someone please help us with which step we are doing wrong? What content does the IdM server expect in ca_chain_cert.pem in terms of the order of the root and intermediate sections? We have even tried appending the CA cert chain to idm-app-pilot-file.pem, but no luck.
Thanks in advance.
Regards, Saurabh Garg
On 7/25/19 9:41 AM, Saurabh Garg via FreeIPA-users wrote:
> Hi All,
> We are trying to install an externally signed certificate for the WebUI / HTTPS service on our RHEL IdM servers (primary and replica both). As the first step, we are trying to install the CA certificate chain of the issuer of the 3rd party certificate to IPA using "ipa-cacert-manage install".
> Step 1: ipa-cacert-manage install idm-app-pilot-file.pem
> We have put the certificate issued by the intermediate CA for the CSR generated at "/var/lib/ipa/ca.csr" by "ipa-cacert-manage renew --external-ca". The command accepts the certificate as expected.
Hi,
ipa-cacert-manage install needs to be provided with all the CA certs in your chain, one at a time, starting from the root CA. For instance, if your chain is rootCA > intermediateCA > apache cert, you need to run:
ipa-cacert-manage install [...] rootCA
ipa-cacert-manage install [...] intermediateCA
ipa-certupdate
> Step 2: ipa-certupdate
> We ran this command on both primary & replica and also the clients registered to the
> Step 3: ipa-cacert-manage renew --external-cert-file=idm-app-pilot-file.pem --external-cert-file=ca_chain_cert.pem
> In this step, we are running the "ipa-cacert-manage renew" command with the renewed CA certificate and the external CA certificate chain. "ca_chain_cert.pem" has the intermediate and root cert of the signing CA. The Step 3 command fails:
This is not the right command for what you want to achieve. "ipa-cacert-manage renew" would renew the IPA CA certificate and replace it with your external cert.
You need to use ipa-server-certinstall instead; ipa-server-certinstall --http will install the key/cert provided for the apache server. Please see the ipa-server-certinstall(1) man page for all the options, and [1] for the official documentation.
HTH, flo
[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
> [root@ldmserver01 certs]# ipa-cacert-manage renew --external-cert-file=idm-app-pilot-file.pem --external-cert-file=ca_chain_cert.pem
> Importing the renewed CA certificate, please wait
> CA certificate CN=ABC Root CA,ST=California,OU=ABC_CA_Authority,O=ABCInc,L=PaloAlto,C=US in idm-app-pilot-file.pem, ca_chain_cert.pem is not valid: not a CA certificate
> The ipa-cacert-manage command failed.
> We have validated our certs using openssl verify -trusted as pasted below:
> [root@ldmserver01 certs]# openssl verify -trusted ca_chain_cert.pem idm-app-pilot-file.pem
> idm-app-pilot-file.pem: OK
> Could someone please help us with which step we are doing wrong? What content does the IdM server expect in ca_chain_cert.pem in terms of the order of the root and intermediate sections? We have even tried appending the CA cert chain to idm-app-pilot-file.pem, but no luck.
> Thanks in advance.
> Regards, Saurabh Garg
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Thanks Florence for the response.
As the CSR (that was submitted to an external CA for signing) was generated by the IDM server using the command "ipa-cacert-manage renew --external-ca", the private key required for running "ipa-server-certinstall" should be provided by IDM. Could you please help me get hold of the private key used by IDM while generating the CSR?
Thanks, Saurabh Garg
On 7/25/19 3:11 PM, Saurabh Garg via FreeIPA-users wrote:
> Thanks Florence for the response.
> As the CSR (that was submitted to an external CA for signing) was generated by the IDM server using the command "ipa-cacert-manage renew --external-ca", the private key required for running "ipa-server-certinstall" should be provided by IDM. Could you please help me get hold of the private key used by IDM while generating the CSR?
Hi,
You cannot use ipa-cacert-manage renew --external-ca to produce a CSR for the apache server. This command would craft the CSR with extensions adapted for a CA cert, not for a server cert.
Please see [1], "Replacing the Web Server's and LDAP server's certificate"; it shows how to create a new CSR.
flo
[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
> Thanks, Saurabh Garg
Hi Florence, Thanks for all the help so far.
In the scenario where we need to change the current CA certificate to one signed by an external CA: as per your suggestion we are running the "ipa-cacert-manage install" command to provide all the CA certs in the chain, one at a time, starting from the root CA, as pasted below:
[root@ldmserver01 certs]# ipa-cacert-manage install root.pem
Installing CA certificate, please wait
Not a valid CA certificate: missing subject key identifier extension (visit http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
The ipa-cacert-manage command failed.
[root@ldmserver01 certs]#
The command complains about a missing subject key identifier extension in the external CA root certificate. Please advise how we can make it work. We can't expect our CA team to fix this for us, as this external CA server and its CA chain are already being used by so many other services.
Thanks, Saurabh Garg
Saurabh Garg via FreeIPA-users wrote:
> Hi Florence, Thanks for all the help so far.
> In the scenario where we need to change the current CA certificate to one signed by an external CA: as per your suggestion we are running the "ipa-cacert-manage install" command to provide all the CA certs in the chain, one at a time, starting from the root CA, as pasted below:
> [root@ldmserver01 certs]# ipa-cacert-manage install root.pem
> Installing CA certificate, please wait
> Not a valid CA certificate: missing subject key identifier extension (visit http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
> The ipa-cacert-manage command failed.
> [root@ldmserver01 certs]#
> The command complains about a missing subject key identifier extension in the external CA root certificate. Please advise how we can make it work. We can't expect our CA team to fix this for us, as this external CA server and its CA chain are already being used by so many other services.
Sorry, it is a mandatory extension. Per the commit message for https://pagure.io/freeipa/issue/6976:
CA certificates MUST have the Subject Key Identifier extension to facilitate certification path construction. Not having this extension on the IPA CA certificate will cause failures in Dogtag during signing; it tries to copy the CA's Subject Key Identifier to the new certificate's Authority Key Identifier extension, which fails.
rob
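A pre-flight check for the chain before running ipa-cacert-manage install, covering both Florence's install order (root first, one cert at a time) and the mandatory Subject Key Identifier that Rob mentions. This is an added example, not code from the thread or from FreeIPA; it assumes only the openssl command line tool and a PEM bundle with the root first.

```shell
#!/bin/sh
# Pre-flight check for a CA chain before "ipa-cacert-manage install" (added example,
# not FreeIPA code; assumes only the openssl CLI): each certificate must be a real CA
# (basicConstraints CA:TRUE) and carry a Subject Key Identifier; bundle is root first.

# Split a PEM bundle ($1) into one file per certificate in directory $2.
split_pem_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", dir, n) }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$1"
}

# Verify one certificate file; prints each problem found, returns 1 if any.
check_ca_cert() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || { echo "  FAIL: unreadable certificate"; return 1; }
    rc=0
    case "$text" in *"CA:TRUE"*) ;; *)
        echo "  FAIL: not a CA certificate (no basicConstraints CA:TRUE)"; rc=1 ;;
    esac
    case "$text" in *"X509v3 Subject Key Identifier"*) ;; *)
        echo "  FAIL: missing subject key identifier extension"; rc=1 ;;
    esac
    return $rc
}

# Check every certificate in bundle $1 and print the order to install them in.
check_ca_chain() {
    tmp=$(mktemp -d) || return 2
    split_pem_bundle "$1" "$tmp"
    rc=0; i=0; prev=""
    for cert in "$tmp"/cert-*.pem; do
        [ -f "$cert" ] || { echo "no certificates found in $1"; rm -rf "$tmp"; return 2; }
        i=$((i + 1))
        subj=$(openssl x509 -in "$cert" -noout -subject); subj=${subj#subject=}
        iss=$(openssl x509 -in "$cert" -noout -issuer); iss=${iss#issuer=}
        echo "cert $i (install step $i): $subj"
        echo "  issued by: $iss"
        # Root first: every later certificate should be issued by the one before it.
        if [ -n "$prev" ] && [ "$iss" != "$prev" ]; then
            echo "  WARN: not issued by the previous certificate; check the chain order"
        fi
        check_ca_cert "$cert" || rc=1
        prev=$subj
    done
    rm -rf "$tmp"
    return $rc
}
```

Run it as `check_ca_chain ca_chain_cert.pem`; a non-zero exit means ipa-cacert-manage install would reject at least one certificate for the same reasons shown in this thread.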
Hi Rob, Thanks for the reply.
As the Subject Key Identifier extension is a must in the CA cert, we can't go ahead with changing the current CA certificate.
Then we tried changing the cert for apache alone using the below commands with the root and intermediate certs from a different CA, but that also fails. Please see the error below:
--------------------------------------------------------------------------------
[root@ldmserver01 sg]# ipa-server-certinstall -w key.pem server.cert.pfx
Directory Manager password:
Enter private key unlock password:
Can't load private key from both key.pem and server.cert.pfx
The ipa-server-certinstall command failed.
[root@ldmserver01 sg]# ipa-server-certinstall -w key.pem server.cert.pfx
Directory Manager password:
Enter private key unlock password:
Failed to load server.cert.pfx
The ipa-server-certinstall command failed.
[root@ldmserver01 sg]#
--------------------------------------------------------------------------------
Could you please help us understand what might be wrong here? We also verified the server cert using the below command:
openssl pkcs12 -info -in server.cert.pfx
The result of the above command confirms that the cert and CA chain are correct.
Please advise.
Thanks, Saurabh Garg
Saurabh Garg via FreeIPA-users wrote:
> Hi Rob, Thanks for the reply.
> As the Subject Key Identifier extension is a must in the CA cert, we can't go ahead with changing the current CA certificate.
> Then we tried changing the cert for apache alone using the below commands with the root and intermediate certs from a different CA, but that also fails. Please see the error below:
> [root@ldmserver01 sg]# ipa-server-certinstall -w key.pem server.cert.pfx
> Directory Manager password:
> Enter private key unlock password:
> Can't load private key from both key.pem and server.cert.pfx
> The ipa-server-certinstall command failed.
> [root@ldmserver01 sg]# ipa-server-certinstall -w key.pem server.cert.pfx
> Directory Manager password:
> Enter private key unlock password:
> Failed to load server.cert.pfx
> The ipa-server-certinstall command failed.
> [root@ldmserver01 sg]#
> Could you please help us understand what might be wrong here? We also verified the server cert using the below command:
> openssl pkcs12 -info -in server.cert.pfx
> The result of the above command confirms that the cert and CA chain are correct.
Sure looks like server.cert.pfx already contains the private key, so drop key.pem from the command.
rob