[Freeipa-devel] [freeipa] #3668: CA-less install fails when intermediate CA is used

Jan Cholasta jcholast at redhat.com
Fri Jun 7 13:08:48 UTC 2013


On 7.6.2013 14:54, Dmitri Pal wrote:
> On 06/07/2013 08:26 AM, Martin Kosek wrote:
>> On 06/07/2013 02:04 PM, Dmitri Pal wrote:
>>> On 06/07/2013 03:47 AM, freeipa wrote:
>>>> #3668: CA-less install fails when intermediate CA is used
>>>> -------------------------------------+-------------------------------------
>>>>                 Reporter:  jcholast   |             Owner:  jcholast
>>>>                     Type:  defect     |            Status:  assigned
>>>>                 Priority:  major      |         Milestone:  2013 Month 06 -
>>>>                Component:             |  June (3.2.x bug fixing)
>>>>    Installation                       |           Version:
>>>>               Resolution:             |          Keywords:
>>>>               Blocked By:             |          Blocking:
>>>>            Tests Updated:  0          |       Affects DOC:  0
>>>> Patch posted for review:  0          |  Red Hat Bugzilla:
>>>>                   Source:             |       Effort Type:
>>>>         Targeted feature:             |       Design link:
>>>>            Design review:  0          |  Fedora test page:
>>>>                   Chosen:             |   Needs UI design:
>>>> -------------------------------------+-------------------------------------
>>>> Release Notes:
>>>>
>>>>
>>>> -------------------------------------+-------------------------------------
>>>> Changes (by mkosek):
>>>>
>>>>   * rhbz:  0 =>
>>>>
>>>>
>>>> Comment:
>>>>
>>>>   We do not support intermediate CAs for external CA install or CA-less
>>>>   install. Thus, this ticket cannot be easily solved without extensive changes to
>>>>   the installer. Related to #3274 (Pilsner milestone).
>>>>
>>>>   Moving back to triage to decide what to do about this ticket.
>>>>
>>> So you are saying that CA we chain to or get the certs from should
>>> always be a root CA?
>>> Why does it matter for our code whether the CA we deal with is a Root CA or
>>> not?
>> No, this is a case when a CA you pass to FreeIPA is not a direct "parent" of
>> HTTP/DIRSRV certificates, i.e. there is an intermediate CA between the CA
>> passed to IPA and the actual certs.
>
> My question is what prevents you from giving IPA the certs from the direct
> parent. What is the use case or real world scenario where the parent
> certs are not available?
> Just trying to wrap my head.
>
> I have CA 1 and CA 2. CA 2 is a sub CA of 1.
> I have certs from CA 1
> If I pass them to IPA but point to CA2 it would not work. OK
> The example can be that CA1 is a public CA and CA2 is my CA. But what
> prevents me from giving IPA the certs from CA2? Why would I try to give
> IPA certs from CA1?
>
> Do I understand the scenario correctly?
>

Nothing is preventing you from giving IPA certs from CA2; this works fine.

The problem is that if you pass IPA certificates issued by CA2 and point 
it to CA1 at the same time, it does not work (despite having the 
complete trust chain).

Honza

-- 
Jan Cholasta
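The failure described in this reply, reproduced with the openssl command line as an added example (this is not code from the thread or from FreeIPA). It builds a constructed, throwaway hierarchy (self-signed root "CA1", intermediate "CA2" signed by CA1, and a leaf for the made-up host ipa.example.test signed by CA2) and then shows three verifications: the leaf against CA1 alone fails because the chain cannot be built without the intermediate, while supplying CA2 as an untrusted intermediate, or putting CA1 and CA2 together in one trust bundle, verifies. It assumes the openssl binary is installed and goes slightly beyond the thread by showing both ways of completing the chain.

```shell
#!/bin/sh
# Added example, not part of the FreeIPA thread: a constructed CA1 -> CA2 -> leaf
# chain built with the openssl CLI to show why a leaf signed by an intermediate
# (CA2) cannot be validated against the root (CA1) alone, and what completes
# the chain. Requires the openssl binary; all keys and certs are throwaway.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build the constructed hierarchy: self-signed root CA1, intermediate CA2
# signed by CA1 (CA:TRUE so it may issue), and a server leaf signed by CA2.
build_chain() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ipa.example.test\n' \
        > "$WORK/leaf.ext"

    # CA1: self-signed root
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/ca1.key" \
        -out "$WORK/ca1.csr" -subj "/CN=CA1 root" 2>/dev/null
    openssl x509 -req -days 2 -in "$WORK/ca1.csr" -signkey "$WORK/ca1.key" \
        -extfile "$WORK/ca.ext" -out "$WORK/ca1.pem" 2>/dev/null

    # CA2: intermediate issued by CA1
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/ca2.key" \
        -out "$WORK/ca2.csr" -subj "/CN=CA2 intermediate" 2>/dev/null
    openssl x509 -req -days 2 -in "$WORK/ca2.csr" -CA "$WORK/ca1.pem" \
        -CAkey "$WORK/ca1.key" -CAcreateserial -extfile "$WORK/ca.ext" \
        -out "$WORK/ca2.pem" 2>/dev/null

    # Leaf (the HTTP/DIRSRV-style server cert): issued by CA2, not by CA1
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
        -out "$WORK/leaf.csr" -subj "/CN=ipa.example.test" 2>/dev/null
    openssl x509 -req -days 2 -in "$WORK/leaf.csr" -CA "$WORK/ca2.pem" \
        -CAkey "$WORK/ca2.key" -CAcreateserial -extfile "$WORK/leaf.ext" \
        -out "$WORK/leaf.pem" 2>/dev/null
}

# The situation in the thread: trust anchor is CA1 only and the leaf (signed by
# CA2) is presented alone. Chain building stops at the missing issuer CA2.
verify_leaf_against_root_only() {
    openssl verify -CAfile "$WORK/ca1.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Complete chain: CA1 trusted, CA2 handed over as an untrusted intermediate
# together with the leaf (what a server would send alongside its cert).
verify_leaf_with_intermediate() {
    openssl verify -CAfile "$WORK/ca1.pem" -untrusted "$WORK/ca2.pem" \
        "$WORK/leaf.pem" >/dev/null 2>&1
}

# Alternative: the trust material given to the verifier is a bundle holding
# both CA1 and CA2, so the chain can be completed from the store itself.
verify_leaf_against_bundle() {
    cat "$WORK/ca1.pem" "$WORK/ca2.pem" > "$WORK/bundle.pem"
    openssl verify -CAfile "$WORK/bundle.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

build_chain
if verify_leaf_against_root_only; then
    echo "unexpected: leaf verified against CA1 alone"
else
    echo "CA1 alone: verification fails (intermediate CA2 missing from the chain)"
fi
if verify_leaf_with_intermediate; then
    echo "CA1 trusted + CA2 as untrusted intermediate: verification ok"
fi
if verify_leaf_against_bundle; then
    echo "CA1+CA2 bundle as trust material: verification ok"
fi
```

The point for an installer that accepts externally issued certificates is that the CA file it is given must let it build the full path from the server certificate to a self-signed root: either the intermediate travels with the server certificate, or it is part of the trust bundle. Validating only against the root the admin named, without the intermediate, fails exactly as the reply describes.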