[Freeipa-devel] Questions re. 3rd party certificates

Jan Cholasta jcholast at redhat.com
Tue Jun 21 10:33:15 UTC 2016


Hi,

On 21.6.2016 11:03, Florence Blanc-Renaud wrote:
> Hi,
>
> I am working on the following issues and I have questions re. 3rd party
> certificates:
> - https://fedorahosted.org/freeipa/ticket/4785 ipa-server-certinstall
> tracks the 3rd party cert it installs with certmonger
> - https://fedorahosted.org/freeipa/ticket/4786 ipa-server-certinstall
> does not accept certs signed by 3rd party CAs
>
> First I would like to validate that my scenario is the correct one:
> FreeIPA installed with an embedded CA. The customer now wants to use a
> different certificate for httpd and dirsrv, signed by a 3rd party CA.
> The steps to achieve this are:
> 1. run "ipa-cacert-manage install -t C,, <CAcert file>" to install the
> 3rd party CA certificate. This step puts the CA certificate in the LDAP
> entry cn=certificates,cn=ipa,cn=etc,dc=...

Right.

>
> 2. run "ipa-certupdate" to retrieve the CA cert from LDAP and put it
> into /etc/ipa/nssdb /etc/dirsrv/slapd-xxx and /etc/httpd/alias
> Note that this command does not put the CA cert into
> /etc/pki/pki-tomcat/alias, is this expected? I had to perform this
> manually (otherwise tomcat won't restart later).

ipa-certupdate is supposed to update /etc/pki/pki-tomcat/alias.

Here is the relevant code: 
<https://git.fedorahosted.org/cgit/freeipa.git/tree/install/restart_scripts/renew_ca_cert#n156>

>
> 3. run "ipa-server-certinstall -d -w key.pem cert.pem"
> This command should stop tracking the previous cert, install the new
> one in /etc/dirsrv/slapd-xx (if -d is used) and /etc/httpd/alias (if -w
> is used), and track the new one only if signed by IPA CA. It also
> updates the attribute nssslpersonalityssl of the entry
> cn=rsa,cn=encryption,cn=config to contain the new cert nickname (for the
> dirsrv) and sets NSSNickname in /etc/httpd/conf.d/nss.conf (for httpd).

Right.

>
> After those steps, I noticed that
> - the entries
> krbprincipalname=HTTP/hostname@dom,cn=services,cn=accounts,dc=domain...
> and
> krbprincipalname=ldap/hostname@dom,cn=services,cn=accounts,dc=domain...
> are not updated: their attribute userCertificate still contains the old
> certificate.
> Did I miss a manual step? Is it an issue?

AFAIK ipa-server-certinstall never updated these entries. It's probably 
not an issue, but it would be nice to update them, for consistency.

>
> - the new certificate nickname is not "Server-Cert" any more but rather
> the full subject (even if --cert-name was supplied to
> ipa-server-certinstall).
> Can this cause issues?

Actually, the full subject name is used only if the originating PKCS#12 
file does not have a nickname for the server certificate.

The --cert-name is used to select a single server certificate from the 
PKCS#12 file in case there are multiple; it is not supposed to change 
the nickname.

It could cause an issue if someone assumed that the nickname is always 
"Server-Cert", but I don't think that there currently is code that does.

>
> Thanks for any input,
> Flo.
>

Honza

-- 
Jan Cholasta
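As an added check for step 2 of the procedure discussed above (this is not code from the thread or from FreeIPA): the script below parses `certutil -L` listings for the four NSS databases named in the thread and reports, per database, whether a given CA nickname is present with the C (trusted CA) flag in the SSL slot, which is how a CA certificate missing from /etc/pki/pki-tomcat/alias would show up. The CA nickname "Third-Party CA", the dirsrv instance name and the embedded listings are constructed sample values.

```python
import re
import subprocess

# NSS databases that ipa-certupdate is expected to refresh (instance name is a placeholder).
NSS_DBS = ("/etc/ipa/nssdb", "/etc/dirsrv/slapd-EXAMPLE-COM",
           "/etc/httpd/alias", "/etc/pki/pki-tomcat/alias")

# certutil trust-flag triple such as "C,,", "CT,C,C", "u,u,u" or ",," (no trust).
TRUST_RE = re.compile(r"^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$")

HEADER = ("Certificate Nickname                          Trust Attributes\n"
          "                                              SSL,S/MIME,JAR/XPI\n\n")
# Constructed `certutil -L` output: httpd has the CA without the C flag and
# the tomcat DB lacks it entirely, mirroring the situation described in the thread.
SAMPLE_LISTINGS = {
    "/etc/ipa/nssdb": HEADER + "Third-Party CA                C,,\n",
    "/etc/dirsrv/slapd-EXAMPLE-COM": HEADER + "Server-Cert    u,u,u\nThird-Party CA   C,,\n",
    "/etc/httpd/alias": HEADER + "Server-Cert    u,u,u\nThird-Party CA   ,,\n",
    "/etc/pki/pki-tomcat/alias": HEADER + "caSigningCert cert-pki-ca   CTu,Cu,Cu\n"
                                          "Server-Cert    u,u,u\n",
}


def parse_certutil_listing(text):
    """Parse `certutil -L -d <db>` output into {nickname: trust_flags}."""
    certs = {}
    for line in text.splitlines():
        parts = line.rstrip().rsplit(None, 1)  # nickname may contain spaces; flags never do
        if len(parts) != 2 or not TRUST_RE.match(parts[1]):
            continue  # skips the two header lines and blank lines
        certs[parts[0].strip()] = parts[1]
    return certs


def ca_status(listing, ca_nick):
    """Return 'missing', 'untrusted' (no C flag in the SSL slot) or 'ok'."""
    trust = parse_certutil_listing(listing).get(ca_nick)
    if trust is None:
        return "missing"
    return "ok" if "C" in trust.split(",")[0] else "untrusted"


def audit_ca(listings, ca_nick):
    """listings: {db_path: certutil -L text} -> {db_path: status}."""
    return {db: ca_status(text, ca_nick) for db, text in listings.items()}


def read_nssdb(db):
    # Live mode only: certutil comes from nss-tools; "sql:" selects the sqlite DB format.
    return subprocess.run(["certutil", "-L", "-d", "sql:" + db],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    import sys
    live = "--live" in sys.argv  # without --live the constructed sample is audited
    listings = {d: read_nssdb(d) for d in NSS_DBS} if live else SAMPLE_LISTINGS
    for db, status in audit_ca(listings, "Third-Party CA").items():
        print(f"{db}: {status}")
```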
