[Freeipa-devel] Needs testing: Replace IPA CA

Rob Crittenden rcritten at redhat.com
Mon Jul 27 20:59:37 UTC 2009


We were improperly creating the IPA self-signed CA during installation. 
It lacked a certificate extension marking it as a CA. This causes the 
certificates that IPA generates to not work with Firefox 3.5.

I'm working on a fix for this. If someone wants to give it a test that 
would be helpful.

There are several steps you need to take on the initial master. If you 
have replicas I'll get back to that:

- Apply the patch to certs.py to 
(/usr/lib/python*/site-packages/ipaserver/certs.py)
- Back up /etc/dirsrv/slapd-INSTANCE/*.db and *.txt
- Back up /etc/httpd/alias/*.db
- Run ipa-ca with the following options

As root:

# service dirsrv stop
# service httpd stop
# rm -f /etc/dirsrv/slapd-<INSTANCE>/cert8.db
# python ipa-ca -g
# python ipa-ca -i -s yourhost.example.com -o ds.p12 -p password
# python ipa-ca -i -s yourhost.example.com -o http.p12 -p password
# pk12util -i ds.p12 -d /etc/dirsrv/slapd-<INSTANCE> -k /etc/dirsrv/slapd-<INSTANCE>/pwdfile.txt
# rm -f /etc/httpd/alias/*.db
# certutil -N -d /etc/httpd/alias (press enter twice, no password)
# chown apache /etc/httpd/alias/*.db
# pk12util -i http.p12  -d /etc/httpd/alias
# certutil -M -t "CT,,C" -n "CA certificate" -d /etc/httpd/alias
# service dirsrv start
# service httpd start

Your new CA is in /etc/dirsrv/slapd-INSTANCE/cacert.p12. You'll want to 
back this up somewhere (and probably remove the .p12 file).

This should generate a new CA, issue 2 certificates and put them into 
PKCS#12 files, then import them into your instances.

If you have any replicas then do the same steps without the "ipa-ca -g" 
step. ipa-ca should always be run on the initial IPA master.

The basic idea is that 'ipa-ca -g' generates a new CA using the certs.py 
patch that you applied. Then you create a PKCS#12 file for each of the 
two services on each IPA instance. The process of generating a new CA 
creates a new DS database so you just have to import the cert you generated.

For Apache we have to remove the database and re-create it, fixing 
permissions along the way. Then the cert is imported and the CA trusted.

This works for me with IPA v1.2. I wouldn't recommend doing this on a 
production server yet.

rob
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: certs.diff
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20090727/516b85b1/attachment.ksh>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ipa-ca
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20090727/516b85b1/attachment-0001.ksh>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20090727/516b85b1/attachment.bin>
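The defect this mail fixes is a self-signed CA certificate that carries no basicConstraints extension (cA=TRUE), which is why Firefox 3.5 will not accept certificates chaining to it. As an added example that is not part of the original mail or of the attached certs.py and ipa-ca patches, the following standard-library Python builds that extension in DER form and walks any DER blob (a full certificate, or just its extensions) to report whether the CA flag is present, so a regenerated CA can be checked before it is imported into the NSS databases. The sample_extensions() input is a constructed stand-in for a tbsCertificate extensions block, not a real certificate, and every function name here is this example's own.

```python
"""Check a DER-encoded X.509 structure for basicConstraints (OID 2.5.29.19)
with cA=TRUE, the extension the original IPA self-signed CA lacked.
Pure standard-library ASN.1/DER handling; assumes single-byte tags, which
is all X.509 uses."""

BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")  # DER body of 2.5.29.19


def _read_tlv(data, pos):
    """Return (tag, value_bytes, next_pos) for the DER TLV starting at pos."""
    tag = data[pos]
    pos += 1
    length = data[pos]
    pos += 1
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _der_len(n):
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, body):
    """Wrap body in a DER TLV with the given tag."""
    return bytes([tag]) + _der_len(len(body)) + body


def encode_basic_constraints(ca=True, path_len=None, critical=True):
    """Build the DER Extension that marks a certificate as a CA.
    DER omits DEFAULT values, so cA=FALSE is encoded as an empty SEQUENCE.
    path_len is assumed to fit in one byte (0..127)."""
    bc = der(0x01, b"\xff") if ca else b""
    if path_len is not None:
        bc += der(0x02, bytes([path_len]))
    ext = der(0x06, BASIC_CONSTRAINTS_OID)
    if critical:
        ext += der(0x01, b"\xff")
    ext += der(0x04, der(0x30, bc))  # extnValue OCTET STRING holds the inner SEQUENCE
    return der(0x30, ext)


def _parse_bc_extension(ext_body):
    """Parse the body of an Extension SEQUENCE known to carry basicConstraints."""
    pos = 0
    _, _, pos = _read_tlv(ext_body, pos)          # extnID OID
    tag, val, pos = _read_tlv(ext_body, pos)      # critical BOOLEAN or extnValue
    if tag == 0x01:
        tag, val, pos = _read_tlv(ext_body, pos)  # extnValue OCTET STRING
    _, bc_body, _ = _read_tlv(val, 0)             # inner BasicConstraints SEQUENCE
    ca, path_len, pos = False, None, 0
    while pos < len(bc_body):
        tag, v, pos = _read_tlv(bc_body, pos)
        if tag == 0x01:
            ca = v != b"\x00"
        elif tag == 0x02:
            path_len = int.from_bytes(v, "big")
    return ca, path_len


def find_basic_constraints(data):
    """Recurse through constructed DER nodes (SEQUENCE, SET, [n] EXPLICIT) and
    return (ca, path_len) for the basicConstraints extension, or None."""
    pos = 0
    while pos < len(data):
        tag, value, pos = _read_tlv(data, pos)
        if tag == 0x30 and value[:5] == b"\x06\x03" + BASIC_CONSTRAINTS_OID:
            return _parse_bc_extension(value)
        if tag & 0x20:  # constructed node: descend; primitives (OCTET/BIT STRING) are skipped
            found = find_basic_constraints(value)
            if found is not None:
                return found
    return None


def is_ca_certificate(data):
    """True only when basicConstraints is present and cA=TRUE."""
    bc = find_basic_constraints(data)
    return bc is not None and bc[0]


def sample_extensions(include_ca):
    """Constructed stand-in for a tbsCertificate extensions block (not a real
    certificate): a [3] EXPLICIT wrapper around a subjectKeyIdentifier extension
    and, optionally, basicConstraints."""
    ski = der(0x30, der(0x06, bytes.fromhex("551d0e")) + der(0x04, der(0x04, b"\x01\x02\x03\x04")))
    exts = ski + (encode_basic_constraints() if include_ca else b"")
    return der(0x30, der(0xA3, der(0x30, exts)))


if __name__ == "__main__":
    print("fixed-style CA flagged as CA:", is_ca_certificate(sample_extensions(True)))
    print("old-style CA flagged as CA:  ", is_ca_certificate(sample_extensions(False)))
```

To run the check against a real NSS database, dump the CA in raw DER with `certutil -L -d /etc/dirsrv/slapd-<INSTANCE> -n "CA certificate" -r > ca.der` and pass the file's bytes to is_ca_certificate(); the walker descends the outer Certificate SEQUENCE into tbsCertificate and its [3] extensions wrapper without needing to parse the rest of the structure.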

