[Freeipa-users] External CA
William Leese
william.leese at meltwater.com
Wed Nov 6 05:32:42 UTC 2013
Hi,
Trying to install freeIPA and have it be a sub-CA of an existing one. Sadly
I'm not getting anywhere.
The version I have installed:
ipa-server-3.0.0-26.el6_4.4.x86_64
This is what I run:
ipa-server-install -U -a testtest -p testtest
--external_cert_file=/root/server.pem --external_ca_file=/root/cacert.pem
-p testtest -P testtest -r MELTWATER.COM
Which runs this as part of the process:
/usr/bin/pkisilent ConfigureCA -cs_hostname
vagrant-centos-6.meltwater.com -cs_port 9445 -client_certdb_dir
/tmp/tmp-bOrwSu -client_certdb_pwd
testtest -preop_pin 4hdia3IvPvf27Qo7kBbO -domain_name IPA -admin_user admin
-admin_email root at localhost -admin_password testtest -agent_name
ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject
CN=ipa-ca-agent,O=MELTWATER.COM -ldap_host
vagrant-centos-6.meltwater.com -ldap_port 7389 -bind_dn cn="Directory
Manager" -bind_password testtest
-base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm
SHA256withRSA -save_p12 true -backup_pwd testtest -subsystem_name pki-cad
-token_name internal -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=
MELTWATER.COM" -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=
MELTWATER.COM" -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=MELTWATER.COM"
-ca_server_cert_subject_name CN=vagrant-centos-6.meltwater.com,O=
MELTWATER.COM -ca_audit_signing_cert_subject_name "CN=CA Audit,O=
MELTWATER.COM" -ca_sign_cert_subject_name "CN=Certificate Authority,O=
MELTWATER.COM" -external true -ext_ca_cert_file /root/server.pem
-ext_ca_cert_chain_file /root/cacert.pem
All this results in this in the log:
<errorString>Failed to create pkcs12 file.</errorString>
[snip]
Error in BackupPanel(): updateStatus value is null
ERROR: ConfigureCA: BackupPanel() failure
ERROR: unable to create CA
Interestingly adding the option -save_p12 false to the pkisilent command
above results in:
importCert string: importing with nickname: ipa-ca-agent
Already logged into to DB
ERROR:exception importing cert Security library failed to decode
certificate package: (-8183) security library: improperly formatted
DER-encoded message.
ERROR: AdminCertImportPanel() during cert import
ERROR: ConfigureCA: AdminCertImportPanel() failure
ERROR: unable to create CA
While the option change seemed innocent, I honestly don't know if it's
crucial to the install or not. Anyhow, things don't really progress anyway.
I followed the documentation by signing the /root/ipa.csr with a test,
internal CA but somehow I can't get the install to proceed.
[root at vagrant-centos-6 CA]# cat /root/server.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=JP, ST=TK, L=TKK, O=MW, OU=ops,
CN=vagrant.localdomain/emailAddress=t at t.com
Validity
Not Before: Nov 6 05:12:09 2013 GMT
Not After : Nov 6 05:12:09 2014 GMT
Subject: O=MELTWATER.COM, CN=Certificate Authority
[snip]
-----BEGIN CERTIFICATE-----
MIIDfDCCAmSgAwIBAgIBAjANBgkqhkiG9w0BAQUFADB5MQswCQYDVQQGEwJKUDEL
MAkGA1UECAwCVEsxDDAKBgNVBAcMA1RLSzELMAkGA1UECgwCTVcxDDAKBgNVBAsM
A29wczEcMBoGA1UEAwwTdmFncmFudC5sb2NhbGRvbWFpbjEWMBQGCSqGSIb3DQEJ
[snip]
[root at vagrant-centos-6 CA]# cat /root/cacert.pem
-----BEGIN CERTIFICATE-----
MIIDxTCCAq2gAwIBAgIJALIzKeNrwx2lMA0GCSqGSIb3DQEBBQUAMHkxCzAJBgNV
BAYTAkpQMQswCQYDVQQIDAJUSzEMMAoGA1UEBwwDVEtLMQswCQYDVQQKDAJNVzEM
MAoGA1UECwwDb3BzMRwwGgYD
[snip]
Any help would be welcome.
--
William Leese
Production Engineer,
Operations, Asia Pacific
Meltwater Group
m: +81 80 4946 0329
skype: william.leese1
w: meltwater.com
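The second error in the post is NSS refusing the certificate as an "improperly formatted DER-encoded message", and the server.pem shown starts with a human-readable 'openssl x509 -text' dump before the PEM block. Whether that is the cause here is not established by the thread, but the check below is what I would run on a file before handing it to --external_cert_file: it flags any text outside the BEGIN/END lines, validates the base64 body, and confirms the outer DER SEQUENCE length matches the decoded size, then emits a bare PEM block. This is an added example, not code from the post, FreeIPA or Dogtag; the sample certificate is a constructed 5-byte DER stand-in, not a real certificate.

```python
import base64
import re
# Added example, not code from the post, FreeIPA or Dogtag.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def outer_der_length(der: bytes):
    """Parse the outer DER SEQUENCE header; return (declared_len, header_len) or None."""
    if len(der) < 2 or der[0] != 0x30:   # every X.509 certificate starts with SEQUENCE (0x30)
        return None
    if der[1] < 0x80:                    # short-form length
        return der[1], 2
    n = der[1] & 0x7F                    # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return int.from_bytes(der[2:2 + n], "big"), 2 + n

def check_cert_file(text: str) -> dict:
    """List what in a PEM file would make a strict PEM/DER reader (such as NSS) reject it."""
    m = PEM_RE.search(text)
    if not m:
        return {"ok": False, "issues": ["no CERTIFICATE block found"], "der": b""}
    issues = []
    if text[:m.start()].strip():
        issues.append("non-PEM text before the BEGIN line (e.g. an 'openssl x509 -text' dump)")
    if text[m.end():].strip():
        issues.append("non-PEM text after the END line")
    body = "".join(m.group(1).split())
    if not re.fullmatch(r"[A-Za-z0-9+/]*={0,2}", body) or len(body) % 4:
        issues.append("body is not valid base64 (truncated or edited?)")
        return {"ok": False, "issues": issues, "der": b""}
    der = base64.b64decode(body)
    hdr = outer_der_length(der)
    if hdr is None:
        issues.append("decoded bytes do not start with a DER SEQUENCE")
    elif hdr[0] + hdr[1] != len(der):
        issues.append(f"DER length mismatch: header says {hdr[0] + hdr[1]} bytes, file has {len(der)}")
    return {"ok": not issues, "issues": issues, "der": der}

def clean_pem(text: str) -> str:
    """Return only the first certificate block, re-wrapped at 64 columns."""
    body = "".join(PEM_RE.search(text).group(1).split())
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

# Constructed stand-in: a 5-byte DER SEQUENCE{INTEGER 1}, not a real certificate, wrapped
# in the same kind of human-readable preamble the post's 'cat /root/server.pem' shows.
FAKE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE = ("Certificate:\n    Data:\n        Version: 3 (0x2)\n"
          "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n")
```

Run check_cert_file on the real server.pem and cacert.pem; if it only reports the preamble, clean_pem gives the file to pass to the installer.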