[Freeipa-users] External CA

Rob Crittenden rcritten at redhat.com
Wed Nov 6 13:50:23 UTC 2013


William Leese wrote:
> Hi,
>
> Trying to install freeIPA and have it a sub-ca of an existing one. Sadly
> I'm not getting anywhere.
>
> The version I have installed:
> ipa-server-3.0.0-26.el6_4.4.x86_64
>
> This is what I run:
>
> ipa-server-install -U -a testtest -p testtest
>   --external_cert_file=/root/server.pem
>   --external_ca_file=/root/cacert.pem -p testtest  -P testtest   -r
> MELTWATER.COM
>
> Which runs this as part of the process:
>
> /usr/bin/pkisilent ConfigureCA -cs_hostname
> vagrant-centos-6.meltwater.com
> -cs_port 9445 -client_certdb_dir /tmp/tmp-bOrwSu -client_certdb_pwd
> testtest -preop_pin 4hdia3IvPvf27Qo7kBbO -domain_name IPA -admin_user
> admin -admin_email root at localhost -admin_password testtest -agent_name
> ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa
> -agent_cert_subject CN=ipa-ca-agent,O=MELTWATER.COM
> -ldap_host vagrant-centos-6.meltwater.com
> -ldap_port 7389 -bind_dn
> cn="Directory Manager" -bind_password testtest -base_dn o=ipaca -db_name
> ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA
> -save_p12 true -backup_pwd testtest -subsystem_name pki-cad -token_name
> internal -ca_subsystem_cert_subject_name "CN=CA
> Subsystem,O=MELTWATER.COM"
> -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=MELTWATER.COM"
> -ca_ocsp_cert_subject_name "CN=OCSP
> Subsystem,O=MELTWATER.COM"
> -ca_server_cert_subject_name CN=vagrant-centos-6.meltwater.com,O=MELTWATER.COM
> -ca_audit_signing_cert_subject_name "CN=CA
> Audit,O=MELTWATER.COM" -ca_sign_cert_subject_name
> "CN=Certificate Authority,O=MELTWATER.COM"
> -external true -ext_ca_cert_file /root/server.pem
> -ext_ca_cert_chain_file /root/cacert.pem
>
> All this results in this in the log:
>    <errorString>Failed to create pkcs12 file.</errorString>
> [snip]
> Error in BackupPanel(): updateStatus value is null
> ERROR: ConfigureCA: BackupPanel() failure
> ERROR: unable to create CA
>
> Interestingly adding the option -save_p12 false to the pkisilent command
> above results in:
>
> importCert string: importing with nickname: ipa-ca-agent
> Already logged into to DB
> ERROR:exception importing cert Security library failed to decode
> certificate package: (-8183) security library: improperly formatted
> DER-encoded message.
> ERROR: AdminCertImportPanel() during cert import
> ERROR: ConfigureCA: AdminCertImportPanel() failure
> ERROR: unable to create CA
>
> While the option change seemed innocent, I honestly don't know if it's
> crucial to the install or not. Anyhow, things don't really progress anyway.
>
> I followed the documentation by signing the /root/ipa.csr with a test,
> internal CA but somehow I can't get the install to proceed.
>
> [root at vagrant-centos-6 CA]# cat /root/server.pem
> Certificate:
>      Data:
>          Version: 3 (0x2)
>          Serial Number: 2 (0x2)
>          Signature Algorithm: sha1WithRSAEncryption
>          Issuer: C=JP, ST=TK, L=TKK, O=MW, OU=ops,
> CN=vagrant.localdomain/emailAddress=t at t.com
>          Validity
>              Not Before: Nov  6 05:12:09 2013 GMT
>              Not After : Nov  6 05:12:09 2014 GMT
>          Subject: O=MELTWATER.COM, CN=Certificate
> Authority
> [snip]
> -----BEGIN CERTIFICATE-----
> MIIDfDCCAmSgAwIBAgIBAjANBgkqhkiG9w0BAQUFADB5MQswCQYDVQQGEwJKUDEL
> MAkGA1UECAwCVEsxDDAKBgNVBAcMA1RLSzELMAkGA1UECgwCTVcxDDAKBgNVBAsM
> A29wczEcMBoGA1UEAwwTdmFncmFudC5sb2NhbGRvbWFpbjEWMBQGCSqGSIb3DQEJ
> [snip]
>
> [root at vagrant-centos-6 CA]# cat /root/cacert.pem
> -----BEGIN CERTIFICATE-----
> MIIDxTCCAq2gAwIBAgIJALIzKeNrwx2lMA0GCSqGSIb3DQEBBQUAMHkxCzAJBgNV
> BAYTAkpQMQswCQYDVQQIDAJUSzEMMAoGA1UEBwwDVEtLMQswCQYDVQQKDAJNVzEM
> MAoGA1UECwwDb3BzMRwwGgYD
> [snip]
>
> Any help would be welcome.

I'd look in /var/log/pki-ca/debug for additional error information.

rob
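An added sanity check, not part of the thread, that can be run over files like /root/server.pem and /root/cacert.pem before retrying an external-CA install: it reports anything outside the PEM armour (server.pem above carries a human-readable certificate dump ahead of the BEGIN CERTIFICATE line), confirms the base64 decodes, and checks that the outer DER SEQUENCE length matches the decoded bytes. The sample inputs are constructed and are not real certificates.

```python
import base64
import re

# One PEM block: label, then base64 body between the BEGIN/END armour lines.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def der_outer_length(der: bytes):
    """Return (header_len, content_len) of the outer DER TLV; raise ValueError if malformed."""
    if len(der) < 2 or der[0] != 0x30:          # an X.509 Certificate is a SEQUENCE
        raise ValueError("outer element is not a SEQUENCE")
    first = der[1]
    if first < 0x80:                             # short-form length
        return 2, first
    n = first & 0x7F                             # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("bad long-form length octet")
    return 2 + n, int.from_bytes(der[2:2 + n], "big")

def check_pem_file(text: str) -> list:
    """Return a list of problems found in a PEM file; an empty list means it looks clean."""
    problems = []
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        return ["no PEM block found"]
    # Text outside the armour (e.g. an `openssl x509 -text` dump) is not part of the certificate.
    leftover = PEM_BLOCK.sub("", text).strip()
    if leftover:
        problems.append(f"text outside the PEM armour: {leftover[:30]!r}")
    for label, body in blocks:
        if label != "CERTIFICATE":
            problems.append(f"unexpected PEM label {label!r}")
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
            header_len, content_len = der_outer_length(der)
        except ValueError as err:                # binascii.Error is a ValueError
            problems.append(f"DER decode failed: {err}")
            continue
        if header_len + content_len != len(der):
            problems.append(f"DER length mismatch: header says {content_len} bytes, "
                            f"got {len(der) - header_len} (truncated or padded?)")
    return problems

# Constructed samples: the body is a tiny hand-made SEQUENCE { INTEGER 5 }, not a real cert.
CLEAN_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
TEXT_DUMP_PEM = "Certificate:\n    Data:\n        Version: 3 (0x2)\n" + CLEAN_PEM
TRUNCATED_PEM = "-----BEGIN CERTIFICATE-----\nMAMC\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for name, sample in [("clean", CLEAN_PEM), ("text-dump", TEXT_DUMP_PEM), ("truncated", TRUNCATED_PEM)]:
        print(name, check_pem_file(sample) or "OK")
```

To use it on the real files, read each with `open(path).read()` and pass the text to `check_pem_file`.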
