[Freeipa-users] Installation issues with sub-ca.

Rob Crittenden rcritten at redhat.com
Thu Nov 14 13:56:52 UTC 2013


Andrea Bontempi wrote:
>> This is incorrect. To validate a certificate you only need the CA public
>> keys, not the private ones. Only having the ipa-ca-agent key is right.
>> This is a temporary database, not the CA database. We are using this
>> cert to request some information about itself from the CA in this case.
>
> You're right, I thought that the script used a temporary db to create the final database, but it's only to connect with sslget.
>
>> I think there is an issue with one of the CA certs but I've yet to
>> duplicate it or identify what is wrong. I'm still waiting on word back
>> from one of the NSS devs.
>
>
> I did some tests: The error occurs when I use a CA managed by EJBCA, if I use a CA generated by openssl or nss everything works properly.
>
> The problem is that I can't reproduce the bug in an external nss db... but maybe I don't follow the same steps that the installation script uses.

The problem has to do with the encoding of the subject and issuer fields.

The issue is that one is encoded as a UTF8String and the other is
encoded as a PrintableString. This makes the binary derSubject and
derIssuer fields different, and NSS does not like derSubject and
derIssuer fields that are different.

Server's raw DER issuer:
   30 35 31 13 30 11 06 03 02 05 04 10 55 04 0a 13   <-- note the 0x13 -> 0x0c change here
   0a 44 42 4d 53 52 4c 2e 43 4f 4d 31 1e 30 1c 06
   03 02 05 04 03 55 04 03 13 15 43 65 72 74 69 66
   69 63 61 74 65 20 41 75 74 68 6f 72 69 74 79

Issuer's raw DER subject:
   30 35 31 13 30 11 06 03 02 05 04 10 55 04 0a 0c   <-- 0x0c (UTF8String) instead of 0x13 (PrintableString)
   0a 44 42 4d 53 52 4c 2e 43 4f 4d 31 1e 30 1c 06
   03 02 05 04 03 55 04 03 0c 15 43 65 72 74 69 66
   69 63 61 74 65 20 41 75 74 68 6f 72 69 74 79

The NSS dev suggested issuing a new intermediate certificate using a 
PrintableString for the subject and keeping everything else the same. 
The problem is that this intermediate cert is issued by dogtag and I'm 
not sure if we have that level of control.

You can't restart a failed install, and if you try it again you'll end 
up with the same problem.

I've cc'd a dogtag developer to see if this can be handled via the 
profiles that dogtag uses to generate certificates.

rob
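The encoding mismatch Rob describes can be reproduced without NSS or dogtag. The script below is an added example, not code from this thread, FreeIPA, NSS or dogtag: it DER-encodes the CA name from the hex dumps above (O=DBMSRL.COM, CN=Certificate Authority) once with PrintableString (tag 0x13) and once with UTF8String (tag 0x0c), reports every byte offset where the two encodings differ (the post annotates only the first, but the CN value carries a second one), and contrasts a byte-exact derIssuer == derSubject check, which is what the post says NSS does, with a comparison of the decoded attribute values. It also shows why the NSS developer's suggestion works: re-encoding the subject with PrintableString makes the bytes identical again. The encoder and parser are deliberately minimal (short-form lengths, one attribute per RDN, no RFC 5280 section 7.1 stringprep normalisation); those simplifications are assumptions made for this example.

```python
"""Added example (not from the post, FreeIPA, NSS or dogtag): why a
PrintableString/UTF8String mismatch breaks a byte-exact issuer/subject check.
Assumptions: short-form DER lengths, one AttributeTypeAndValue per RDN."""
from typing import List, Tuple

PRINTABLE_STRING = 0x13
UTF8_STRING = 0x0C
SEQUENCE, SET, OID = 0x30, 0x31, 0x06
OID_O = bytes.fromhex("55040a")   # id-at-organizationName 2.5.4.10
OID_CN = bytes.fromhex("550403")  # id-at-commonName       2.5.4.3

# Constructed input: the CA name visible in the post's hex dumps.
CA_NAME: List[Tuple[bytes, str]] = [
    (OID_O, "DBMSRL.COM"),
    (OID_CN, "Certificate Authority"),
]


def tlv(tag: int, content: bytes) -> bytes:
    """DER tag-length-value with a short-form length (assumption: < 128 bytes)."""
    if len(content) >= 128:
        raise ValueError("long-form lengths are not handled in this example")
    return bytes([tag, len(content)]) + content


def encode_name(attrs: List[Tuple[bytes, str]], string_tag: int) -> bytes:
    """Encode an X.501 Name (RDNSequence), tagging every value as `string_tag`."""
    rdns = b"".join(
        tlv(SET, tlv(SEQUENCE, tlv(OID, oid) + tlv(string_tag, value.encode("utf-8"))))
        for oid, value in attrs
    )
    return tlv(SEQUENCE, rdns)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, position just after the element)."""
    tag, length = buf[pos], buf[pos + 1]
    if length >= 128:
        raise ValueError("long-form lengths are not handled in this example")
    start = pos + 2
    return tag, buf[start:start + length], start + length


def parse_name(der: bytes) -> List[Tuple[bytes, int, str]]:
    """Decode a Name into (attribute OID, string tag, decoded value) triples."""
    tag, body, end = _read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("not a single RDNSequence")
    out, pos = [], 0
    while pos < len(body):
        set_tag, rdn, pos = _read_tlv(body, pos)
        seq_tag, atv, atv_end = _read_tlv(rdn, 0)
        if set_tag != SET or seq_tag != SEQUENCE or atv_end != len(rdn):
            raise ValueError("unexpected RDN structure")
        oid_tag, oid, p = _read_tlv(atv, 0)
        val_tag, val, p = _read_tlv(atv, p)
        if oid_tag != OID or p != len(atv):
            raise ValueError("unexpected AttributeTypeAndValue structure")
        out.append((oid, val_tag, val.decode("utf-8")))
    return out


def nss_style_match(issuer_der: bytes, subject_der: bytes) -> bool:
    """The check the post attributes to NSS: the raw DER must be identical."""
    return issuer_der == subject_der


def value_match(issuer_der: bytes, subject_der: bytes) -> bool:
    """Compare attribute types and decoded values, ignoring the string tag.
    Simplified: not the full RFC 5280 section 7.1 stringprep comparison."""
    def strip_tags(name: bytes) -> List[Tuple[bytes, str]]:
        return [(oid, val) for oid, _tag, val in parse_name(name)]
    return strip_tags(issuer_der) == strip_tags(subject_der)


def diff_offsets(a: bytes, b: bytes) -> List[int]:
    """Byte offsets at which two equal-length encodings differ."""
    if len(a) != len(b):
        raise ValueError("encodings differ in length")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


# The situation in the thread: the sub-CA certificate's issuer field was
# written with PrintableString, the CA's own subject with UTF8String.
ISSUER_IN_SUBCA_CERT = encode_name(CA_NAME, PRINTABLE_STRING)
SUBJECT_IN_CA_CERT = encode_name(CA_NAME, UTF8_STRING)
# The NSS developer's suggestion: reissue so both sides use PrintableString.
REISSUED_SUBJECT = encode_name(CA_NAME, PRINTABLE_STRING)

if __name__ == "__main__":
    for label, der in (("issuer", ISSUER_IN_SUBCA_CERT), ("subject", SUBJECT_IN_CA_CERT)):
        rows = [" ".join(f"{b:02x}" for b in der[i:i + 16]) for i in range(0, len(der), 16)]
        print(f"{label}:\n   " + "\n   ".join(rows))
    print("differing offsets:", diff_offsets(ISSUER_IN_SUBCA_CERT, SUBJECT_IN_CA_CERT))
    print("byte-exact match:", nss_style_match(ISSUER_IN_SUBCA_CERT, SUBJECT_IN_CA_CERT))
    print("value match:", value_match(ISSUER_IN_SUBCA_CERT, SUBJECT_IN_CA_CERT))
    print("after reissue, byte-exact:", nss_style_match(ISSUER_IN_SUBCA_CERT, REISSUED_SUBJECT))
```

Running it prints the same two dumps as the post (minus whatever garbled the OID bytes in the e-mail) and reports differences at offsets 11 and 32, the O and CN value tags. To check a real pair of certificates the same way, compare the `issuer` bytes of the child against the `subject` bytes of the parent from `openssl asn1parse -i -in cert.pem` rather than the printed text forms, which hide the string type.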
