[Freeipa-users] Globalsign External CA Certificate Import Failure

Dmitri Pal dpal at redhat.com
Fri Jan 3 21:26:21 UTC 2014


On 01/03/2014 04:13 PM, James Scollard wrote:
> Thanks for the reply,
>
> Version:
>
> Package freeipa-server-3.3.3-2.fc19.x86_64 already installed and
> latest version...
>
> I'm not sure I understand the answer.
>
> I created the CSR and they signed it using their automation, and
> returned the new ones to me for installation, which failed.
> SUN.WEATHER.COM is a valid Kerberos domain name, but not a valid O=. 
> The node itself is xxxxx.sun.weather.com, we have a wildcard
> certificate for sun.weather.com, and this domain controller needs the
> certificate for the domain for setup to complete.

I think what Rob was trying to say is that a wildcard certificate does
not make sense for IPA as a server. AFAIU you are trying to chain to an
external CA to become a sub CA. I would leave it to the European team to
reply on Monday morning in more detail.

In 3.3 a new feature was added to allow installing IPA using a cert
provided by an external CA; maybe this is what you are looking for instead
of a sub CA? But again I would leave it till Monday for the European
team to provide more tech details on what is going wrong here.

Thanks
Dmitri

>
> What am I doing wrong here?
>
> On 1/3/14 3:58 PM, Rob Crittenden wrote:
>> James Scollard wrote:
>>> When attempting to run the second part of the installation with an
>>> external CA (Globalsign) using my signed certificate and CA certificate
>>> chain I get the following;
>>>
>>> [root at ldapm6x00 ~]# ipa-server-install
>>> --external_cert_file=/root/ldapm6x00.sun.weather.com.crt
>>> --external_ca_file=/root/sun.weather.com.crt
>>>
>>> The log file for this installation can be found in
>>> /var/log/ipaserver-install.log
>>> Directory Manager password:
>>>
>>> Subject of the external certificate is not correct (got
>>> CN=*.sun.weather.com,O=The Weather Channel Interactive\,
>>> Inc,L=Atlanta,ST=Georgia,C=US, expected CN=Certificate
>>> Authority,O=SUN.WEATHER.COM).
>>>
>>> CN= and O= are correct, so why is IPA refusing to use the certificate?
>>> It appears to be expecting bogus data instead of using the provided
>>> identity.  This doesn't appear to be an issue with the certificate,
>>> although I have never installed FreeIPA with a Globalsign
>>> certificate. I
>>> did not see this problem with Network Solutions wildcard certificates
>>> though.  Any suggestions would be appreciated.
>>
>> This isn't related to the external CA, it just can't modify the
>> subject of the IPA CA, which it did in this case. I'm not even
>> entirely sure what it would mean to have the CA certificate itself be
>> a wildcard cert. Doesn't seem to be a valid use-case though.
>>
>> Looks like this validation was added in v3.
>>
>> rob
>>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

