[Freeipa-users] Globalsign External CA Certificate Import Failure
Jan Cholasta
jcholast at redhat.com
Mon Jan 6 09:09:38 UTC 2014
Hi,
On 3.1.2014 22:13, James Scollard wrote:
> Thanks for the reply,
>
> Version:
>
> Package freeipa-server-3.3.3-2.fc19.x86_64 already installed and latest
> version...
>
> I'm not sure I understand the answer.
>
> I created the CSR and they signed it using their automation, and
> returned the new ones to me for installation, which failed.
> SUN.WEATHER.COM is a valid Kerberos domain name, but not a valid O=. The
> node itself is xxxxx.sun.weather.com, we have a wildcard certificate for
> sun.weather.com, and this domain controller needs the certificate for
> the domain for setup to complete.
>
> What am I doing wrong here?
I sense some confusion about ipa-server-install options here. You use a
wildcard server certificate as IPA's CA certificate, which is obviously
not correct. It seems to me you are trying to do one of the following:
a) Set up IPA using your own server certificate. This is achieved
using the --*_pkcs12 options.
You must create a PKCS#12 file with the certificate and its private
key in order to do this. Assuming you save the PKCS#12 file to
/root/ldapm6x00.sun.weather.com.p12, the command line should look
something like:
# ipa-server-install \
--dirsrv_pkcs12=/root/ldapm6x00.sun.weather.com.p12 \
--http_pkcs12=/root/ldapm6x00.sun.weather.com.p12 \
--root-ca-file=/root/sun.weather.com.crt
b) Set up IPA including an IPA-managed CA, with the CA being a
subordinate of some external CA. This is where you should use the
--external* options.
First run ipa-server-install with --external-ca, which will create
a CSR for the IPA CA certificate in /root/ipa.csr. Then sign the CSR with
the external CA to get the IPA CA certificate. Finally, run
ipa-server-install with --external_cert_file pointing to the IPA CA
certificate and --external_ca_file pointing to the CA certificate of the
external CA.
>
> On 1/3/14 3:58 PM, Rob Crittenden wrote:
>> James Scollard wrote:
>>> When attempting to run the second part of the installation with an
>>> external CA (Globalsign) using my signed certificate and CA certificate
>>> chain I get the following;
>>>
>>> [root at ldapm6x00 ~]# ipa-server-install
>>> --external_cert_file=/root/ldapm6x00.sun.weather.com.crt
>>> --external_ca_file=/root/sun.weather.com.crt
>>>
>>> The log file for this installation can be found in
>>> /var/log/ipaserver-install.log
>>> Directory Manager password:
>>>
>>> Subject of the external certificate is not correct (got
>>> CN=*.sun.weather.com,O=The Weather Channel Interactive\,
>>> Inc,L=Atlanta,ST=Georgia,C=US, expected CN=Certificate
>>> Authority,O=SUN.WEATHER.COM).
>>>
>>> CN= and O= are correct, so why is IPA refusing to use the certificate?
>>> It appears to be expecting bogus data instead of using the provided
>>> identity. This doesn't appear to be an issue with the certificate,
>>> although I have never installed FreeIPA with a Globalsign certificate. I
>>> did not see this problem with Network Solutions wildcard certificates
>>> though. Any suggestions would be appreciated.
>>
>> This isn't related to the external CA, it just can't modify the
>> subject of the IPA CA, which it did in this case. I'm not even
>> entirely sure what it would mean to have the CA certificate itself be
>> a wildcard cert. Doesn't seem to be a valid use-case though.
>>
>> Looks like this validation was added in v3.
>>
>> rob
>>
>
Honza
--
Jan Cholasta
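The two installation paths above can be checked before ipa-server-install is ever run, which would have surfaced the subject mismatch in this thread early. The following is an added example script, not code from the thread or from the FreeIPA project; it assumes the openssl command-line tool is installed, and all file paths, realm names and the PKCS#12 password are placeholders. It prints a certificate's subject in the same RFC 2253 form the installer's error message uses, compares it with the "CN=Certificate Authority,O=<REALM>" subject the installer expects for its CA certificate (path b), checks whether the certificate is a CA certificate at all, and builds and verifies the PKCS#12 bundle that the --dirsrv_pkcs12/--http_pkcs12 options consume (path a).

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the FreeIPA project).
# Assumes the openssl CLI; every path, realm and password here is a placeholder.
set -eu

# Print a PEM certificate's subject as a single RFC 2253 line, e.g.
# "CN=Certificate Authority,O=SUN.WEATHER.COM". This is the same order
# and escaping that ipa-server-install shows in its "Subject of the
# external certificate is not correct" message, so the two compare directly.
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Path b: the certificate returned by the external CA must carry exactly the
# subject the installer put into /root/ipa.csr, i.e.
# CN=Certificate Authority,O=<Kerberos realm>. Returns 0 on match, 1 otherwise.
check_ipa_ca_subject() {
    cert="$1"
    realm="$2"
    expected="CN=Certificate Authority,O=${realm}"
    got=$(cert_subject "$cert")
    if [ "$got" = "$expected" ]; then
        echo "ok: $cert has the expected IPA CA subject ($expected)"
        return 0
    fi
    echo "mismatch: got '$got', expected '$expected'" >&2
    return 1
}

# A server (wildcard) certificate normally has no CA:TRUE basic constraint,
# so it can never act as the IPA CA certificate regardless of its subject.
# Returns 0 if the certificate is marked as a CA, 1 otherwise.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Path a: bundle a server certificate and its private key into the PKCS#12
# file handed to --dirsrv_pkcs12 / --http_pkcs12, then verify the bundle
# opens with the chosen password before giving it to the installer.
make_pkcs12() {
    cert="$1"
    key="$2"
    out="$3"
    pass="$4"
    openssl pkcs12 -export -in "$cert" -inkey "$key" -out "$out" -passout "pass:$pass"
    openssl pkcs12 -in "$out" -passin "pass:$pass" -noout -info >/dev/null 2>&1
}

# Usage (placeholder paths):
#   check_ipa_ca_subject /root/ipa-ca.crt SUN.WEATHER.COM && is_ca_cert /root/ipa-ca.crt
#   make_pkcs12 /root/server.crt /root/server.key /root/server.p12 'changeme'
```

Run the subject check against the certificate the external CA actually returned; if it reports a mismatch, the CA signed something other than /root/ipa.csr (or rewrote the subject), and the fix is on the CA side, not in the installer options. A wildcard certificate that fails both checks belongs in the PKCS#12 bundle for path a instead.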