[Freeipa-users] IPA with external CA signed certs

James Masson james.masson at jmips.co.uk
Thu Nov 12 13:01:28 UTC 2015



On 30/10/15 13:52, Rob Crittenden wrote:
> James Masson wrote:
>>
>>
>> On 26/10/15 16:11, Martin Kosek wrote:
>>> On 10/26/2015 04:05 PM, James Masson wrote:
>>>>
>>>>
>>>> On 19/10/15 21:06, Rob Crittenden wrote:
>>>>> James Masson wrote:
>>>>>>
>>>>>> Hi list,
>>>>>>
>>>>>> I successfully have IPA working with CA certs signed by an upstream
>>>>>> Dogtag.
>>>>>>
>>>>>> Now I'm trying to use a CA cert signed by a different type of CA -
>>>>>> Vault.
>>>>>>
>>>>>> Setup fails, using the same 2 step IPA setup process as used with
>>>>>> upstream Dogtag. I've also tried the external-ca-type option.
>>>>>>
>>>>>> Likely, IPA doesn't like the certificate - however, I can't
>>>>>> pinpoint why.
>>>>>
>>>>> I'm guessing you don't include the entire CA certchain of Vault. Dogtag
>>>>> is failing to startup because it can't verify its own cert chain:
>>>>>
>>>>> 0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
>>>>> CAPresence:  CA is present
>>>>> 0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
>>>>> SystemCertsVerification: system certs verification failure
>>>>> 0.localhost-startStop-1 - [15/Oct/2015:14:39:27 UTC] [20] [1]
>>>>> SelfTestSubsystem: The CRITICAL self test plugin called
>>>>> selftests.container.instance.SystemCertsVerification running at startup
>>>>> FAILED!
>>>>>
>>>>> rob
>>>>>
>>>>
>>>>
>>>> Hi Rob,
>>>>
>>>> Thanks for the reply.
>>>>
>>>> I do present the IPA installer with both the CA and the IPA cert - the IPA's
>>>> python-based install code is happy with the cert chain, but the Java-based
>>>> dogtag code chokes on it.
>>>>
>>>> OpenSSL is happy with it too.
>>>>
>>>> #####
>>>> [root at foo ~]# openssl verify ipa.crt
>>>> ipa.crt: O = LOCAL, CN = Certificate Authority
>>>> error 20 at 0 depth lookup:unable to get local issuer certificate
>>>>
>>>> [root at foo ~]# openssl verify -CAfile vaultca.crt ipa.crt
>>>> ipa.crt: OK
>>>> ###
>>>>
>>>> Any hints on how to reproduce this with more debug output? I'd like to know
>>>> exactly what Dogtag doesn't like about the certificate.
>>>>
>>>> thanks
>>>>
>>>> James M
>>>
>>> Let me CC at least Jan Ch. and David, they may be able to help and should also
>>> make sure FreeIPA gets better in validating the certs, as appropriate.
>>>
>>
>> Any thoughts guys?
>
> I cc'd one of the dogtag guys to see if he knows.
>
> You might also try using certutil to validate the certificates, it might
> give you some hints to what is going on.
>
> I'm assuming your certdb (it can vary by version) is in
> /var/lib/pki/pki-tomcat/alias
>
> certutil -L -d /var/lib/pki/pki-tomcat/alias will give you the list of
> certificates installed. You can verify each one to see what is going on.
> The -u flag specifies usage. See the certutil man page for a full set of
> options.
>
> For example:
>
> # certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n 'auditSigningCert cert-pki-ca'
> certutil: certificate is valid
>
> rob
>

Hi All,

I've created a ticket to track this

https://fedorahosted.org/pki/ticket/1697

Rob - certutil output:

Some certificate types seem not to be approved. Not sure if this is a red herring.

##############
[root at foo ~]# certutil -L -d /var/lib/pki/pki-tomcat/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
root.com                                                     CT,c,
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
[root at foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca'
certutil: certificate is valid
[root at foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n 'root.com'
certutil: certificate is invalid: Certificate type not approved for application.
[root at foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n 'ocspSigningCert cert-pki-ca'
certutil: certificate is invalid: Certificate type not approved for application.
[root at foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca'
certutil: certificate is valid
[root at foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n 'Server-Cert cert-pki-ca'
certutil: certificate is invalid: Certificate type not approved for application.
[root at foo ~]# certutil -V -u C -d /var/lib/pki/pki-tomcat/alias -n 'auditSigningCert cert-pki-ca'
certutil: certificate is valid
#############

regards

James M
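As an added example (not code from the thread or from the Dogtag/FreeIPA projects): `certutil -V` tests one usage at a time, so a certificate that is valid for its own role can still report "Certificate type not approved for application" under a usage it was never issued for. The script below checks each nickname in the Dogtag NSS database against the usage letter that matches its role; the nickname-to-usage mapping is an assumption built from the nicknames in this thread, the usage letters are taken from the certutil(1) man page, and the embedded listing is a constructed copy of the thread's output so the parser can be run offline.

```shell
# Added example: verify each cert in a Dogtag NSS database under the certutil
# usage letter for its role (letters per certutil(1); mapping below is assumed).
usage_for_nick() {
  case "$1" in
    caSigningCert*)    echo L ;;  # SSL CA
    ocspSigningCert*)  echo O ;;  # OCSP status responder
    Server-Cert*)      echo V ;;  # SSL server
    subsystemCert*)    echo C ;;  # SSL client
    auditSigningCert*) echo J ;;  # object signer
    *)                 echo A ;;  # any CA (imported roots such as root.com)
  esac
}

# Read 'certutil -L' output on stdin and print one nickname per line: data rows
# end in a trust triple like 'CTu,Cu,Cu' or 'u,u,Pu', the header lines do not.
nicknames_from_listing() {
  awk '$NF ~ /^[CTPcup]*,[CTPcup]*,[CTPcup]*$/ { $NF = ""; sub(/[ \t]+$/, ""); print }'
}

# Verify every certificate in database $1 under its own usage; one line per
# nickname, non-zero status if any check fails (the subshell's exit sets it).
verify_db() {
  certutil -L -d "$1" | nicknames_from_listing | (
    rc=0
    while IFS= read -r nick; do
      u=$(usage_for_nick "$nick")
      if out=$(certutil -V -u "$u" -d "$1" -n "$nick" 2>&1); then
        printf '%-30s -u %s: %s\n' "$nick" "$u" "$out"
      else
        printf '%-30s -u %s: FAILED: %s\n' "$nick" "$u" "$out"; rc=1
      fi
    done
    exit "$rc"
  )
}

# Constructed listing in the shape of the thread's output, for offline runs.
SAMPLE_LISTING='Certificate Nickname                Trust Attributes
                                    SSL,S/MIME,JAR/XPI
caSigningCert cert-pki-ca           CTu,Cu,Cu
root.com                            CT,c,
ocspSigningCert cert-pki-ca         u,u,u
subsystemCert cert-pki-ca           u,u,u
Server-Cert cert-pki-ca             u,u,u
auditSigningCert cert-pki-ca        u,u,Pu'

# Stand-alone: use the real database when certutil and the DB exist, else parse the sample.
db=${CERTDB:-/var/lib/pki/pki-tomcat/alias}
if command -v certutil >/dev/null 2>&1 && [ -d "$db" ]; then verify_db "$db"
else printf '%s\n' "$SAMPLE_LISTING" | nicknames_from_listing; fi
```

Set `CERTDB` to point the script at a different NSS database; a failure reported under a certificate's own usage letter is the one worth chasing, the others are expected.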