[Freeipa-users] ipa-server-install ERROR: IPA CA certificate not found in ...

Zarko Dudic zarko.dudic at oracle.com
Tue Aug 16 18:00:19 UTC 2016


Thanks Rob. This command creates the CSR.

# ipa-server-install --subject 'OU=CorpArch,O=Corporation,L=Town,ST=California,C=US' --external-ca

And verification with command :

# openssl req -in /root/ipa.csr -noout -text

... shows "Subject: C=US, ST=California, L=Town, O=Corporation, 
OU=CorpArch, CN=Certificate Authority"

Since the CN is unconfigurable, how is it expected to be signed by a 3rd-party 
external CA? They usually want to see an FQDN.

Can you please provide more details (or ref URL) about "right CA 
extensions". Thanks in advance.


On 8/16/2016 9:04 AM, Rob Crittenden wrote:
> Zarko Dudic wrote:
>>
>> Hi all,
>>
>> I have the problem to install FreeIPA 4.2.0-15.0.1.el7_2.17.x86_64 with
>> External CA as the Root CA. Here are details.
>>
>> 1) Run "ipa-server-install --external-ca", and send .csr to be signed by
>> External CA, but VeriSign rejects signing this since info like
>> Organization, OU, L, ST, C are missing.
>
> I seriously doubt Verisign will issue this certificate regardless of 
> format. Don't confuse a CA signing certificate with a server certificate.
>
> But who knows. Try the --subject-base option to ipa-server-install but 
> note that the CN is currently unconfigurable, it will always be 
> cn=Certificate Authority.
>
>> 2) Okay, so I try this workaround, create cert request manually with
>> command:
>>
>>       # certutil -R -d /tmp -a -g 2048 -s
>> 'CN=<fqdn>,OU=<some-ou>,O=<company>,L=<town>,ST=California,C=US'
>
> This will never work. Besides the fact that you didn't request a 
> certificate with the right CA extensions, the private key that 
> generated the CSR is now in a place that dogtag will never find it. 
> This is unrelated to the error below but it would blow up eventually.
>
>> 3) I verify request via
>> https://cryptoreport.websecurity.symantec.com/checker/views/csrCheck.jsp
>> (looks good)
>>
>> 4) Now VeriSign accepts .csr and I receive the certificate (.cer file)
>> via email.
>>
>> 5) I also download two additional certs for the trust chain, one is
>> VeriSign's public primary root CA and the second one is the Company's
>> intermediate CA, both (.pem files)
>>
>> 6) Now the problem begins, run the command:
>>
>>     # ipa-server-install --external-cert-file=/tmp/freeipa.cer
>> --external-cert-file=/tmp/Company_CA_G2.pem
>> --external-cert-file=/tmp/VeriSign_Root_CA.pem -vv
>
> If memory serves IPA knows what the subject of its CA should look 
> like (remember subject-base?) and it isn't finding it and blowing up.
>
> rob
>

-- 
Thanks,
Zarko
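
Added example, not from this thread and not FreeIPA or Dogtag code: a small POSIX shell script showing what "the right CA extensions" look like in a CSR (basicConstraints CA:TRUE plus keyUsage keyCertSign and cRLSign, which a server-style CSR lacks) and a check function you can point at /root/ipa.csr, using the same `openssl req -noout -text` command quoted above. The config file contents, file names, the ipa.example.test hostname and the WORK directory are illustrative assumptions. The key generated here is a throwaway for the demonstration; it is not a substitute for the CSR produced by ipa-server-install --external-ca, since, as Rob points out, the key has to stay where Dogtag keeps it.

```sh
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/Dogtag.
# Shows a CSR that carries CA extensions and a check for them.
# Assumes `openssl` is on PATH. The key made here is throwaway; for IPA,
# the CSR must come from `ipa-server-install --external-ca`, and only
# check_ca_csr is meant to be run against /root/ipa.csr.

WORK="${WORK:-$(mktemp -d)}"   # scratch dir (assumption: writable tmp)

# Request config asking for the extensions a CA signing cert needs.
# The subject mirrors the one in the thread, including the fixed CN.
write_ca_req_config() {
  cat > "$WORK/ca_req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions     = ca_ext
prompt             = no

[ dn ]
C  = US
ST = California
L  = Town
O  = Corporation
OU = CorpArch
CN = Certificate Authority

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
}

# A plain server-style request for contrast: hostname CN, no extensions.
write_server_req_config() {
  cat > "$WORK/server_req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no

[ dn ]
CN = ipa.example.test
EOF
}

# make_ca_csr: writes $WORK/ca.csr (and a throwaway key) with CA extensions.
make_ca_csr() {
  write_ca_req_config
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
      -config "$WORK/ca_req.cnf" -out "$WORK/ca.csr" 2>/dev/null
}

# make_server_csr: writes $WORK/server.csr, the kind of CSR a CA would
# treat as a server request, not a subordinate CA request.
make_server_csr() {
  write_server_req_config
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
      -config "$WORK/server_req.cnf" -out "$WORK/server.csr" 2>/dev/null
}

# check_ca_csr CSR: returns 0 only if the request carries
# basicConstraints CA:TRUE, keyUsage keyCertSign, and the CN IPA expects.
# Each missing item is reported on stderr. Works with the `openssl req
# -text` layout of both OpenSSL 1.x ("CN=...") and 3.x ("CN = ...").
check_ca_csr() {
  txt=$(openssl req -in "$1" -noout -text 2>/dev/null) || return 1
  ok=0
  echo "$txt" | grep -q 'CA:TRUE' \
      || { echo "$1: no basicConstraints CA:TRUE" >&2; ok=1; }
  echo "$txt" | grep -q 'Certificate Sign' \
      || { echo "$1: no keyUsage keyCertSign" >&2; ok=1; }
  echo "$txt" | grep -q 'CN *= *Certificate Authority' \
      || { echo "$1: CN is not 'Certificate Authority'" >&2; ok=1; }
  return $ok
}

# Usage:
#   . ./ca_csr_check.sh; make_ca_csr; check_ca_csr "$WORK/ca.csr"
#   check_ca_csr /root/ipa.csr     # the request ipa-server-install wrote
```

Run check_ca_csr against the CSR that ipa-server-install wrote before sending it to the external CA; if the CA extensions are absent the external CA will either refuse the request or, worse, issue a leaf certificate that IPA cannot use as its CA. The server-style request in the script is there only to show the check failing on the kind of CSR the hand-made certutil request in the thread produced.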