[Freeipa-users] ipa-cert-agent, Object Signing Cert certificate renewal
Rob Crittenden
rcritten at redhat.com
Mon Aug 22 14:40:02 UTC 2016
Please keep responses on the list.
realstarhealer wrote:
> Hi Rob,
>
> setting back the date and restarting did not help, in fact it can't,
> because certmonger is not tracking these two by default.
>
> Regarding the ipa-ca-agent Cert:
> I followed CVE-2015-5284 slightly to create a new valid ipa-ca-agent
> certificate.
You re-created the wrong cert. You need the cert with subject 'CN=IPA
RA,O=<REALM>' The RA agent (original serial # usually 7) and the CA
Agent (original serial # usually 6) have different purposes.
Were you affected by the CVE? I'm not sure why you'd try to replace it
in this way.
As for the tracking, you'd do something like this (untested b/c I don't
have a 4.1 install):
# getcert start-tracking -d /etc/httpd/alias -n ipaCert -p
/etc/httpd/alias/pwdfile.txt -c dogtag-ipa-ca-renew-agent -C renew_ra_cert
> Via pki cert-find --name 'ipa-ca-agent' I can now see both, the new and
> the expired.
> Via freeipa webui I can also See both.
> Via ldapsearch -D 'cn=Directory Manager' -W -b 'ou=people,o=ipaca' I see
> uid=admin using the old expired Cert ID.
>
> Is it sufficient to ldapmodify the new valid Cert to uid=admin to solve
> this? As far as I can See, it is the only place this Cert is used.
The instructions on the wiki at
https://www.freeipa.org/page/CVE-2015-5284 seem to confuse the RA agent
with the CA agent. I don't know the details of that CVE but someone
needs to revisit these docs. I'd prefer some clarity around SUBJECT, it
will always be CN=IPA RA,<BASE>
Similarly there is no need to update ca-agent.p12 file if the RA agent
cert is being replaced.
rob
>
> Greetings
> Vitali
>
>
> -------- Ursprüngliche Nachricht --------
> Von: Rob Crittenden <rcritten at redhat.com>
> Datum: 18.08.16 15:28 (GMT+01:00)
> An: realstarhealer <realstarhealer at hotmail.com>, freeipa-users at redhat.com
> Betreff: Re: [Freeipa-users] ipa-cert-agent, Object Signing Cert
> certificate renewal
>
> realstarhealer wrote:
>> Hi,
>>
>> I am in charge for a freeipa 4.1.0.18.el7 server with ldap backend and
>> noticed some expired certificates recently. Most of them but 2 are
>> auto-renewing by certmonger as I checked. All of them are self signed.
>>
>> "CN=ipa-ca-agent" and "CN=Object Signing Cert" are not subscribed by
>> certmonger, ipa-ca-agent expired some days ago and has not been renewed.
>> Second one expires soon. No consequences noticed so far.
>> Can you tell me what they both are for and - if needed - how I should
>> renew that separately? Preferable with certmonger. An Output how the
>> tracking config should look like would be nice.
>
> The object signing cert can probably be ignored. This was used to sign a
> jar file used to automatically configure Firefox but that approach
> doesn't work any more.
>
> The agent cert is used by IPA to communicate to dogtag so yeah, that's
> pretty important.
>
> Since it is expired you'd need to go back in time to renew it.
> Restarting the certmonger process is the simplest method to force it to
> try to renew.
>
> rob
More information about the Freeipa-users
mailing list