[Freeipa-users] DNS SubjectAltName missing in provisioned certificates
Martin Štefany
martin at stefany.eu
Sun Mar 27 19:14:47 UTC 2016
Hello,
I seem to be having some issues with the IPA CA feature not generating
certificates with DNS SubjectAltNames.
I'm sure this worked very well under CentOS 7.1 / IPA 4.0, but now under
CentOS 7.2 / IPA 4.2 something's different.
Here are the original steps which worked fine for my first use case ::
$ ipa dnsrecord-add example.com mail --a-ip=172.17.100.25
$ ipa host-add mail.example.com
$ ipa service-add smtp/mail.example.com
$ ipa service-add smtp/mail1.example.com
$ ipa service-add-host smtp/mail.example.com --hosts=mail1.example.com
$ ipa-getcert request -k /etc/pki/tls/private/postfix.key \
-f /etc/pki/tls/certs/postfix.pem \
-N CN=mail1.example.com,O=EXAMPLE.COM \
-D mail1.example.com -D mail.example.com \
-K smtp/mail1.example.com
(and repeat for every next member of the cluster...)
After this, I would get a certificate with something like ::
$ sudo ipa-getcert list
Number of certificates and requests being tracked: 3.
Request ID '20150419153933':
status: MONITORING
stuck: no
key pair storage:
type=FILE,location='/etc/pki/tls/private/postfix.key'
certificate: type=FILE,location='/etc/pki/tls/certs/postfix.pem'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=mail1.example.com,O=EXAMPLE.COM
expires: 2017-04-19 15:39:35 UTC
dns: mail1.example.com,mail.example.com
principal name: smtp/mail1.example.com at EXAMPLE.COM
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
with the Subject line in the form 'CN=<hostname>,O=EXAMPLE.COM' and the 'dns'
info line present.
Suddenly, in the current setup, after the upgrade from 4.0 to 4.2, I'm
getting this ::
$ ipa dnsrecord-add example.com w3 --a-ip=172.17.17.80 --a-create-reverse
$ ipa host-add w3.example.com
$ ipa service-add HTTP/w3.example.com
$ ipa service-add HTTP/http1.example.com
$ ipa service-add-host HTTP/w3.example.com --hosts=http1.example.com
$ ipa-getcert request -k /etc/pki/tls/private/httpd.key \
-f /etc/pki/tls/certs/httpd.pem \
-N CN=http1.example.com,O=EXAMPLE.COM \
-D http1.example.com -D w3.example.com \
-K HTTP/http1.example.com
$ sudo ipa-getcert list
Number of certificates and requests being tracked: 3.
Request ID '20160327095125':
status: MONITORING
stuck: no
key pair storage:
type=FILE,location='/etc/pki/tls/private/http.key'
certificate: type=FILE,location='/etc/pki/tls/certs/http.pem'
CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=http1.example.com,OU=pki-ipa,O=IPA
expires: 2018-03-28 09:51:27 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Where's the 'CN=<hostname>,OU=pki-ipa,O=IPA' coming from instead of
'CN=<hostname>,O=EXAMPLE.COM' and why are DNS SubjectAltNames missing?
To be clear, if I don't do ::
$ ipa service-add-host HTTP/w3.example.com --hosts=http1.example.com
then the certificate is simply not issued (the request ends up 'REJECTED'), but
once this is done properly, as in the steps described, the DNS SANs still do not appear.
I've tried ipa-getcert from both CentOS 7.2 and Fedora 23, but only
against my current IPA 4.2 on CentOS 7.2.
For the actual certificates ::
$ sudo openssl x509 -in /etc/pki/tls/certs/postfix.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 15 (0xf)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=EXAMPLE.COM, CN=Certificate Authority
Validity
Not Before: Apr 19 15:39:35 2015 GMT
Not After : Apr 19 15:39:35 2017 GMT
Subject: O=EXAMPLE.COM, CN=mail1.example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
[cut]
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:[cut]
Authority Information Access:
OCSP - URI:http://ipa-ca.example.com/ca/ocsp
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment,
Data Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client
Authentication
X509v3 CRL Distribution Points:
Full Name:
URI:http://ipa-ca.example.com/ipa/crl/MasterCRL.bin
CRL Issuer:
DirName: O = ipaca, CN = Certificate Authority
X509v3 Subject Key Identifier:
[cut]
X509v3 Subject Alternative Name:
DNS:mail1.example.com, DNS:mail.example.com,
othername:<unsupported>, othername:<unsupported>
Signature Algorithm: sha256WithRSAEncryption
[cut]
vs.
$ sudo openssl x509 -in /etc/pki/tls/certs/http.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 71 (0x47)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=EXAMPLE.COM, CN=Certificate Authority
Validity
Not Before: Mar 27 09:51:27 2016 GMT
Not After : Mar 28 09:51:27 2018 GMT
Subject: O=IPA, OU=pki-ipa, CN=http1.example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
[cut]
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:[cut]
Authority Information Access:
OCSP - URI:http://idmc1.example.com:80/ca/ocsp
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment,
Data Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client
Authentication
Signature Algorithm: sha256WithRSAEncryption
[cut]
so even the reference to the CRL is missing here, while OCSP is present.
Sorry if this is a duplicate, but from what I was able to find, DNS
SubjectAltNames are reported as working since CentOS 7.1, and I think I'm
consistent with http://www.freeipa.org/page/PKI, unless I'm missing something
obvious here.
For new features like certificate profiles and ACLs, I haven't changed
any defaults, as far as I know, as there was no need for that.
Thank you for any support in advance! And Happy Easter!
Martin
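A check for the symptom described in this message, added here as an example; it is not part of the original post nor code from FreeIPA or certmonger. It parses `ipa-getcert list` output and the extension section of an `openssl x509 -text` dump (the sample text below is constructed from the listings in the message) and flags tracked requests whose issued certificate carries no DNS SANs, is missing names that were requested with `-D`, or whose subject organisation differs from the expected realm. The expected organisation, the map from request ID to the `-D` names, and all function names are assumptions of the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the two `ipa-getcert list` entries from the post,
# trimmed to the fields this check looks at.
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 2.
Request ID '20150419153933':
	status: MONITORING
	subject: CN=mail1.example.com,O=EXAMPLE.COM
	dns: mail1.example.com,mail.example.com
	principal name: smtp/mail1.example.com@EXAMPLE.COM
Request ID '20160327095125':
	status: MONITORING
	subject: CN=http1.example.com,OU=pki-ipa,O=IPA
	principal name: HTTP/http1.example.com@EXAMPLE.COM
"""

# Constructed samples: extension sections of `openssl x509 -text` output,
# one with a SAN and CRL DP (good) and one without either (bad).
SAMPLE_X509_GOOD = """\
        X509v3 extensions:
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://ipa-ca.example.com/ipa/crl/MasterCRL.bin
            X509v3 Subject Alternative Name:
                DNS:mail1.example.com, DNS:mail.example.com, othername:<unsupported>
    Signature Algorithm: sha256WithRSAEncryption
"""
SAMPLE_X509_BAD = """\
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
    Signature Algorithm: sha256WithRSAEncryption
"""


@dataclass
class TrackedCert:
    request_id: str
    status: str = ""
    subject: str = ""
    dns: list = field(default_factory=list)
    principal: str = ""


def parse_getcert_list(text):
    """Parse the human-readable `ipa-getcert list` output into TrackedCert records."""
    certs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            cur = TrackedCert(request_id=m.group(1))
            certs.append(cur)
            continue
        if cur is None or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "status":
            cur.status = value
        elif key == "subject":
            cur.subject = value
        elif key == "dns":
            cur.dns = [d.strip() for d in value.split(",") if d.strip()]
        elif key == "principal name":
            cur.principal = value
    return certs


def rdn_value(dn, attr):
    """Value of the first `attr=` RDN in a comma-joined DN (escaped commas not handled)."""
    for part in dn.split(","):
        k, _, v = part.partition("=")
        if k.strip().upper() == attr.upper():
            return v.strip()
    return None


def audit(certs, expected_org, requested_dns=None):
    """Return {request_id: [findings]}; an empty list means the cert looks as requested.

    requested_dns maps a request ID to the names given with -D (assumed input);
    requests not in the map are only checked for the presence of some DNS SAN."""
    requested_dns = requested_dns or {}
    report = {}
    for c in certs:
        findings = []
        cn, org = rdn_value(c.subject, "CN"), rdn_value(c.subject, "O")
        if org != expected_org:
            findings.append(f"subject O is {org!r}, expected {expected_org!r}")
        if not c.dns:
            findings.append("no DNS SANs in issued certificate")
        elif cn and cn not in c.dns:
            findings.append(f"CN {cn} is not among the DNS SANs {c.dns}")
        missing = sorted(set(requested_dns.get(c.request_id, [])) - set(c.dns))
        if missing:
            findings.append(f"requested DNS SANs missing: {missing}")
        report[c.request_id] = findings
    return report


def x509_text_sans(text):
    """DNS names listed under 'X509v3 Subject Alternative Name' in `openssl x509 -text` output."""
    names, in_san = [], False
    for line in text.splitlines():
        if "X509v3 Subject Alternative Name" in line:
            in_san = True
            continue
        if in_san:
            if re.match(r"\s*(X509v3|Signature Algorithm)", line):
                break
            names += re.findall(r"DNS:([^\s,]+)", line)
    return names


def has_crl_dp(text):
    """True if the `openssl x509 -text` dump carries a CRL Distribution Points extension."""
    return "X509v3 CRL Distribution Points" in text


if __name__ == "__main__":
    requested = {"20160327095125": ["http1.example.com", "w3.example.com"]}
    for rid, findings in audit(parse_getcert_list(SAMPLE_GETCERT), "EXAMPLE.COM", requested).items():
        print(rid, "OK" if not findings else "; ".join(findings))
    print("good cert SANs:", x509_text_sans(SAMPLE_X509_GOOD), "CRL DP:", has_crl_dp(SAMPLE_X509_GOOD))
    print("bad cert SANs:", x509_text_sans(SAMPLE_X509_BAD), "CRL DP:", has_crl_dp(SAMPLE_X509_BAD))
```

Run it against real output by piping `sudo ipa-getcert list` into `parse_getcert_list` and `openssl x509 -in <cert> -noout -text` into `x509_text_sans`; a request that shows up with no `dns:` line and an `O=` that is not your realm is exactly the second case in this message, and is worth catching before the certificate is deployed, since a TLS client checking the SAN will refuse it.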