[Freeipa-users] DNS SubjectAltName missing in provisioned certificates
Fraser Tweedale
ftweedal at redhat.com
Thu Mar 31 07:41:57 UTC 2016
On Sun, Mar 27, 2016 at 09:14:47PM +0200, Martin Štefany wrote:
> Hello,
>
> I seem to be having some issues with the IPA CA feature not generating
> certificates with DNS SubjectAltNames.
>
> I'm sure this worked very well under CentOS 7.1 / IPA 4.0, but now under
> CentOS 7.2 / IPA 4.2 something's different.
>
> Here are the original steps which worked fine for my first use case ::
>
> $ ipa dnsrecord-add example.com mail --a-ip=172.17.100.25
> $ ipa host-add mail.example.com
> $ ipa service-add smtp/mail.example.com
> $ ipa service-add smtp/mail1.example.com
> $ ipa service-add-host smtp/mail.example.com --hosts=mail1.example.com
> $ ipa-getcert request -k /etc/pki/tls/private/postfix.key \
>     -f /etc/pki/tls/certs/postfix.pem \
>     -N CN=mail1.example.com,O=EXAMPLE.COM \
>     -D mail1.example.com -D mail.example.com \
>     -K smtp/mail1.example.com
> (and repeat for every next member of the cluster...)
>
> After this, I would get certificate with something like ::
> $ sudo ipa-getcert list
> Number of certificates and requests being tracked: 3.
> Request ID '20150419153933':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=FILE,location='/etc/pki/tls/private/postfix.key'
>     certificate: type=FILE,location='/etc/pki/tls/certs/postfix.pem'
>     CA: IPA
>     issuer: CN=Certificate Authority,O=EXAMPLE.COM
>     subject: CN=mail1.example.com,O=EXAMPLE.COM
>     expires: 2017-04-19 15:39:35 UTC
>     dns: mail1.example.com,mail.example.com
>     principal name: smtp/mail1.example.com@EXAMPLE.COM
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command:
>     track: yes
>     auto-renew: yes
>
> with Subject line in form of: 'CN=<hostname>,O=EXAMPLE.COM' and 'dns'
> info line present.
>
> Suddenly, in the current setup, after upgrade from 4.0 to 4.2, I'm
> getting this ::
>
> $ ipa dnsrecord-add example.com w3 --a-ip=172.17.17.80 --a-create-reverse
> $ ipa host-add w3.example.com
> $ ipa service-add HTTP/w3.example.com
> $ ipa service-add HTTP/http1.example.com
> $ ipa service-add-host HTTP/w3.example.com --hosts=http1.example.com
> $ ipa-getcert request -k /etc/pki/tls/private/httpd.key \
>     -f /etc/pki/tls/certs/httpd.pem \
>     -N CN=http1.example.com,O=EXAMPLE.COM \
>     -D http1.example.com -D w3.example.com \
>     -K HTTP/http1.example.com
> $ sudo ipa-getcert list
> Number of certificates and requests being tracked: 3.
> Request ID '20160327095125':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=FILE,location='/etc/pki/tls/private/http.key'
>     certificate: type=FILE,location='/etc/pki/tls/certs/http.pem'
>     CA: IPA
>     issuer: CN=Certificate Authority,O=EXAMPLE.COM
>     subject: CN=http1.example.com,OU=pki-ipa,O=IPA
>     expires: 2018-03-28 09:51:27 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command:
>     track: yes
>     auto-renew: yes
>
> Where's the 'CN=<hostname>,OU=pki-ipa,O=IPA' coming from instead of
> 'CN=<hostname>,O=EXAMPLE.COM' and why are DNS SubjectAltNames missing?
>
> To be clear, if I don't do ::
> $ ipa service-add-host HTTP/w3.example.com --hosts=http1.example.com
>
> then the certificate is just not issued ('REJECTED'), but once this is
> done properly in the described steps, DNS SANs are not happening.
>
> I've tried ipa-getcert from both CentOS 7.2 and Fedora 23, but only
> against my current IPA 4.2 on CentOS 7.2.
>
> For the actual certificates ::
> $ sudo openssl x509 -in /etc/pki/tls/certs/postfix.pem -noout -text
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 15 (0xf)
>     Signature Algorithm: sha256WithRSAEncryption
>         Issuer: O=EXAMPLE.COM, CN=Certificate Authority
>         Validity
>             Not Before: Apr 19 15:39:35 2015 GMT
>             Not After : Apr 19 15:39:35 2017 GMT
>         Subject: O=EXAMPLE.COM, CN=mail1.example.com
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>                 Modulus:
>                     [cut]
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Authority Key Identifier:
>                 keyid:[cut]
>
>             Authority Information Access:
>                 OCSP - URI:http://ipa-ca.example.com/ca/ocsp
>
>             X509v3 Key Usage: critical
>                 Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
>             X509v3 Extended Key Usage:
>                 TLS Web Server Authentication, TLS Web Client Authentication
>             X509v3 CRL Distribution Points:
>
>                 Full Name:
>                   URI:http://ipa-ca.example.com/ipa/crl/MasterCRL.bin
>                 CRL Issuer:
>                   DirName: O = ipaca, CN = Certificate Authority
>
>             X509v3 Subject Key Identifier:
>                 [cut]
>             X509v3 Subject Alternative Name:
>                 DNS:mail1.example.com, DNS:mail.example.com, othername:<unsupported>, othername:<unsupported>
>     Signature Algorithm: sha256WithRSAEncryption
>          [cut]
>
> vs.
>
> $ sudo openssl x509 -in /etc/pki/tls/certs/http.pem -text -noout
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 71 (0x47)
>     Signature Algorithm: sha256WithRSAEncryption
>         Issuer: O=EXAMPLE.COM, CN=Certificate Authority
>         Validity
>             Not Before: Mar 27 09:51:27 2016 GMT
>             Not After : Mar 28 09:51:27 2018 GMT
>         Subject: O=IPA, OU=pki-ipa, CN=http1.example.com
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>                 Modulus:
>                     [cut]
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Authority Key Identifier:
>                 keyid:[cut]
>
>             Authority Information Access:
>                 OCSP - URI:http://idmc1.example.com:80/ca/ocsp
>
>             X509v3 Key Usage: critical
>                 Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
>             X509v3 Extended Key Usage:
>                 TLS Web Server Authentication, TLS Web Client Authentication
>     Signature Algorithm: sha256WithRSAEncryption
>          [cut]
>
> so even the reference to the CRL is missing here, but OCSP is present.
>
>
> Sorry if this is duplicate, but from what I was able to find, DNS
> SubjectAltNames are reported working since CentOS 7.1, and I think I'm
> consistent with http://www.freeipa.org/page/PKI, unless I miss something
> obvious here.
>
> For new features like certificate profiles and ACLs, I haven't changed
> any defaults as far as I know as there was no need for that.
>
>
> Thank you for any support in advance! And Happy Easter!
>
> Martin
Hi Martin,

Thanks for the detailed info. Could you please provide the
Dogtag configuration for the default profile, `caIPAserviceCert'?

    ipa certprofile-show --out caIPAserviceCert.cfg caIPAserviceCert

(Then provide the contents of caIPAserviceCert.cfg)

Could you also provide the contents of file
`/etc/pki/pki-tomcat/ca/CS.cfg'?

Regards,
Fraser
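The two `ipa-getcert list` records quoted above differ in exactly the two places a practitioner would want to check automatically after an upgrade: whether the `dns:` line carries every name that was requested with `-D`, and whether the subject DN's organisation still matches the issuing CA's. The following script, added here as an example and not code from the thread, FreeIPA or certmonger, parses certmonger's listing format and reports both conditions. It assumes the `key: value` layout shown in the thread, a caller-supplied map from request ID to the expected DNS names (something the operator knows from the request command line or the CSR), and a sample listing constructed from the two records in the post.

```python
"""Audit `ipa-getcert list` output for certs issued without the requested
DNS SANs, or with a subject whose O= does not match the issuing CA.

Added example for this thread; not FreeIPA or certmonger code. Assumes the
certmonger "key: value" listing format and a request-ID -> expected-DNS map.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, built from the two records quoted in the thread: the
# postfix cert (DNS SANs present) and the httpd cert (no 'dns:' line and a
# subject with O=IPA instead of O=EXAMPLE.COM).
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20150419153933':
    status: MONITORING
    key pair storage: type=FILE,location='/etc/pki/tls/private/postfix.key'
    certificate: type=FILE,location='/etc/pki/tls/certs/postfix.pem'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=mail1.example.com,O=EXAMPLE.COM
    expires: 2017-04-19 15:39:35 UTC
    dns: mail1.example.com,mail.example.com
    principal name: smtp/mail1.example.com@EXAMPLE.COM
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
Request ID '20160327095125':
    status: MONITORING
    key pair storage: type=FILE,location='/etc/pki/tls/private/httpd.key'
    certificate: type=FILE,location='/etc/pki/tls/certs/httpd.pem'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=http1.example.com,OU=pki-ipa,O=IPA
    expires: 2018-03-28 09:51:27 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
"""

# Names each request asked for with -D (assumed; taken from the request
# command lines quoted in the thread).
EXPECTED_DNS: Dict[str, List[str]] = {
    "20150419153933": ["mail1.example.com", "mail.example.com"],
    "20160327095125": ["http1.example.com", "w3.example.com"],
}

REQUEST_RE = re.compile(r"^Request ID '([^']+)':\s*$")
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z -]*?):\s*(.*)$")


def parse_getcert_list(text: str) -> List[Dict[str, str]]:
    """One dict per 'Request ID' block; field names are lower-cased keys."""
    records: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            records.append(current)
            continue
        if current is None:  # header line before the first record
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1).strip().lower()] = m.group(2).strip()
    return records


def san_dns_names(record: Dict[str, str]) -> List[str]:
    """DNS names certmonger reports; [] when the 'dns:' line is absent."""
    return [n.strip() for n in record.get("dns", "").split(",") if n.strip()]


def missing_dns_sans(record: Dict[str, str], expected: List[str]) -> List[str]:
    present = set(san_dns_names(record))
    return [name for name in expected if name not in present]


def dn_attr(dn: str, attr: str) -> Optional[str]:
    """First value of attr in a comma-separated DN (escaped commas not handled)."""
    for rdn in dn.split(","):
        key, _, value = rdn.partition("=")
        if key.strip().upper() == attr.upper():
            return value.strip()
    return None


def subject_org_matches_issuer(record: Dict[str, str]) -> bool:
    return dn_attr(record.get("subject", ""), "O") == dn_attr(record.get("issuer", ""), "O")


def audit(text: str, expected_dns: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """(request_id, problem) for every tracked cert that deviates."""
    issues: List[Tuple[str, str]] = []
    for rec in parse_getcert_list(text):
        rid = rec["request_id"]
        missing = missing_dns_sans(rec, expected_dns.get(rid, []))
        if missing:
            issues.append((rid, "missing DNS SANs: " + ",".join(missing)))
        if not subject_org_matches_issuer(rec):
            issues.append((rid, "subject O=%s differs from issuer O=%s"
                           % (dn_attr(rec.get("subject", ""), "O"),
                              dn_attr(rec.get("issuer", ""), "O"))))
    return issues


if __name__ == "__main__":
    for rid, problem in audit(SAMPLE_GETCERT_LIST, EXPECTED_DNS):
        print(f"Request ID {rid}: {problem}")
```

Run against live output with `sudo ipa-getcert list | python3 audit.py` after swapping the sample for `sys.stdin.read()`. A certificate that fails the DNS check will not validate for the cluster alias (here `w3.example.com`) even though certmonger shows it as MONITORING, so this is worth wiring in as a post-save check rather than discovering it from client TLS errors.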