[Freeipa-users] DNS SubjectAltName missing in provisioned certificates

Fraser Tweedale ftweedal at redhat.com
Thu Mar 31 07:41:57 UTC 2016


On Sun, Mar 27, 2016 at 09:14:47PM +0200, Martin Štefany wrote:
> Hello,
> 
> I seem to be having some issues with the IPA CA feature not generating
> certificates with DNS SubjectAltNames.
> 
> I'm sure this worked very well under CentOS 7.1 / IPA 4.0, but now under
> CentOS 7.2 / IPA 4.2 something's different.
> 
> Here are the original steps which worked fine for my first use case ::
> 
> $ ipa dnsrecord-add example.com mail --a-ip=172.17.100.25
> $ ipa host-add mail.example.com
> $ ipa service-add smtp/mail.example.com
> $ ipa service-add smtp/mail1.example.com
> $ ipa service-add-host smtp/mail.example.com --hosts=mail1.example.com
> $ ipa-getcert request -k /etc/pki/tls/private/postfix.key \
>                       -f /etc/pki/tls/certs/postfix.pem   \
>                       -N CN=mail1.example.com,O=EXAMPLE.COM \
>                       -D mail1.example.com -D mail.example.com \
>                       -K smtp/mail1.example.com
> (and repeat for every next member of the cluster...)
> 
> After this, I would get certificate with something like ::
> $ sudo ipa-getcert list
> Number of certificates and requests being tracked: 3.
> Request ID '20150419153933':
> 	status: MONITORING
> 	stuck: no
> 	key pair storage: type=FILE,location='/etc/pki/tls/private/postfix.key'
> 	certificate: type=FILE,location='/etc/pki/tls/certs/postfix.pem'
> 	CA: IPA
> 	issuer: CN=Certificate Authority,O=EXAMPLE.COM
> 	subject: CN=mail1.example.com,O=EXAMPLE.COM
> 	expires: 2017-04-19 15:39:35 UTC
> 	dns: mail1.example.com,mail.example.com
> 	principal name: smtp/mail1.example.com at EXAMPLE.COM
> 	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> 	eku: id-kp-serverAuth,id-kp-clientAuth
> 	pre-save command: 
> 	post-save command: 
> 	track: yes
> 	auto-renew: yes
> 
> with the Subject line in the form 'CN=<hostname>,O=EXAMPLE.COM' and the
> 'dns' info line present.
> 
> Suddenly, in the current setup, after upgrade from 4.0 to 4.2, I'm
> getting this ::
> 
> $ ipa dnsrecord-add example.com w3 --a-ip=172.17.17.80 --a-create-reverse
> $ ipa host-add w3.example.com
> $ ipa service-add HTTP/w3.example.com
> $ ipa service-add HTTP/http1.example.com
> $ ipa service-add-host HTTP/w3.example.com --hosts=http1.example.com
> $ ipa-getcert request -k /etc/pki/tls/private/httpd.key \
>                       -f /etc/pki/tls/certs/httpd.pem   \
>                       -N CN=http1.example.com,O=EXAMPLE.COM \
>                       -D http1.example.com -D w3.example.com \
>                       -K HTTP/http1.example.com
> $ sudo ipa-getcert list
> Number of certificates and requests being tracked: 3.
> Request ID '20160327095125':
> 	status: MONITORING
> 	stuck: no
> 	key pair storage: type=FILE,location='/etc/pki/tls/private/http.key'
> 	certificate: type=FILE,location='/etc/pki/tls/certs/http.pem'
> 	CA: IPA
> 	issuer: CN=Certificate Authority,O=EXAMPLE.COM
> 	subject: CN=http1.example.com,OU=pki-ipa,O=IPA
> 	expires: 2018-03-28 09:51:27 UTC
> 	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> 	eku: id-kp-serverAuth,id-kp-clientAuth
> 	pre-save command: 
> 	post-save command: 
> 	track: yes
> 	auto-renew: yes
> 
> Where's the 'CN=<hostname>,OU=pki-ipa,O=IPA' coming from instead of
> 'CN=<hostname>,O=EXAMPLE.COM' and why are DNS SubjectAltNames missing?
> 
> To be clear, if I don't do ::
> $ ipa service-add-host HTTP/w3.example.com --hosts=http1.example.com
> 
> then the certificate is just not issued, with 'REJECTED', but once this is
> done properly in the described steps, DNS SANs are not happening.
> 
> I've tried ipa-getcert from both CentOS 7.2 and Fedora 23, but only
> against my current IPA 4.2 on CentOS 7.2.
> 
> For the actual certificates ::
> $ sudo openssl x509 -in /etc/pki/tls/certs/postfix.pem -noout -text
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 15 (0xf)
>     Signature Algorithm: sha256WithRSAEncryption
>         Issuer: O=EXAMPLE.COM, CN=Certificate Authority
>         Validity
>             Not Before: Apr 19 15:39:35 2015 GMT
>             Not After : Apr 19 15:39:35 2017 GMT
>         Subject: O=EXAMPLE.COM, CN=mail1.example.com
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>                 Modulus:
>                     [cut]
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Authority Key Identifier: 
>                 keyid:[cut]
> 
>             Authority Information Access: 
>                 OCSP - URI:http://ipa-ca.example.com/ca/ocsp
> 
>             X509v3 Key Usage: critical
>                 Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
>             X509v3 Extended Key Usage: 
>                 TLS Web Server Authentication, TLS Web Client Authentication
>             X509v3 CRL Distribution Points: 
> 
>                 Full Name:
>                   URI:http://ipa-ca.example.com/ipa/crl/MasterCRL.bin
>                 CRL Issuer:
>                   DirName: O = ipaca, CN = Certificate Authority
> 
>             X509v3 Subject Key Identifier: 
>                 [cut]
>             X509v3 Subject Alternative Name: 
>                 DNS:mail1.example.com, DNS:mail.example.com,
> othername:<unsupported>, othername:<unsupported>
>     Signature Algorithm: sha256WithRSAEncryption
>          [cut]
> 
> vs.
> 
> $ sudo openssl x509 -in /etc/pki/tls/certs/http.pem -text -noout
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 71 (0x47)
>     Signature Algorithm: sha256WithRSAEncryption
>         Issuer: O=EXAMPLE.COM, CN=Certificate Authority
>         Validity
>             Not Before: Mar 27 09:51:27 2016 GMT
>             Not After : Mar 28 09:51:27 2018 GMT
>         Subject: O=IPA, OU=pki-ipa, CN=http1.example.com
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>                 Modulus:
>                     [cut]
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Authority Key Identifier: 
>                 keyid:[cut]
> 
>             Authority Information Access: 
>                 OCSP - URI:http://idmc1.example.com:80/ca/ocsp
> 
>             X509v3 Key Usage: critical
>                 Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
>             X509v3 Extended Key Usage: 
>                 TLS Web Server Authentication, TLS Web Client Authentication
>     Signature Algorithm: sha256WithRSAEncryption
>          [cut]
> 
> so even the reference to the CRL is missing here, but OCSP is present.
> 
> 
> Sorry if this is duplicate, but from what I was able to find, DNS
> SubjectAltNames are reported working since CentOS 7.1, and I think I'm
> consistent with http://www.freeipa.org/page/PKI, unless I miss something
> obvious here.
> 
> For new features like certificate profiles and ACLs, I haven't changed
> any defaults as far as I know as there was no need for that.
> 
> 
> Thank you for any support in advance! And Happy Easter!
> 
> Martin

Hi Martin,

Thanks for the detailed info.  Could you please provide the
Dogtag configuration for the default profile, `caIPAserviceCert'?

    ipa certprofile-show --out caIPAserviceCert.cfg caIPAserviceCert

(Then provide the contents of caIPAserviceCert.cfg)

Could you also provide the contents of file
`/etc/pki/pki-tomcat/ca/CS.cfg'?

Regards,
Fraser
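As an added example (not code from this thread, nor from FreeIPA, certmonger or Dogtag): the difference Martin spotted only after reading the `openssl x509 -text` dump by eye can be checked mechanically. The script below takes a PEM certificate, the Subject you expected, and the DNS names you passed to `ipa-getcert request -D`, and reports every DNS SAN that is missing, a Subject that differs from the expected form, and a missing CRL Distribution Points extension, so a request that reached MONITORING with a useless certificate is caught right away rather than at TLS handshake time. It only needs `openssl` on PATH and parses the one-line SAN format of `openssl x509 -text`. The two certificates it builds at the end are self-signed ones constructed with `openssl req` to mirror the working `postfix.pem` and the broken `http.pem` from the thread (same hostnames, realm O, subject DNs and CRL URL); they are not certificates issued by an IPA CA.

```shell
#!/bin/sh
# Added example, not code from the thread, FreeIPA or certmonger: check that
# a PEM certificate carries the DNS SANs requested with `ipa-getcert -D`,
# that its Subject has the expected form, and that a CRL Distribution
# Point is present. The sample certificates at the bottom are self-signed
# ones constructed with `openssl req`, not certificates issued by an IPA CA.

# Subject DN in RFC 2253 form, e.g. "CN=mail1.example.com,O=EXAMPLE.COM",
# which is also how `ipa-getcert list` prints it.
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# DNS entries of the Subject Alternative Name extension, one per line.
# othername entries (the Kerberos principal) are deliberately dropped.
cert_dns_sans() {
    openssl x509 -in "$1" -noout -text \
      | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
      | tr ',' '\n' \
      | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Succeeds only if a CRL Distribution Points extension is present.
cert_has_crldp() {
    openssl x509 -in "$1" -noout -text | grep -q 'X509v3 CRL Distribution Points'
}

# check_cert CERT EXPECTED_SUBJECT DNSNAME...
# Prints one line per problem; the return value is the number of problems.
check_cert() {
    cert=$1; want_subject=$2; shift 2
    problems=0
    subject=$(cert_subject "$cert")
    if [ "$subject" != "$want_subject" ]; then
        echo "subject is '$subject', expected '$want_subject'"
        problems=$((problems + 1))
    fi
    sans=$(cert_dns_sans "$cert")
    for name in "$@"; do
        if ! printf '%s\n' "$sans" | grep -qxF "$name"; then
            echo "DNS SAN '$name' missing"
            problems=$((problems + 1))
        fi
    done
    if ! cert_has_crldp "$cert"; then
        echo "no CRL Distribution Points extension"
        problems=$((problems + 1))
    fi
    return $problems
}

# make_sample_cert OUT SUBJ EXT_LINES: constructed test input only. Builds a
# self-signed certificate with the given `-subj` DN and an optional block of
# x509v3 extension lines in openssl config syntax (empty string for none).
make_sample_cert() {
    out=$1; subj=$2; ext=${3:-}
    cfg=$(mktemp); key=$(mktemp)
    printf '[req]\ndistinguished_name = dn\n[dn]\n[ext]\n%s\n' "$ext" > "$cfg"
    if [ -n "$ext" ]; then extopt="-extensions ext"; else extopt=""; fi
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$subj" \
        -config "$cfg" $extopt -keyout "$key" -out "$out" 2>/dev/null
    rm -f "$cfg" "$key"
}

# Stand-alone demo: postfix.pem mirrors the working certificate from the
# thread, httpd.pem the broken one (different subject, no SAN, no CRL DP).
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/postfix.pem" "/O=EXAMPLE.COM/CN=mail1.example.com" \
    "subjectAltName = DNS:mail1.example.com,DNS:mail.example.com
crlDistributionPoints = URI:http://ipa-ca.example.com/ipa/crl/MasterCRL.bin"
make_sample_cert "$demo_dir/httpd.pem" "/O=IPA/OU=pki-ipa/CN=http1.example.com" ""

echo "== $demo_dir/postfix.pem"
check_cert "$demo_dir/postfix.pem" "CN=mail1.example.com,O=EXAMPLE.COM" \
    mail1.example.com mail.example.com && echo "OK"
echo "== $demo_dir/httpd.pem"
check_cert "$demo_dir/httpd.pem" "CN=http1.example.com,O=EXAMPLE.COM" \
    http1.example.com w3.example.com || echo "$? problem(s)"
```

Against a real certmonger-tracked certificate the call is the same, e.g. `check_cert /etc/pki/tls/certs/httpd.pem "CN=http1.example.com,O=EXAMPLE.COM" http1.example.com w3.example.com`; a non-zero return is the number of things that went wrong, so it drops straight into a post-save command or a monitoring check. The Subject comparison is deliberately exact rather than a substring test: the `OU=pki-ipa,O=IPA` form in the thread is only one way the issued DN can differ from what was requested.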



