[Freeipa-users] any work around for generating CSR to be signed by Microsoft AD CA?
Frank Li
frli at paloaltonetworks.com
Thu Nov 3 23:58:15 UTC 2016
I’m aware of the bug filed here, but the workaround as documented did not work:
https://bugzilla.redhat.com/show_bug.cgi?id=1322963
Looking at this ticket:
https://fedorahosted.org/freeipa/ticket/5799
It seems that it won’t be fixed until freeipa 4.5.
Is there any workaround currently in FreeIPA 4.2/4.3 to somehow manually generate a CSR that can be recognized by Microsoft?
ipa-server-install was able to generate a CSR for root CA signing if one specifies --external-ca-type ms-cs, which works for MS AD CA,
but no such option exists for ipa-cacert-manage.
details below:
I’m trying to upgrade our current IPA installation from self-signed to be signed by the CA operated by IT.
So I followed the procedure here to generate the CSR to be signed:
http://www.freeipa.org/page/V4/CA_certificate_renewal
However, when I submitted the CSR to be signed, the Microsoft Windows 2012R2 ADCA rejected the CSR with this error:
Certificate not issued (Denied) Denied by Policy Module 0x80094800, The request was for a certificate template that is not supported by the Active Directory Certificate Services policy: ipaCSRExport/PANW_Subordinate Certification Authority.
The requested certificate template is not supported by this CA. 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE)
1401.5098.0:<2016/11/3, 11:11:3>: 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE)
1401.5602.0:<2016/11/3, 11:11:3>: 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE)
1401.16709.0:<2016/11/3, 11:11:3>: 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE)
Certificate Request Processor: The requested certificate template is not supported by this CA. 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE)
Denied by Policy Module 0x80094800, The request was for a certificate template that is not supported by the Active Directory Certificate Services policy: ipaCSRExport/PANW_Subordinate Certification Authority.
Here is what the CSR looks like (with keys taken out):
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: O=XYZ.LOCAL, CN=Certificate Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
        Attributes:
            friendlyName             :unable to print attribute
        Requested Extensions:
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                C9:8C:B7:B1:9D:4B:02:E2:74:FD:59:3E:1C:FC:9C:C9:98:EE:81:BD
            1.3.6.1.4.1.311.20.2:
                ...i.p.a.C.S.R.E.x.p.o.r.t
    Signature Algorithm: sha256WithRSAEncryption
I tried the workaround documented on the webpage and asked for the CSR to be processed via the command-line certreq. Same error.
I’ve also tried this workaround:
https://bugzilla.redhat.com/show_bug.cgi?id=1322963
where I manually generated the cert via certutil:
# echo -e -n '\x1E\x0A\x00\x53\x00\x75\x00\x62\x00\x43\x00\x41' >ext-value
# certutil -R -d /etc/pki/pki-tomcat/alias -f <(grep -Po '(?<=internal=).*' /etc/pki/pki-tomcat/password.conf) -k 'caSigningCert cert-pki-ca' --extGeneric=1.3.6.1.4.1.311.20.2:not-critical:ext-value -o ipa.csr -a
which didn’t work either.
I’m running IPA version 4.2.0 on Centos 7.2.1511
ipa-server-4.2.0-15.0.1.el7.centos.17.x86_64
Also, if I run ipa-server-install --external-ca --external-ca-type ms-cs on a test box, it’ll generate a CSR that works, the only difference being that the X509v3 extensions are not there:
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
So I’m not sure if the same logic that’s used in ipa-server-install can be used in ipa-cacert-manage to generate the renewal CSR.
Please help to generate a correct CSR for Microsoft Windows 2012R2 CA to recognize and sign so I can chain the existing self-signed CA to it. Thanks.
--
Efficiency is Intelligent Laziness
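Added example (my own code, not from the post or from FreeIPA): the value that AD CS reads for OID 1.3.6.1.4.1.311.20.2 (the certificate template name, szOID_ENROLL_CERTTYPE_EXTENSION) is a DER BMPString, which is exactly what the echo -e in the post spells out byte by byte. The helpers below build that value for any template name and inspect an openssl req -text dump for the two places the rejected CSR differs from a working one; the template name "SubCA" is taken from the post's certutil workaround and is a parameter, since the name your CA expects may differ.

```python
# Build and inspect the Microsoft certificate-template-name extension,
# OID 1.3.6.1.4.1.311.20.2. Its value is a DER BMPString: tag 0x1E, one
# length byte (short form), then the name encoded as UTF-16BE.
import re

MS_TEMPLATE_NAME_OID = "1.3.6.1.4.1.311.20.2"
BMPSTRING_TAG = 0x1E


def encode_template_name(name: str) -> bytes:
    """Raw extension value, i.e. the bytes an ext-value file for certutil
    --extGeneric must contain. Template names are far below 128 bytes, so
    the short-form DER length is sufficient."""
    payload = name.encode("utf-16-be")
    if len(payload) >= 0x80:
        raise ValueError("template name too long for short-form length")
    return bytes([BMPSTRING_TAG, len(payload)]) + payload


def decode_template_name(der: bytes) -> str:
    """Inverse of encode_template_name; rejects anything that is not a
    well-formed short-form BMPString."""
    if len(der) < 2 or der[0] != BMPSTRING_TAG or der[1] & 0x80 or len(der) != 2 + der[1]:
        raise ValueError("not a short-form BMPString")
    return der[2:].decode("utf-16-be")


def check_csr_dump(dump: str, expected_template: str) -> list:
    """Report, from an 'openssl req -text' dump, the template name carried in
    the extension and whether Basic Constraints says CA:FALSE. openssl prints
    the BMPString's non-printable bytes as '.', so the value shows up as
    '...i.p.a.C.S.R...'; dropping the dots recovers an ASCII template name."""
    findings = []
    m = re.search(re.escape(MS_TEMPLATE_NAME_OID) + r":\s+(\S+)", dump)
    name = m.group(1).replace(".", "") if m else None
    if name is None:
        findings.append("no certificate template name extension")
    elif name != expected_template:
        findings.append(f"template name {name!r} != {expected_template!r}")
    if "CA:FALSE" in dump:
        findings.append("Basic Constraints says CA:FALSE in a CA CSR")
    return findings


# Constructed excerpt mirroring the dump in the post (whitespace simplified).
SAMPLE_DUMP = """Requested Extensions:
    X509v3 Basic Constraints: critical
        CA:FALSE
    1.3.6.1.4.1.311.20.2:
        ...i.p.a.C.S.R.E.x.p.o.r.t
"""

if __name__ == "__main__":
    print(encode_template_name("SubCA").hex())   # same bytes as the post's echo -e
    print(check_csr_dump(SAMPLE_DUMP, "SubCA"))
```

Writing encode_template_name("SubCA") to a file gives the ext-value the certutil line in the post expects, without hand-typing escape sequences.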