[Freeipa-users] Configuring freeipa 4.4 as a subCA to in-house rootCA : ERROR IPA CA certificate not found in
Tomas Krizek
tkrizek at redhat.com
Mon Mar 27 17:20:23 UTC 2017
On 03/27/2017 06:19 PM, System Administration Team wrote:
> [root at ipa certs]# openssl req -in /root/ipa.csr -noout -text
> Certificate Request:
> Data:
> Version: 0 (0x0)
> Subject: mail=<REMOVED>, C=US, ST=Mississippi, L=Starkville, O=Camgian Microsystems, OU=IT, CN=Certificate Authority
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> Public-Key: (2048 bit)
> Modulus:
> <REMOVED FOR BREVITY>
> Exponent: 65537 (0x10001)
> Attributes:
> Requested Extensions:
> X509v3 Basic Constraints: critical
> CA:TRUE
> X509v3 Key Usage: critical
> Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
> Signature Algorithm: sha256WithRSAEncryption
> <REMOVED FOR BREVITY>
> [root at ipa certs]#
>
> Sign ipa.csr
>
> root at rootCA:~/ca# openssl ca -config openssl.cnf -policy policy_loose -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in /home/camgian/ipa.csr -out intermediate/certs/ipa.cert.pem
> Using configuration from openssl.cnf
> Enter pass phrase for /root/ca/private/ca.key.pem:
> Check that the request matches the signature
> Signature ok
> Certificate Details:
> Serial Number: 4099 (0x1003)
> Validity
> Not Before: Mar 27 15:49:18 2017 GMT
> Not After : Mar 25 15:49:18 2027 GMT
> Subject:
> countryName = US
> stateOrProvinceName = Mississippi
> localityName = Starkville
> organizationName = Camgian Microsystems
> organizationalUnitName = IT
> commonName = Certificate Authority
The signed certificate's Subject field seems to be missing the
mail=<REMOVED>. Perhaps the signing rules do not permit this field?
> [root at ipa certs]# ipa-server-install --domain=camgian.com --hostname=ipa.camgian.com --realm=CAMGIAN.COM --subject 'OU=IT,O=Camgian Microsystems,L=Starkville,ST=Mississippi,C=US,mail=<REMOVED>' --external-cert-file=/etc/pki/tls/certs/ipa.cert.pem --external-cert-file=/etc/pki/tls/certs/ca.cert.pem
I believe you can't force IPA to use a different subject at the second
step of setting up an external CA. I think it's only used to generate the
CSR in the first step.
> ipa.ipapython.install.cli.install_tool(Server): ERROR IPA CA certificate not found in /etc/pki/tls/certs/ipa.cert.pem, /etc/pki/tls/certs/ca.cert.pem
> ipa.ipapython.install.cli.install_tool(Server): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
The installation most likely fails because mail=<REMOVED> is expected to
be a part of the signed certificate's subject field.
--
Tomas Krizek
PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869
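A quick way to confirm the diagnosis above, as an added example that is not part of this thread and assumes only the openssl CLI: compare the Subject of the CSR that ipa-server-install generated with the Subject of the certificate the root CA returned. The built-in demo constructs a throwaway root CA (constructed data, not the poster's real CA) and a CSR carrying a mail= attribute, then signs it twice: once with openssl x509 -req, which copies the CSR subject unchanged, and once with openssl ca under a policy section that does not list mail, which reproduces the kind of subject rewrite visible in the quoted output. File names (check_subject.sh, ipa-good.crt, ipa-bad.crt) are my own.

```shell
#!/bin/sh
# Compare the Subject of a CSR with the Subject of the certificate issued
# for it. Added example, not code from the thread; assumes only the openssl
# CLI. A dropped attribute such as mail=... is what makes ipa-server-install
# refuse the external CA certificate as "IPA CA certificate not found".
set -eu

# Print the subject of a CSR ("csr") or certificate ("cert") on one line,
# in RFC 2253 form so both sides are rendered identically for comparison.
subject_of() {
  if [ "$1" = csr ]; then cmd=req; else cmd=x509; fi
  openssl "$cmd" -in "$2" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Return 0 when the certificate carries the CSR's subject unchanged, 1 otherwise.
check_subject_match() {
  csr_subj=$(subject_of csr "$1")
  cert_subj=$(subject_of cert "$2")
  if [ "$csr_subj" = "$cert_subj" ]; then
    echo "OK: subject preserved: $cert_subj"
    return 0
  fi
  echo "MISMATCH: the CA rewrote the subject (IPA will reject this certificate)"
  echo "  CSR : $csr_subj"
  echo "  cert: $cert_subj"
  return 1
}

# Build a throwaway demo in a temp dir (constructed data): a root CA, a CSR
# with a mail= attribute, and two signed variants. Prints the directory.
demo_setup() {
  DEMO=$(mktemp -d)
  cd "$DEMO"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
    -days 3650 -subj '/C=US/O=Demo Root/CN=Demo Root CA' >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout ipa.key -out ipa.csr \
    -subj '/mail=admin@example.test/C=US/O=Demo Org/OU=IT/CN=Certificate Authority' \
    >/dev/null 2>&1
  # Variant A: openssl x509 -req copies the CSR subject as-is.
  openssl x509 -req -in ipa.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 3650 -out ipa-good.crt >/dev/null 2>&1
  # Variant B: openssl ca silently deletes any DN attribute that the policy
  # section does not mention (unless -preserveDN is given); mail is omitted here.
  mkdir -p newcerts; touch index.txt; echo 1000 > serial
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/root.crt
private_key = $dir/root.key
default_md = sha256
default_days = 3650
policy = policy_no_mail
[ policy_no_mail ]
countryName = supplied
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
EOF
  openssl ca -batch -config ca.cnf -in ipa.csr -out ipa-bad.crt -notext >/dev/null 2>&1
  echo "$DEMO"
}

# Real use:  . ./check_subject.sh; check_subject_match /root/ipa.csr /etc/pki/tls/certs/ipa.cert.pem
# Demo run:  sh check_subject.sh --demo
if [ "${1:-}" = "--demo" ]; then
  D=$(demo_setup)
  check_subject_match "$D/ipa.csr" "$D/ipa-good.crt"
  check_subject_match "$D/ipa.csr" "$D/ipa-bad.crt" || true
fi
```

If the check reports a mismatch, the fix is on the signing side rather than in ipa-server-install: either add the missing attribute to the policy section the CA uses, or sign with `openssl ca -preserveDN` so the DN from the CSR is kept verbatim, then re-run the second installation step with the re-issued certificate.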