Hi Flo,

On 12/8/17 10:52 AM, Florence Blanc-Renaud wrote:


Hi Harald,

The external CAs and FreeIPA CA must be stored in the LDAP server 
(cn=certificates,cn=ipa,cn=etc,$BASEDN). The correct procedure to add external 
CAs to the LDAP server is to run ipa-cacert-manage install.

ACK

You need first to have a clean state in the LDAP server. When all the required 
CAs are stored in LDAP with the right trust attribute, you can use 
ipa-certupdate to retrieve them and place them in the NSS databases and 
/etc/ipa/ca.crt.


The IPA servers ipa1 and ipa2 are in sync, as reported by ipa-replica-manage
and ipa-csreplica-manage.

jxplorer shows me 3 certificates:

- the ipa ca certificate signed by the new root CA
- the old root CA certificate "cn=example Root CA, ..."
- the new root CA certificate "cn=root-CA, ..."

The old root CA certificate has many more attributes set than the
new one; especially, there is an attribute ipaKeyTrust set to "trusted",
and several other ipaKeyExtUsage attributes are not set for the new
root CA certificate. Attached you can find the output of ldapsearch
for cn=certificates.

As you suggested, I used ipa-certupdate to deploy the new PKI, but
I wonder whether the attributes for the new root CA certificate are set
correctly. Please note the "ipaKeyExtUsage: 1.3.6.1.4.1.3319.6.10.16"
set only for the new root CA cert.

Looking into the old and new root CA certs I see very similar x509v3
extensions. Do you think the new root certificate could be bad
internally?

If some certificates are manually added to the NSS databases but not present in 
the LDAP server, the next call to ipa-certupdate will remove them; this is why 
the state is not persistent.


I highly appreciate this central location.

If you want to completely remove an old root CA, you need to delete it from the 
LDAP server, otherwise it will return on the next call to ipa-certupdate.


AFAIU it is necessary to fix the attributes of the new root CA
certificate entry in LDAP first. Would you recommend setting the
missing ipaKeyExtUsage attributes?


Regards
Harri
# extended LDIF
#
# LDAPv3
# base <cn=certificates,cn=ipa,cn=etc,dc=example,dc=de> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# certificates, ipa, etc, example.de
dn: cn=certificates,cn=ipa,cn=etc,dc=example,dc=de
objectClass: nsContainer
objectClass: top
cn: certificates

# CN\3Dexample Root CA\2COU\3Dexample Certificate Authority\2CO\3Dexample 
AG\2CC\3DDE, certificates, ipa, etc, example.de
dn: cn=CN\3Dexample Root CA\2COU\3Dexample Certificate Authority\2CO\3Dexample 
AG\2CC\3DDE,cn=certificates,cn=ipa,cn=etc,dc=example,dc=de
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.1
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.2
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.3
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.4
cn: CN=example Root CA,OU=example Certificate Authority,O=example AG,C=DE
objectClass: ipaCertificate
objectClass: pkiCA
objectClass: ipaKeyPolicy
objectClass: top
ipaCertSubject: CN=example Root CA,OU=example Certificate Authority,O=example 
AG,C=DE
ipaPublicKey:: MIICIjAN...
cACertificate;binary:: MIIGGzCC...
ipaKeyTrust: trusted
ipaCertIssuerSerial: CN=example Root CA,OU=example Certificate 
Authority,O=example AG,C=DE;1

# EXAMPLE.DE IPA CA, certificates, ipa, etc, example.de
dn: cn=EXAMPLE.DE IPA CA,cn=certificates,cn=ipa,cn=etc,dc=example,dc=de
ipaConfigString: ipaCa
ipaCertSubject: CN=Certificate Authority,O=example AG,C=DE
ipaKeyTrust: trusted
cACertificate;binary:: MIIE9DCC...
ipaPublicKey:: MIIBIjAN...
ipaCertIssuerSerial: CN=root-CA,OU=example Certificate Authority,O=example 
AG,C=DE;4
objectClass: ipaCertificate
objectClass: pkiCA
objectClass: ipaKeyPolicy
objectClass: top
cn: EXAMPLE.DE IPA CA
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.1
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.2
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.3
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.4
ipaKeyExtUsage: 1.3.6.1.5.2.3.5
ipaKeyExtUsage: 1.3.6.1.5.2.3.4

# CN\3Droot-CA\2COU\3Dexample Certificate Authority\2CO\3Dexample AG\2CC\3DDE, 
certificates, ipa, etc, example.de
dn: cn=CN\3Droot-CA\2COU\3Dexample Certificate Authority\2CO\3Dexample 
AG\2CC\3DDE,cn=certificates,cn=ipa,cn=etc,dc=example,dc=de
ipaKeyExtUsage: 1.3.6.1.4.1.3319.6.10.16
cn: CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE
objectClass: ipaCertificate
objectClass: pkiCA
objectClass: ipaKeyPolicy
objectClass: top
ipaCertSubject: CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE
ipaPublicKey:: MIICIjAN...
cACertificate;binary:: MIIGDTCC...
ipaCertIssuerSerial: CN=root-CA,OU=example Certificate Authority,O=example 
AG,C=DE;1

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 4
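As an added example (not part of this thread and not FreeIPA's own tooling), a small Python checker that reads ldapsearch LDIF output like the attachment above and reports, for every pkiCA entry under cn=certificates, whether ipaKeyTrust is "trusted" and whether its ipaKeyExtUsage values are missing or outside the well-known EKU OIDs. The embedded LDIF is a constructed, shortened sample, and the set of "known" OIDs is my assumption, not a list FreeIPA defines.

```python
import base64
# Constructed sample shaped like the ldapsearch output above (cert value shortened).
SAMPLE_LDIF = r"""dn: cn=CN\3Dexample Root CA\2CC\3DDE,cn=certificates,cn=ipa,cn=etc,dc=example,dc=de
objectClass: pkiCA
ipaKeyTrust: trusted
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.1
cACertificate;binary:: MIIB

dn: cn=CN\3Droot-CA\2CC\3DDE,cn=certificates,cn=ipa,cn=etc,dc=example,dc=de
objectClass: pkiCA
ipaKeyExtUsage: 1.3.6.1.4.1.3319.6.10.16
"""
# Assumed set of expected EKU OIDs (RFC 5280 and RFC 4556 pkinit), not a FreeIPA list.
KNOWN_EKUS = {'1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2',  # serverAuth, clientAuth
              '1.3.6.1.5.5.7.3.3', '1.3.6.1.5.5.7.3.4',  # codeSigning, emailProtection
              '1.3.6.1.5.2.3.4', '1.3.6.1.5.2.3.5'}      # pkinit client auth, pkinit KDC

def parse_ldif(text):
    """LDIF -> list of {attr: [values]}; names lower-cased, ';binary' dropped."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(' ') and lines:    # folded continuation line
            lines[-1] += raw[1:]
        elif not raw.startswith('#'):        # ldapsearch comments are skipped
            lines.append(raw.rstrip())
    entries = []
    for block in '\n'.join(lines).strip().split('\n\n'):   # blank line ends an entry
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(':')
            attr = attr.split(';')[0].strip().lower()
            # '::' marks a base64-encoded value (e.g. the DER certificate)
            value = base64.b64decode(value[1:].strip()) if value.startswith(':') else value.strip()
            entry.setdefault(attr, []).append(value)
        entries.append(entry)
    return entries

def audit_ca_entries(entries):
    """Map each pkiCA entry's dn to a list of trust-metadata problems (empty = fine)."""
    findings = {}
    for e in entries:
        if 'pkiCA' not in e.get('objectclass', []):
            continue
        ekus = set(e.get('ipakeyextusage', []))
        problems = ['unexpected ipaKeyExtUsage OID ' + o for o in sorted(ekus - KNOWN_EKUS)]
        if not ekus & KNOWN_EKUS:
            problems.append('no standard ipaKeyExtUsage OID')
        if e.get('ipakeytrust') != ['trusted']:
            problems.append('ipaKeyTrust is not "trusted"')
        findings[e['dn'][0]] = problems
    return findings
```

Run it against the real attachment with `audit_ca_entries(parse_ldif(open('certs.ldif').read()))`; an empty list for an entry means its trust metadata looks like the old root CA's, a non-empty one lists what differs.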
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org