Hi Flo,

On 12/12/17 2:50 PM, Florence Blanc-Renaud via FreeIPA-users wrote:
On 12/10/2017 10:58 AM, Harald Dunkel via FreeIPA-users wrote:
Hi Flo,

On 12/08/17 15:36, Florence Blanc-Renaud via FreeIPA-users wrote:

I would try to remove the new root CA from LDAP and re-import it using 
ipa-cacert-manage install -t C,,
This should create the entry with the appropriate attributes.

Result: The new root CA certificate shows much better attributes in ldap:

dn: cn=CN\3Droot-CA\2COU\3Dexample Certificate Authority\2CO\3Dexample 
cn: CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE
objectClass: ipaCertificate
objectClass: pkiCA
objectClass: ipaKeyPolicy
objectClass: top
ipaCertSubject: CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE
ipaPublicKey:: MIICIjAN...
cACertificate;binary:: MIIGDTCC...
ipaKeyTrust: trusted
ipaCertIssuerSerial: CN=root-CA,OU=example Certificate Authority,O=example 

A lot of ipaKeyExtUsage attributes appear to be missing, though, compared to the
old root CA certificate. Is this expected?

The ipaKeyExtUsage attribute is built from the trust flags provided to 
ipa-cacert-manage install, so it looks normal for me.

My concern is, it looks much more restricted than the old root CA

# certutil -L -d /var/lib/pki/pki-tomcat/ca/alias

Certificate Nickname                                         Trust Attributes

Server-Cert cert-pki-ca                                      u,u,u
subsystemCert cert-pki-ca                                    u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,u
CN=example Root CA,OU=example Certificate Authority,O=example AG,C=DE CT,C,C
CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE  C,,

Shouldn't it be "CT,C,C" as well?

ipa-certupdate needs to be run with a kerberos ticket. Did you run kinit admin 
before launching the command, and is your ticket still valid (klist will 
provide the expiration date)?

Nope, that was the problem. I was just looking for the certificate,
ignoring Kerberos.

ipa-cert-update said

# ipa-certupdate
trying https://ipa1.example.de/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://ipa1.example.de/ipa/json'
trying https://ipa1.example.de/ipa/json
[try 1]: Forwarding 'ca_is_enabled' to json server 
[try 1]: Forwarding 'ca_find/1' to json server 
Systemwide CA database updated.
Systemwide CA database updated.
The ipa-certupdate command was successful

dmesg shows that there was a core dump:

[108604.869633] ns-slapd[23051]: segfault at 10 ip 00007fb60841dc30 sp 
00007fb60af56c88 error 4 in libpthread-2.17.so[7fb608414000+17000]

Problem: The certificate in /etc/ipa/ca.crt and /usr/share/ipa/html/\
ca.crt is still old. The files have been touched, but not replaced
by the new certificate.

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to