Hi Flo,

On Tue, Dec 19, 2017 at 8:17 AM, Florence Blanc-Renaud <f...@redhat.com>
wrote:

> On 12/18/2017 08:54 PM, Steve Dainard via FreeIPA-users wrote:
>
>> Hello,
>>
>> Using freeipa 4.5.
>>
>> I've replaced an external root CA that had a very short key, and have
>> gone through the process of resigning the ipa intermediate-CA.
>>
>> I've used ipa-cacert-manage to generate a new csr and have signed it with
>> my new external CA. The cert was successfully imported.
>>
>> I also ran ipa-certupdate on 2 of 2 ipa servers and I can see the new CA
>> listed on both ipa servers with 'certutil -L -d /etc/pki/pki-tomcat/alias'
>>
>> When I run 'ipa-getcert resubmit -n Server-Cert -d /etc/httpd/alias' on
>> an ipa server the certificate is resubmitted, but its still being signed by
>> the old ipa intermediate-CA.
>>
>> Hi,
>
> you changed the external root CA when renewing IPA CA, meaning that IPA CA
> has a new cert chain containing the ext root CA, but IPA CA keeps the same
> subject name "CN=Certificate Authority,O=DOMAIN.COM".
>
> The command resubmit asks IPA CA to renew the Server-Cert. So it is
> expected that you see the same "old ipa intermediate CA" as issuer of your
> Server-Cert for HTTPd.


To double check I ran through the process of requesting an http cert on a
new server, and indeed the Issuer CN is the same "CN=Certificate
Authority,O=DOMAIN.COM" (which makes sense from your answer). But when I
look at the http cert I just requested, the IPA CA cert 'Issued CN' field
is the old external CA.

To get my client cert I followed the process here:
https://www.freeipa.org/page/PKI#Automated_certificate_requests_with_Certmonger.
One of the first steps is to pull the ipa ca's into the nssdb. I have 4
certs in that file now which builds the chain for old ext ca/old ipa ca,
new ext ca/new ipa ca. I don't think this has any impact on the cert
request process but it does show that both chains are in ipa.


>


>
> I also see in the web ui under Authentication -> Certificates ->
>> Certificate Authorities that only one ca named 'ipa' exists, and I can see
>> the Issuer DN is still the old root CA.
>>
>
> This is a bug tracked in issue 7316: The Issuer DN field in IPA is not
> updating properly [1]. The webui and the command ipa ca-show ipa read the
> issuer name from an LDAP entry that is not updated. But if you look at the
> content of the certificate, you will be able to check that the issuer is
> indeed the new external root CA.
>
>
>> How can I invalidate the old intermediate-CA so the new intermediate-CA
>> is used to sign certs going forwards?
>>
>>
>> Thanks,
>> Steve
>>
>>
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-le...@lists.fedo
>> rahosted.org
>>
>>
> HTH,
> Flo
>
> [1] https://pagure.io/freeipa/issue/7316
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to