On 12/19/2017 06:59 PM, Steve Dainard via FreeIPA-users wrote:
Hi Flo,


On Tue, Dec 19, 2017 at 8:17 AM, Florence Blanc-Renaud <f...@redhat.com> wrote:

    On 12/18/2017 08:54 PM, Steve Dainard via FreeIPA-users wrote:

        Hello,

        Using freeipa 4.5.

        I've replaced an external root CA that had a very short key, and
        have gone through the process of resigning the ipa intermediate-CA.

        I've used ipa-cacert-manage to generate a new csr and have
        signed it with my new external CA. The cert was successfully
        imported.

        I also ran ipa-certupdate on 2 of 2 ipa servers and I can see
        the new CA listed on both ipa servers with 'certutil -L -d
        /etc/pki/pki-tomcat/alias'

        When I run 'ipa-getcert resubmit -n Server-Cert -d
        /etc/httpd/alias' on an ipa server the certificate is
        resubmitted, but its still being signed by the old ipa
        intermediate-CA.

    Hi,

    you changed the external root CA when renewing IPA CA, meaning that
    IPA CA has a new cert chain containing the ext root CA, but IPA CA
    keeps the same subject name "CN=Certificate Authority,O=DOMAIN.COM".

    The command resubmit asks IPA CA to renew the Server-Cert. So it is
    expected that you see the same "old ipa intermediate CA" as issuer
    of your Server-Cert for HTTPd.


To double check I ran through the process of requesting an http cert on a new server, and indeed the Issuer CN is the same "CN=Certificate Authority,O=DOMAIN.COM" (which makes sense from your answer). But when I look at the http cert I just requested, the IPA CA cert 'Issued CN' field is the old external CA.

Hi,

which command are you running to check the IPA CA cert issuer?

Flo

To get my client cert I followed the process here: https://www.freeipa.org/page/PKI#Automated_certificate_requests_with_Certmonger. One of the first steps is to pull the IPA CAs into the nssdb. I have 4 certs in that file now, which build the chains for old ext CA/old IPA CA and new ext CA/new IPA CA. I don't think this has any impact on the cert request process, but it does show that both chains are in IPA.



        I also see in the web ui under Authentication -> Certificates ->
        Certificate Authorities that only one ca named 'ipa' exists, and
        I can see the Issuer DN is still the old root CA.


    This is a bug tracked in issue 7316: The Issuer DN field in IPA is
    not updating properly [1]. The webui and the command ipa ca-show ipa
    read the issuer name from an LDAP entry that is not updated. But if
    you look at the content of the certificate, you will be able to
    check that the issuer is indeed the new external root CA.


        How can I invalidate the old intermediate-CA so the new
        intermediate-CA is used to sign certs going forwards?


        Thanks,
        Steve


        _______________________________________________
        FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
        To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


    HTH,
    Flo

    [1] https://pagure.io/freeipa/issue/7316
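Added example, not code from the thread or from the FreeIPA project, that illustrates the point made above about the subject name staying the same after the re-signing. It builds a constructed two-tier PKI with openssl: one sub-CA key and subject, "CN=Certificate Authority,O=EXAMPLE.TEST", signed first by an old external root and then re-signed by a new one, plus a server cert issued by that sub-CA. It shows that the sub-CA subject and the server cert's issuer DN are identical before and after the re-signing, that only the sub-CA cert's own issuer DN and fingerprint change, and that a cryptographic check (openssl verify) rather than a DN string comparison tells which root a given CA cert chains to. It assumes openssl 1.1.1 or later on PATH; EXAMPLE.TEST, the file names and the DNs are constructed. On a real IPA server the CA certs would first be exported to PEM from the NSS database, for example with certutil -L -d /etc/pki/pki-tomcat/alias -n <nickname> -a, where <nickname> is taken from the certutil -L listing.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes openssl >= 1.1.1 on PATH.
# Builds a constructed two-tier PKI: a sub-CA key/subject that is signed by an
# "old" external root and then re-signed by a "new" one, plus a server cert issued
# by that sub-CA. The helpers below are what you would run on exported PEM files.
set -e

# Issuer DN of a PEM cert in RFC 2253 form (the CN=...,O=... style IPA shows).
cert_issuer() { openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'; }

# Subject DN of a PEM cert, same form.
cert_subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }

# SHA-256 fingerprint: the reliable way to tell apart two CA certs with the same subject.
cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*Fingerprint=//'; }

# Exit 0 only if CA cert $2 cryptographically verifies cert $1 (DN matching is not enough).
issued_by() { openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1; }

# Build the constructed PKI under directory $1 (all names/DNs are made up for the demo).
build_demo_pki() {
    d=$1
    # extensions that make a signed cert acceptable as a CA to 'openssl verify'
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > "$d/ca.ext"
    # two self-signed external roots, "old" and "new"
    for r in old new; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$d/root-$r.key" \
            -out "$d/root-$r.pem" -subj "/O=EXAMPLE.TEST/CN=$r external root" 2>/dev/null
    done
    # one sub-CA key and CSR, signed by each root in turn: same subject, different issuer
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/ipa.key" -out "$d/ipa.csr" \
        -subj "/O=EXAMPLE.TEST/CN=Certificate Authority" 2>/dev/null
    for r in old new; do
        openssl x509 -req -in "$d/ipa.csr" -CA "$d/root-$r.pem" -CAkey "$d/root-$r.key" \
            -CAcreateserial -days 1 -extfile "$d/ca.ext" -out "$d/ipa-$r.pem" 2>/dev/null
    done
    # a server cert issued with the sub-CA key (the "old" sub-CA cert is used as -CA)
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/server.key" -out "$d/server.csr" \
        -subj "/O=EXAMPLE.TEST/CN=ipa.example.test" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/ipa-old.pem" -CAkey "$d/ipa.key" \
        -CAcreateserial -days 1 -out "$d/server.pem" 2>/dev/null
}

# Print what changes between the old and new sub-CA cert, and what the leaf shows.
report() {
    d=$1
    echo "sub-CA subject     (old): $(cert_subject "$d/ipa-old.pem")"
    echo "sub-CA subject     (new): $(cert_subject "$d/ipa-new.pem")"
    echo "sub-CA issuer      (old): $(cert_issuer "$d/ipa-old.pem")"
    echo "sub-CA issuer      (new): $(cert_issuer "$d/ipa-new.pem")"
    echo "sub-CA fingerprint (old): $(cert_fingerprint "$d/ipa-old.pem")"
    echo "sub-CA fingerprint (new): $(cert_fingerprint "$d/ipa-new.pem")"
    echo "server cert issuer      : $(cert_issuer "$d/server.pem")"
    echo "server verifies via old sub-CA cert: $(issued_by "$d/server.pem" "$d/ipa-old.pem" && echo yes || echo no)"
    echo "server verifies via new sub-CA cert: $(issued_by "$d/server.pem" "$d/ipa-new.pem" && echo yes || echo no)"
}

DEMO_DIR=$(mktemp -d)
build_demo_pki "$DEMO_DIR"
report "$DEMO_DIR"
```

Because the sub-CA key did not change, the server cert verifies against both the old and the new sub-CA cert, and its issuer DN is the same either way; the only things that distinguish the two chains are the sub-CA cert's own issuer DN and its fingerprint, which is why checking the leaf alone cannot show which external root is in use.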



