On Wed, Dec 20, 2017 at 12:53 AM, Florence Blanc-Renaud <f...@redhat.com> wrote:
> On 12/19/2017 06:59 PM, Steve Dainard via FreeIPA-users wrote:
>> Hi Flo,
>>
>> On Tue, Dec 19, 2017 at 8:17 AM, Florence Blanc-Renaud <f...@redhat.com> wrote:
>>> On 12/18/2017 08:54 PM, Steve Dainard via FreeIPA-users wrote:
>>>> Hello,
>>>>
>>>> Using freeipa 4.5.
>>>>
>>>> I've replaced an external root CA that had a very short key, and have gone through the process of resigning the ipa intermediate-CA.
>>>>
>>>> I've used ipa-cacert-manage to generate a new csr and have signed it with my new external CA. The cert was successfully imported.
>>>>
>>>> I also ran ipa-certupdate on 2 of 2 ipa servers and I can see the new CA listed on both ipa servers with 'certutil -L -d /etc/pki/pki-tomcat/alias'
>>>>
>>>> When I run 'ipa-getcert resubmit -n Server-Cert -d /etc/httpd/alias' on an ipa server the certificate is resubmitted, but it's still being signed by the old ipa intermediate-CA.
>>>
>>> Hi,
>>>
>>> you changed the external root CA when renewing IPA CA, meaning that IPA CA has a new cert chain containing the ext root CA, but IPA CA keeps the same subject name "CN=Certificate Authority,O=DOMAIN.COM".
>>>
>>> The command resubmit asks IPA CA to renew the Server-Cert. So it is expected that you see the same "old ipa intermediate CA" as issuer of your Server-Cert for HTTPd.
>>
>> To double check I ran through the process of requesting an http cert on a new server, and indeed the Issuer CN is the same "CN=Certificate Authority,O=DOMAIN.COM" (which makes sense from your answer). But when I look at the http cert I just requested, the IPA CA cert 'Issued CN' field is the old external CA.
>
> Hi,
>
> which command are you running to check the IPA CA cert issuer?

I hadn't trusted the new external root CA on my client browser so I expected a trust exception which I didn't encounter, so I just looked at the cert in the browser and noticed the ipa CA issuer CN was the old external ca.

> Flo
>
>> To get my client cert I followed the process here: https://www.freeipa.org/page/PKI#Automated_certificate_requests_with_Certmonger. One of the first steps is to pull the ipa CAs into the nssdb. I have 4 certs in that file now which builds the chain for old ext ca/old ipa ca, new ext ca/new ipa ca. I don't think this has any impact on the cert request process but it does show that both chains are in ipa.
>>
>>>> I also see in the web ui under Authentication -> Certificates -> Certificate Authorities that only one ca named 'ipa' exists, and I can see the Issuer DN is still the old root CA.
>>>
>>> This is a bug tracked in issue 7316: The Issuer DN field in IPA is not updating properly [1]. The webui and the command ipa ca-show ipa read the issuer name from an LDAP entry that is not updated. But if you look at the content of the certificate, you will be able to check that the issuer is indeed the new external root CA.
>>>
>>>> How can I invalidate the old intermediate-CA so the new intermediate-CA is used to sign certs going forwards?
>>>>
>>>> Thanks,
>>>> Steve
>>>>
>>>> _______________________________________________
>>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>>>
>>> HTH,
>>> Flo
>>>
>>> [1] https://pagure.io/freeipa/issue/7316