Hi Flo,

Is there anything I can do to help troubleshoot this issue? Or is there a
bugzilla issue I can watch?

Thanks,
Steve

On Wed, Dec 20, 2017 at 8:32 PM, Steve Dainard <sdain...@spd1.com> wrote:

>
>
> On Wed, Dec 20, 2017 at 12:53 AM, Florence Blanc-Renaud <f...@redhat.com>
> wrote:
>
>> On 12/19/2017 06:59 PM, Steve Dainard via FreeIPA-users wrote:
>>
>>> Hi Flo,
>>>
>>>
>>> On Tue, Dec 19, 2017 at 8:17 AM, Florence Blanc-Renaud <f...@redhat.com> wrote:
>>>
>>>     On 12/18/2017 08:54 PM, Steve Dainard via FreeIPA-users wrote:
>>>
>>>         Hello,
>>>
>>>         Using freeipa 4.5.
>>>
>>>         I've replaced an external root CA that had a very short key, and
>>>         have gone through the process of resigning the ipa
>>> intermediate-CA.
>>>
>>>         I've used ipa-cacert-manage to generate a new csr and have
>>>         signed it with my new external CA. The cert was successfully
>>>         imported.
>>>
>>>         I also ran ipa-certupdate on 2 of 2 ipa servers and I can see
>>>         the new CA listed on both ipa servers with 'certutil -L -d
>>>         /etc/pki/pki-tomcat/alias'
>>>
>>>         When I run 'ipa-getcert resubmit -n Server-Cert -d
>>>         /etc/httpd/alias' on an ipa server the certificate is
>>>         resubmitted, but it's still being signed by the old ipa
>>>         intermediate-CA.
>>>
>>>     Hi,
>>>
>>>     You changed the external root CA when renewing IPA CA, meaning that
>>>     IPA CA has a new cert chain containing the ext root CA, but IPA CA
>>>     keeps the same subject name "CN=Certificate Authority,O=DOMAIN.COM".
>>>
>>>     The command resubmit asks IPA CA to renew the Server-Cert. So it is
>>>     expected that you see the same "old ipa intermediate CA" as issuer
>>>     of your Server-Cert for HTTPd.
>>>
>>>
>>> To double check I ran through the process of requesting an http cert on
>>> a new server, and indeed the Issuer CN is the same "CN=Certificate
>>> Authority,O=DOMAIN.COM" (which makes sense from your answer). But when I
>>> look at the http cert I just requested, the IPA CA cert 'Issued CN' field
>>> is the old external CA.
>>>
>> Hi,
>>
>> which command are you running to check the IPA CA cert issuer?
>>
>
> I hadn't trusted the new external root CA on my client browser so I
> expected a trust exception which I didn't encounter, so I just looked at
> the cert in the browser and noticed the ipa CA issuer CN was the old
> external ca.
>
>
>>
>> Flo
>>
>>> To get my client cert I followed the process here:
>>> https://www.freeipa.org/page/PKI#Automated_certificate_requests_with_Certmonger.
>>> One of the first steps is to pull the IPA CAs into the nssdb. I have 4
>>> certs in that file now which builds the chain for old ext CA/old IPA CA,
>>> new ext CA/new IPA CA. I don't think this has any impact on the cert
>>> request process but it does show that both chains are in IPA.
>>>
>>>
>>>
>>>         I also see in the web ui under Authentication -> Certificates ->
>>>         Certificate Authorities that only one ca named 'ipa' exists, and
>>>         I can see the Issuer DN is still the old root CA.
>>>
>>>
>>>     This is a bug tracked in issue 7316: The Issuer DN field in IPA is
>>>     not updating properly [1]. The webui and the command ipa ca-show ipa
>>>     read the issuer name from an LDAP entry that is not updated. But if
>>>     you look at the content of the certificate, you will be able to
>>>     check that the issuer is indeed the new external root CA.
>>>
>>>
>>>         How can I invalidate the old intermediate-CA so the new
>>>         intermediate-CA is used to sign certs going forwards?
>>>
>>>
>>>         Thanks,
>>>         Steve
>>>
>>>
>>>         _______________________________________________
>>>         FreeIPA-users mailing list --
>>>         freeipa-users@lists.fedorahosted.org
>>>         <mailto:freeipa-users@lists.fedorahosted.org>
>>>         To unsubscribe send an email to
>>>         freeipa-users-le...@lists.fedorahosted.org
>>>         <mailto:freeipa-users-le...@lists.fedorahosted.org>
>>>
>>>
>>>     HTH,
>>>     Flo
>>>
>>>     [1] https://pagure.io/freeipa/issue/7316
>>>
>>>
>>>
>>>
>>>
>>>
>>
>
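Flo's advice in the thread is to read the issuer out of the IPA CA certificate itself, because the web UI and `ipa ca-show` report a stale LDAP value (issue 7316). The script below is an added example, not code from the thread or from the FreeIPA project. It assumes the CA certificate has already been exported to PEM, for instance with `certutil -L -d /etc/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca' -a > ipa-ca.pem` (that nickname is the usual Dogtag one and is an assumption here), and it only needs `openssl`. It prints the subject and issuer of every certificate in a PEM bundle, which is what you want for a nssdb export holding both the old and the new chain, and it checks cryptographically that a CA certificate really chains to the root you expect rather than just comparing DN strings, which stay identical across the renewal.

```shell
#!/bin/sh
# Added example (not from the FreeIPA thread): inspect the real issuer of a
# CA certificate instead of trusting the LDAP-backed 'ipa ca-show' output.
set -eu

# Subject DN of a PEM certificate, in RFC 2253 form (works on OpenSSL 1.0-3.x).
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Issuer DN of a PEM certificate, in RFC 2253 form.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'
}

# Return 0 if certificate $1 was actually signed by the root in $2.
# A DN string match is not enough here: the old and new IPA CA certificates
# share the subject "CN=Certificate Authority,O=DOMAIN.COM", so only the
# signature tells you which external root a given copy chains to.
issued_by() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Print "subject <- issuer" for every certificate in a PEM bundle, e.g. an
# nssdb export that still carries both the old and the new chain.
bundle_summary() {
    dir=$(mktemp -d)
    # Split the bundle into one file per certificate (1.pem, 2.pem, ...).
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n > 0 { print > (d "/" n ".pem") }' "$1"
    for f in "$dir"/*.pem; do
        printf '%s <- %s\n' "$(cert_subject "$f")" "$(cert_issuer "$f")"
    done
    rm -rf "$dir"
}

# Usage: ./ca-issuer-check.sh ipa-ca.pem [new-root.pem]
# With one argument, summarise the bundle; with two, also confirm the
# first certificate chains to the root given as the second argument.
if [ "$#" -gt 0 ]; then
    bundle_summary "$1"
    if [ "$#" -gt 1 ]; then
        if issued_by "$1" "$2"; then
            echo "OK: $1 chains to $(cert_subject "$2")"
        else
            echo "MISMATCH: $1 does not chain to $(cert_subject "$2")" >&2
            exit 1
        fi
    fi
fi
```

Run it against the exported IPA CA certificate and the new external root: a `MISMATCH` means the copy you exported is still the one signed by the old root, whatever the UI says, while `OK` confirms the renewal took effect on that server.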