On Sun, 03 Sep 2023, John Doe via FreeIPA-users wrote:
I'm currently trying to evaluate if we may use IPA server to help manage our
park of Linux clients.
When installing the IPA server I used the following commands:
sudo ipa-server-install --external-ca --external-ca-type=ms-cs
sudo ipa-server-install --external-cert-file=/home/$USER/ipa.cer --external-cert-file=/home/$USER/certnew.cer

Now when the CA certificate in Windows expired, I used Certificate Authority
Manager to renew the CA certificate.
I'm now struggling trying to figure out how to renew the IPA certificate. This
is what I've tried:
sudo ipa-cacert-manage --external-ca --external-ca-type ms-cs renew

On the Windows server I'm forced to use the certreq command in the CLI, as the GUI
Manager only complains of the CSR being the wrong type.
And I'm only having success using the WebServer template. No other templates
work. And I'm assuming the SubordinateCertificationAuthority template is the
one that should be used?
certreq -submit -attrib CertificateTemplate:WebServer

You want to deploy a CA, not a web server, so you should be using the
right subCA template.

Section 7.1 of RHEL IdM documentation for installing IdM tells about it:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/assembly_installing-an-ipa-server-without-dns-with-external-ca_installing-identity-management

-------
In certain scenarios, the Active Directory (AD) administrator can use
the Subordinate Certification Authority (SCA) template, which is a
built-in template in AD CS, to create a unique template to better suit
the needs of the organization. The new template can, for example, have a
customized validity period and customized extensions. The associated
Object Identifier (OID) can be found in the AD Certificates Template
console.

If the AD administrator has disabled the original, built-in template,
you must specify the OID or name of the new template when requesting a
certificate for your IdM CA. Ask your AD administrator to provide you
with the name or OID of the new template.

If the original SCA AD CS template is still enabled, you can use it by
specifying --external-ca-type=ms-cs without additionally using the
--external-ca-profile option. In this case, the subCA external CA
profile is used, which is the default IdM template corresponding to the
SCA AD CS template.
-------

So most likely your SCA AD CS template got disabled by the admin?
Back on the IPA server, I try installing the signed certificate:
sudo ipa-cacert-manage renew --external-cert-file=./ipa.cer --external-cert-file=./Root-CA.cer

But this only complains about the cert missing some basic constraints.
Comparing the CSR generated during the install of the IPA server and the CSR
generated with the ipa-cacert-manage renew command,
I see that they differ in that the renew CSR is missing the .S.u.b.C.A

Does anyone have any insights into what's missing in the procedure?

Check the configuration of your AD CS setup; maybe the built-in template for
subCA is disabled and not available anymore.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
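Two checks worth running on the IPA side before the renew step, as an added example that is not from this thread or from FreeIPA's own code: one confirms the renewal CSR carries the Microsoft template-name extension that `--external-ca-type ms-cs` is meant to add (the BMPString that dumps as ".S.u.b.C.A"), the other confirms the certificate AD CS handed back is actually a CA certificate rather than a WebServer one. It assumes openssl is installed; the CSR, certificates and subjects are constructed fixtures, not real AD CS output.

```shell
#!/bin/bash
# Added example (not from the thread or from FreeIPA): pre-flight checks before
# `ipa-cacert-manage renew --external-cert-file=...`. Assumes openssl is present;
# every file name and subject below is constructed for demonstration.
set -u

# CSR side: a CSR built for an ms-cs external CA should carry the Microsoft
# certificate-template-name extension, OID 1.3.6.1.4.1.311.20.2 (a BMPString,
# which is why the template name shows up as ".S.u.b.C.A" in a dump).
# Returns 0 if the extension is present in the CSR file given as $1.
check_csr_template() {
    openssl req -in "$1" -noout -text | grep -q '1\.3\.6\.1\.4\.1\.311\.20\.2'
}

# Cert side: a CA certificate needs basicConstraints CA:TRUE and the keyCertSign
# usage. A cert issued from the AD CS WebServer template has neither, which is
# the "missing basic constraints" failure from the thread. Returns 0 if usable.
check_ca_cert() {
    local text
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    printf '%s\n' "$text" | grep -q 'CA:TRUE' || return 1
    printf '%s\n' "$text" | grep -q 'Certificate Sign'
}

# Constructed fixtures in directory $1: a subCA-style CSR, a CA-style cert and
# a WebServer-style cert, so both checks can be exercised without an AD CS.
make_fixtures() {
    local d=$1
    cat >"$d/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[csr_ext]
basicConstraints = critical,CA:TRUE
1.3.6.1.4.1.311.20.2 = ASN1:BMP:SubCA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[web_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/k.key" -out "$d/ipa.csr" \
        -subj '/CN=Certificate Authority' -config "$d/ext.cnf" -reqexts csr_ext 2>/dev/null
    openssl req -x509 -key "$d/k.key" -out "$d/ipa.cer" -days 1 \
        -subj '/CN=Certificate Authority' -config "$d/ext.cnf" -extensions ca_ext 2>/dev/null
    openssl req -x509 -key "$d/k.key" -out "$d/web.cer" -days 1 \
        -subj '/CN=ipa.example.test' -config "$d/ext.cnf" -extensions web_ext 2>/dev/null
}
```

Run `check_csr_template` against the CSR that `ipa-cacert-manage renew` writes and `check_ca_cert` against the file AD CS returns; a WebServer-template certificate fails the second check exactly as the renew command does.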
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
