Thank you so much for your support. Your comments set me on the right
track, namely that the problem wasn't on the IPA
side but on the Windows side. The name of the template is 'SubCA' and with
the following command, I was able to get the
CSR signed:
certreq -submit -attrib CertificateTemplate:SubCA

I could then get the cert installed into the IPA using:
sudo ipa-cacert-manage renew --external-cert-file=./ipa.cer
--external-cert-file=./Root-CA.cer

The main problem here is that the CA certificate expired before I
renewed it. That's intentional, as I want to try out the steps
needed to remedy a situation like that, as well as what to do when you renew
the cert before it expires.

Although it looks like the renewed cert has been installed, I'm still not
able to log in using the GUI:

[jdoe@lab002 ~]$ ipa find user
ipa: ERROR: cannot connect to 'https://lab002.labnet.org/ipa/json': [SSL:
CERTIFICATE_VERIFY_FAILED
] certificate verify failed: certificate has expired (_ssl.c:1129)
[jdoe@lab002 ~]$

I tried running the following; it was successful, but the problem still
persists:
[jdoe@lab002 ~]$ sudo ipa-cert-fix
The ipa-cert-fix command was successful
[jdoe@lab002 ~]$
[jdoe@lab002 ~]$ sudo ipa-getcert list|egrep "status|subject|expires|stuck"
       status: CA_UNREACHABLE
       stuck: no
       subject: CN=lab002.labnet.org,O=IPA.LABNET.ORG
       expires: 2023-10-20 08:12:29 CEST
       status: CA_UNREACHABLE
       stuck: no
       subject: CN=lab002.labnet.org,O=IPA.LABNET.ORG
       expires: 2023-10-20 08:12:29 CEST
       status: CA_UNREACHABLE
       stuck: no
       subject: CN=lab002.labnet.org,O=IPA.LABNET.ORG
       expires: 2023-10-20 08:12:29 CEST
[jdoe@lab002 ~]$

What am I missing or doing wrong?


On Mon, 4 Sep 2023 at 08:27, Alexander Bokovoy <aboko...@redhat.com> wrote:

> On Sun, 03 Sep 2023, John Doe via FreeIPA-users wrote:
> >I'm currently trying to evaluate whether we can use IPA server to help manage
> our fleet of Linux clients.
> >When installing the IPA server I used the following commands:
> >sudo ipa-server-install --external-ca --external-ca-type=ms-cs
> >sudo ipa-server-install --external-cert-file=/home/$USER/ipa.cer
> --external-cert-file=/home/$USER/certnew.cer
> >
> >Now when the CA certificate in Windows expired, I used Certificate
> Authority Manager to renew the CA certificate.
> >I'm now struggling to figure out how to renew the IPA certificate.
> This is what I've tried:
> >sudo ipa-cacert-manage --external-ca --external-ca-type ms-cs renew
> >
> >On the Windows server I'm forced to use the certreq command in CLI as the
> GUI Manager only complains of the CSR being the wrong type.
> >And I'm only having success using the WebServer template. No other
> templates work. And I'm assuming the SubordinateCertificationAuthority
> template is the one
> >that should be used?
> >certreq -submit -attrib CertificateTemplate:WebServer
>
> You want to deploy a CA, not a web server, so you should be using the
> right subCA template.
>
> Section 7.1 of RHEL IdM documentation for installing IdM tells about it:
>
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/assembly_installing-an-ipa-server-without-dns-with-external-ca_installing-identity-management
>
> -------
> In certain scenarios, the Active Directory (AD) administrator can use
> the Subordinate Certification Authority (SCA) template, which is a
> built-in template in AD CS, to create a unique template to better suit
> the needs of the organization. The new template can, for example, have a
> customized validity period and customized extensions. The associated
> Object Identifier (OID) can be found in the AD Certificates Template
> console.
>
> If the AD administrator has disabled the original, built-in template,
> you must specify the OID or name of the new template when requesting a
> certificate for your IdM CA. Ask your AD administrator to provide you
> with the name or OID of the new template.
>
> If the original SCA AD CS template is still enabled, you can use it by
> specifying --external-ca-type=ms-cs without additionally using the
> --external-ca-profile option. In this case, the subCA external CA
> profile is used, which is the default IdM template corresponding to the
> SCA AD CS template.
> -------
>
> So most likely your SCA AD CS template got disabled by the admin?
>
>
> >
> >Back on the IPA server, I try installing the signed certificate;
> >sudo ipa-cacert-manage renew --external-cert-file=./ipa.cer
> --external-cert-file=./Root-CA.cer
> >
> >But this only complains about the cert missing some basic constraints.
> >Comparing the CSR generated during the install of the IPA server and the
> CSR generated with the ipa-cacert-manage renew command,
> >I see that they differ in that the renew CSR is missing the .S.u.b.C.A
> >
> >Does anyone have any insights into what's missing in the procedure?
>
> Check the configuration of your AD CS setup; maybe the built-in template for
> subCA is disabled and not available anymore.
>
>
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
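The failure reported in this thread is an expired certificate somewhere in the chain the IPA client verifies, not a chain that cannot be built. Below is an added example that is not part of the thread and not FreeIPA's own tooling: a bash script around openssl that splits a PEM bundle such as /etc/ipa/ca.crt into its certificates, reports each one's expiry state, and tells "chain builds but a certificate in it has expired" (the CERTIFICATE_VERIFY_FAILED: certificate has expired case above) apart from "no chain can be built from this bundle". The root CA and the one-day leaf it creates are a constructed sample (O=EXAMPLE.TEST, CN=ipa.example.test) so the script runs offline; the 30-day look-ahead via openssl verify -attime is an assumption used only to reach the expired path without waiting.

```shell
#!/usr/bin/env bash
# Added example, not from the thread or from FreeIPA: chain and expiry
# diagnostics with openssl. Works on any PEM bundle; the PKI built by
# make_demo_pki is a constructed sample for offline use.

# split_pem_chain FILE OUTDIR: write each certificate in FILE to
# OUTDIR/cert-NN.pem and print how many were found (0 if none).
split_pem_chain() {
  local file=$1 outdir=$2
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n) }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
    END                           { print n + 0 }' "$file"
}

# cert_expiry_state CERT [WINDOW_SECONDS]: print "expired", "expiring"
# (notAfter falls inside the window) or "ok". openssl x509 -checkend N exits
# non-zero when the certificate expires within N seconds.
cert_expiry_state() {
  local cert=$1 window=${2:-0}
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
    echo expired
  elif ! openssl x509 -in "$cert" -noout -checkend "$window" >/dev/null 2>&1; then
    echo expiring
  else
    echo ok
  fi
}

# report_chain FILE [WINDOW_SECONDS]: one tab-separated line per certificate:
# index, state, notAfter, subject, issuer.
report_chain() {
  local file=$1 window=${2:-0} dir n cert
  dir=$(mktemp -d)
  n=$(split_pem_chain "$file" "$dir")
  if [ "$n" -eq 0 ]; then rm -rf "$dir"; echo "no certificates in $file" >&2; return 1; fi
  for cert in "$dir"/cert-*.pem; do
    printf '%s\t%s\t%s\t%s\t%s\n' \
      "$(basename "$cert" .pem)" \
      "$(cert_expiry_state "$cert" "$window")" \
      "$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)" \
      "$(openssl x509 -in "$cert" -noout -subject)" \
      "$(openssl x509 -in "$cert" -noout -issuer)"
  done
  rm -rf "$dir"
}

# verify_leaf LEAF CAFILE [EPOCH]: print "valid", "expired" (a chain builds
# from CAFILE and only the time check fails) or "untrusted" (no chain at all).
# EPOCH, if given, evaluates validity as of that time (openssl verify -attime).
verify_leaf() {
  local leaf=$1 cafile=$2 at=${3:-}
  if [ -n "$at" ]; then
    openssl verify -attime "$at" -CAfile "$cafile" "$leaf" >/dev/null 2>&1 && { echo valid; return 0; }
  else
    openssl verify -CAfile "$cafile" "$leaf" >/dev/null 2>&1 && { echo valid; return 0; }
  fi
  if openssl verify -no_check_time -CAfile "$cafile" "$leaf" >/dev/null 2>&1; then
    echo expired
  else
    echo untrusted
  fi
}

# make_demo_pki DIR: constructed sample, a self-signed root CA (10 years) and a
# one-day service certificate it signs; chain.pem = leaf + root, as a server
# would present it. The short leaf lifetime is an assumption for the demo.
make_demo_pki() {
  local dir=$1
  mkdir -p "$dir"
  cat > "$dir/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
O = EXAMPLE.TEST
CN = Example Root CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ipa.example.test
EOF
  openssl req -x509 -config "$dir/pki.cnf" -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$dir/root.key" -out "$dir/root.pem" >/dev/null 2>&1
  openssl req -new -config "$dir/pki.cnf" -newkey rsa:2048 -nodes \
    -subj "/O=EXAMPLE.TEST/CN=ipa.example.test" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$dir/leaf.csr" \
    -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
    -extfile "$dir/pki.cnf" -extensions v3_leaf \
    -out "$dir/leaf.pem" >/dev/null 2>&1
  cat "$dir/leaf.pem" "$dir/root.pem" > "$dir/chain.pem"
}

# Run the diagnostics on the constructed sample: the chain report with a
# 10-day warning window, then verification now and as of 30 days from now.
demo() {
  local d
  d=$(mktemp -d)
  make_demo_pki "$d"
  report_chain "$d/chain.pem" $((10 * 86400))
  echo "verify now:        $(verify_leaf "$d/leaf.pem" "$d/root.pem")"
  echo "verify in 30 days: $(verify_leaf "$d/leaf.pem" "$d/root.pem" $(( $(date +%s) + 30 * 86400 )))"
  rm -rf "$d"
}
demo
```

Against a real deployment, run `report_chain /etc/ipa/ca.crt` on the client to see whether the bundle the client trusts still carries the old, expired CA, and save the chain the server presents (`openssl s_client -showcerts -connect lab002.labnet.org:443 </dev/null`) to a file, split it, and pass its first certificate to `verify_leaf` with /etc/ipa/ca.crt as the CA file. A result of "expired" while the service certificate's own notAfter is still in the future points at an expired certificate higher in the chain, which is the distinction the bare "certificate has expired" message does not make.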
