On Thu, 23 Nov 2023, KERVELLEC Joseph wrote:
Hello Alexander,

This is the RootCA certificate I use:

Certificate:
   Data:
       Version: 3 (0x2)
       Serial Number:
           0a:[...]
       Signature Algorithm: sha512WithRSAEncryption
       Issuer: C = FR, ST = France, L = [...], O = [...], OU = [...], CN = ROOT-CA, emailAddress = [...]
       Validity
           Not Before: May  7 12:30:59 2023 GMT
           Not After : May  4 12:30:59 2033 GMT
       Subject: C = FR, ST = France, L = [...], O = [...], OU = [...], CN = ROOT-CA, emailAddress = [...]
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
               Public-Key: (4096 bit)
               Modulus:
                   00:[...]
               Exponent: 65537 (0x10001)
       X509v3 extensions:
           X509v3 Subject Key Identifier:
               57:[...]
           X509v3 Authority Key Identifier:
               keyid:57:[...]
               DirName:/C=FR/ST=France/L=[...]/O=[...]/OU=[...]/CN=ROOT-CA/emailAddress=[...]
               serial:0A:[...]
           X509v3 Basic Constraints: critical
               CA:TRUE
           Netscape Cert Type:
               S/MIME CA, Object Signing CA
           X509v3 Issuer Alternative Name:
               <EMPTY>

           Netscape Comment:
               ROOT-CA
           X509v3 Subject Alternative Name:
               email:[...]
           X509v3 Key Usage: critical
               Certificate Sign, CRL Sign

There is a conflict between usages:
we expect
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Certificate Sign, CRL Sign

and no 'Netscape Cert Type' set

your cert has
           X509v3 Key Usage: critical
               Certificate Sign, CRL Sign

and 'Netscape Cert Type' set to 'S/MIME CA, Object Signing CA'.

For a CA to be able to issue certs, 'Netscape Cert Type' must include the
NS_CERT_TYPE_SSL_CA bit. If 'Netscape Cert Type' is missing from the
certificate, the NSS library will use the X509v3 Key Usage extension to
derive the required usages.

Here is a snippet from the NSS code:

-----------------------------------------------------------------------------
/*
 * NS_CERT_TYPE defines are used in two areas:
 * 1) The old NSS Cert Type Extension, which is a certificate extension in the
 * actual cert. It was created before the x509 Extended Key Usage Extension,
 * which has now taken over its function. This field is only 8 bits wide
 * 2) The nsCertType entry in the CERTCertificate structure. This field is
 * 32 bits wide.
 * Any entries in this table greater than 0x80 will not be able to be encoded
 * in an NSS Cert Type Extension, but can still be represented internally in
 * the nsCertType field.
 */
#define NS_CERT_TYPE_IPSEC_CA (0x200)         /* outside the NS Cert Type Extension */
#define NS_CERT_TYPE_IPSEC (0x100)            /* outside the NS Cert Type Extension */
#define NS_CERT_TYPE_SSL_CLIENT (0x80)        /* bit 0 */
#define NS_CERT_TYPE_SSL_SERVER (0x40)        /* bit 1 */
#define NS_CERT_TYPE_EMAIL (0x20)             /* bit 2 */
#define NS_CERT_TYPE_OBJECT_SIGNING (0x10)    /* bit 3 */
#define NS_CERT_TYPE_RESERVED (0x08)          /* bit 4 */
#define NS_CERT_TYPE_SSL_CA (0x04)            /* bit 5 */
#define NS_CERT_TYPE_EMAIL_CA (0x02)          /* bit 6 */
#define NS_CERT_TYPE_OBJECT_SIGNING_CA (0x01) /* bit 7 */

-----------------------------------------------------------------------------

I would suggest you talk to the CA which issued this CA certificate and
ask them to issue a certificate without 'Netscape Cert Type', using only
the X.509 Extended Key Usage extensions for a CA.


   Signature Algorithm: sha512WithRSAEncryption
   Signature Value:
       57:[...]

I hope this can help you.

Best regards,
Joseph KERVELLEC


-----Original Message-----
From: Alexander Bokovoy <[email protected]>
Sent: Wednesday, 22 November 2023 14:42
To: FreeIPA users list <[email protected]>
Cc: BRULE Yann <[email protected]>; DUCOT Vincent <[email protected]>; KERVELLEC Joseph <[email protected]>
Subject: Re: [Freeipa-users] Install FreeIPA with own CA and SUBCA

On Wed, 22 Nov 2023, KERVELLEC Joseph via FreeIPA-users wrote:
Hello,

I am trying to install FreeIPA with my own CA and certutil rejects my
RootCA (Certificate type not approved for application).

The issue is when certutil verifies the RootCA with the certusage SSL
CA (option -u L). My rootCA does not include sslCA in nsscertype.

There is a way to install FreeIPA and change the certutil verification
(option -u to A instead of L) ?

I have tried multiple installs:
- FreeIPA with all certificates (httpd, dirsrv, kerberos): rejected with
  'Certificate type not approved for application'
- FreeIPA with external-ca and the subject updated: rejected because of the
  emailAddress object
- FreeIPA with no certificate options, then adding my ROOTCA with
  ipa-ca-install: rejected with 'Certificate type not approved for
  application'

Can you please provide an output from 'openssl x509 -text' command for your CA certificate?

Something like the output below:

# openssl x509 -text -in /etc/ipa/ca.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = IPA1.TEST, CN = Certificate Authority
        Validity
            Not Before: Nov 17 09:41:07 2023 GMT
            Not After : Nov 17 09:41:07 2043 GMT
        Subject: O = IPA1.TEST, CN = Certificate Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (3072 bit)
                Modulus:
                    00:b6:c4:e0:7c:9d:98:ea:84:ec:b0:80:a8:91:d5:
                    b6:81:7a:e7:da:b2:04:a2:93:32:bf:78:56:9a:46:
                    17:7e:26:4f:f1:64:81:87:c0:32:1b:82:2d:4b:db:
                    d7:df:72:9f:79:6f:d7:49:1c:19:67:ba:c5:2b:de:
                    e0:b9:30:24:2b:32:5d:10:7e:a5:1f:d1:4d:5e:c2:
                    20:42:02:65:b9:df:bc:6a:24:98:70:1c:13:2b:1e:
                    61:0c:a0:46:28:b2:c9:f9:71:f1:c3:b3:cb:58:44:
                    ef:dd:5f:42:48:b1:df:6b:0b:4c:ef:c6:5e:c4:61:
                    1f:23:de:17:f5:4e:f4:44:b9:05:4f:32:cf:8d:f8:
                    23:be:23:37:7c:ba:5a:63:14:30:84:aa:eb:3c:98:
                    6f:76:56:55:c9:70:c6:8b:8f:76:f4:f0:ba:a8:3c:
                    0e:ad:10:f0:a0:3a:dd:ae:fd:39:e2:88:0d:d8:62:
                    ca:b9:04:37:dd:80:c7:56:f0:86:32:9c:ba:4b:2e:
                    d0:58:85:4d:17:56:5f:18:30:a1:45:60:5a:cd:a3:
                    4c:5d:bf:df:74:6b:28:7a:f2:f1:c5:3d:0a:92:1b:
                    a5:10:cb:5b:c0:37:e5:68:3f:7b:92:a9:43:98:3f:
                    73:27:ad:92:75:00:2f:b9:0f:38:4a:e3:ce:2e:a3:
                    ad:17:74:5c:6a:91:1a:16:4c:35:95:08:21:e4:41:
                    fb:c1:b3:f9:1f:fe:4f:ff:77:d9:af:43:34:7c:fb:
                    8c:20:8e:c9:46:8e:b7:13:1f:11:da:d5:b3:6a:75:
                    0b:ce:9d:17:0a:f2:15:e8:1d:f9:97:cb:98:2d:5a:
                    d4:62:6b:6e:3d:2f:2d:44:89:f7:12:56:31:4e:54:
                    d3:59:79:c4:e3:00:2a:e6:97:cb:57:f3:ba:34:7c:
                    65:67:5c:f6:1d:db:94:f8:56:13:e2:f6:be:5e:3f:
                    32:b5:56:3e:1f:79:4a:eb:0e:61:4f:fe:04:e5:3b:
                    5e:32:56:47:1e:2e:b2:b3:1b:3b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                33:6B:18:3D:65:BC:54:CF:3D:C0:25:21:FF:B9:BD:A3:17:FB:DE:BF
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier:
                33:6B:18:3D:65:BC:54:CF:3D:C0:25:21:FF:B9:BD:A3:17:FB:DE:BF
            Authority Information Access:
                OCSP - URI:http://ipa-ca.ipa1.test/ca/ocsp
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        4f:2b:db:0e:7c:0c:e8:fd:68:3d:5d:f2:bc:5b:f2:68:56:ae:
        8d:38:88:a6:cc:c6:24:ff:c3:68:26:41:4c:cc:c8:b6:c9:40:
        83:56:d1:71:9f:9c:95:3c:ae:95:23:e9:0f:72:e7:51:a7:b5:
        03:22:1a:56:04:ca:ab:2b:72:bc:0d:40:bf:0e:11:c7:49:05:
        f0:82:60:dd:4b:80:e9:f8:2c:5e:d5:98:c7:71:d1:48:6c:c8:
        3a:da:78:85:4a:49:43:26:95:53:18:43:28:28:fa:26:05:e8:
        9a:cc:f1:04:fa:60:7b:59:7f:f3:3f:d3:35:03:7c:f5:c0:d8:
        89:ba:9d:ea:11:0d:08:48:95:1d:c8:25:2a:ae:dc:91:6e:a9:
        d3:e8:77:dd:ce:14:42:d7:85:9b:dc:26:b7:0a:04:ca:de:db:
        4a:29:5c:10:8f:10:1d:7a:ed:cd:e7:7f:9c:2b:62:2b:58:f4:
        99:40:b4:3c:58:6f:4e:38:b0:79:59:9d:aa:b6:c8:d6:ea:73:
        f7:c2:6e:d5:63:09:53:3b:f3:1e:68:44:4b:52:58:00:46:66:
        2f:54:a1:20:dd:84:5b:fc:d9:7c:49:01:f3:43:a0:69:de:19:
        1b:b1:1d:ae:14:67:b3:06:b3:f7:5f:b1:4a:f5:b4:f5:49:f5:
        7c:08:80:42:0c:9d:c4:01:c2:68:89:c2:ee:64:35:6e:21:5a:
        c6:5a:7a:c9:f3:44:cb:66:2a:ca:80:a3:7d:75:71:2b:85:ab:
        71:d1:01:73:24:d4:f3:ce:85:34:e8:e2:60:78:53:8b:0d:5a:
        47:85:83:1b:25:de:7f:75:75:c5:d6:27:15:1d:a8:2c:c0:34:
        ea:74:d4:9b:d5:06:d1:f5:59:35:10:ad:e1:b7:74:07:35:23:
        82:f5:ac:81:7c:a9:27:6e:c0:58:42:70:94:b6:b4:c5:c8:fa:
        88:87:ca:e3:5a:11:15:0c:2f:a9:81:53:d4:93:d0:39:d5:da:
        26:4e:14:4b:26:68
-----BEGIN CERTIFICATE-----
MIIEhTCCAu2gAwIBAgIBATANBgkqhkiG9w0BAQsFADA0MRIwEAYDVQQKDAlJUEEx
LlRFU1QxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0yMzExMTcw
OTQxMDdaFw00MzExMTcwOTQxMDdaMDQxEjAQBgNVBAoMCUlQQTEuVEVTVDEeMBwG
A1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MIIBojANBgkqhkiG9w0BAQEFAAOC
AY8AMIIBigKCAYEAtsTgfJ2Y6oTssICokdW2gXrn2rIEopMyv3hWmkYXfiZP8WSB
h8AyG4ItS9vX33KfeW/XSRwZZ7rFK97guTAkKzJdEH6lH9FNXsIgQgJlud+8aiSY
cBwTKx5hDKBGKLLJ+XHxw7PLWETv3V9CSLHfawtM78ZexGEfI94X9U70RLkFTzLP
jfgjviM3fLpaYxQwhKrrPJhvdlZVyXDGi4929PC6qDwOrRDwoDrdrv054ogN2GLK
uQQ33YDHVvCGMpy6Sy7QWIVNF1ZfGDChRWBazaNMXb/fdGsoevLxxT0KkhulEMtb
wDflaD97kqlDmD9zJ62SdQAvuQ84SuPOLqOtF3RcapEaFkw1lQgh5EH7wbP5H/5P
/3fZr0M0fPuMII7JRo63Ex8R2tWzanULzp0XCvIV6B35l8uYLVrUYmtuPS8tRIn3
ElYxTlTTWXnE4wAq5pfLV/O6NHxlZ1z2HduU+FYT4va+Xj8ytVY+H3lK6w5hT/4E
5TteMlZHHi6ysxs7AgMBAAGjgaEwgZ4wHwYDVR0jBBgwFoAUM2sYPWW8VM89wCUh
/7m9oxf73r8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAcYwHQYDVR0O
BBYEFDNrGD1lvFTPPcAlIf+5vaMX+96/MDsGCCsGAQUFBwEBBC8wLTArBggrBgEF
BQcwAYYfaHR0cDovL2lwYS1jYS5pcGExLnRlc3QvY2Evb2NzcDANBgkqhkiG9w0B
AQsFAAOCAYEATyvbDnwM6P1oPV3yvFvyaFaujTiIpszGJP/DaCZBTMzItslAg1bR
cZ+clTyulSPpD3LnUae1AyIaVgTKqytyvA1Avw4Rx0kF8IJg3UuA6fgsXtWYx3HR
SGzIOtp4hUpJQyaVUxhDKCj6JgXomszxBPpge1l/8z/TNQN89cDYibqd6hENCEiV
HcglKq7ckW6p0+h33c4UQteFm9wmtwoEyt7bSilcEI8QHXrtzed/nCtiK1j0mUC0
PFhvTjiweVmdqrbI1upz98Ju1WMJUzvzHmhES1JYAEZmL1ShIN2EW/zZfEkB80Og
ad4ZG7EdrhRnswaz91+xSvW09Un1fAiAQgydxAHCaInC7mQ1biFaxlp6yfNEy2Yq
yoCjfXVxK4WrcdEBcyTU886FNOjiYHhTiw1aR4WDGyXef3V1xdYnFR2oLMA06nTU
m9UG0fVZNRCt4bd0BzUjgvWsgXypJ27AWEJwlLa0xcj6iIfK41oRFQwvqYFT1JPQ
OdXaJk4USyZo
-----END CERTIFICATE-----


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
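The check a practitioner would want before filing a ticket with the issuing CA: decode the Netscape Cert Type and Key Usage bits of a CA certificate and predict whether NSS (what certutil -V -u L does) will accept it as an SSL CA. This is an added example for this thread, not code from FreeIPA, NSS or either poster. It parses DER by hand so it runs with no third-party modules, and it models the decision rule exactly as Alexander states it above (a present nsCertType extension is authoritative; without one, a CA:TRUE certificate with Certificate Sign gets every CA usage); it is a model of NSS behaviour, not NSS source. The real input is the FreeIPA CA certificate pasted in the thread. Joseph's ROOT-CA is not available as DER, so its values (nsCertType 0x03, Key Usage 0x06, CA:TRUE) are constructed from the openssl text he posted.

```python
import base64

# Extension OIDs in their raw DER encoding, so no OID decoder is needed.
OID_NS_CERT_TYPE = bytes.fromhex("6086480186f8420101")   # 2.16.840.1.113730.1.1 (Netscape Cert Type)
OID_KEY_USAGE = bytes.fromhex("551d0f")                  # 2.5.29.15
OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")          # 2.5.29.19
KEY_CERT_SIGN = 0x04                                     # Key Usage "Certificate Sign" (bit 5)
# nsCertType first-byte masks, the same values as the NS_CERT_TYPE_* defines
# quoted above ("bit 0" in those comments is the most significant bit).
NS_CERT_TYPE_BITS = {0x80: "SSL Client", 0x40: "SSL Server", 0x20: "S/MIME",
                     0x10: "Object Signing", 0x08: "Reserved", 0x04: "SSL CA",
                     0x02: "S/MIME CA", 0x01: "Object Signing CA"}

def read_tlv(buf, pos=0):
    """Minimal DER reader for single-byte tags: returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """(tag, value) pairs of the elements inside a SEQUENCE body."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def bit_flags(ext_value_der):
    """First data byte of a DER BIT STRING; byte 0 of its body is the unused-bit count."""
    body = read_tlv(ext_value_der)[1]
    return body[1] if len(body) > 1 else 0

def extensions(cert_der):
    """Raw OID bytes -> extnValue DER for every extension of an X.509v3 certificate."""
    tbs = read_tlv(read_tlv(cert_der)[1])[1]           # Certificate -> tbsCertificate
    exts = {}
    for tag, val in children(tbs):
        if tag == 0xA3:                                  # [3] EXPLICIT Extensions
            for _, ext in children(read_tlv(val)[1]):
                fields = children(ext)                   # extnID, [critical BOOLEAN], extnValue
                exts[fields[0][1]] = fields[-1][1]
    return exts

def derive_nss_usages(ns_cert_type, is_ca, key_usage):
    """Usages granted under the rule stated in the thread: a present nsCertType
    extension is authoritative; without one, a CA:TRUE certificate that may sign
    certificates gets every CA usage. A model of NSS behaviour, not NSS source."""
    if ns_cert_type is not None:
        return {name for bit, name in NS_CERT_TYPE_BITS.items() if ns_cert_type & bit}
    if is_ca and key_usage & KEY_CERT_SIGN:
        return {"SSL CA", "S/MIME CA", "Object Signing CA"}
    return set()

def inspect(cert_pem):
    """Return (nsCertType mask or None, Key Usage mask, is_ca, granted usages)."""
    b64 = "".join(l for l in cert_pem.splitlines() if not l.startswith("-----"))
    exts = extensions(base64.b64decode(b64))
    ns = bit_flags(exts[OID_NS_CERT_TYPE]) if OID_NS_CERT_TYPE in exts else None
    ku = bit_flags(exts[OID_KEY_USAGE]) if OID_KEY_USAGE in exts else 0
    # Basic Constraints is SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint OPTIONAL }
    bc = children(read_tlv(exts[OID_BASIC_CONSTRAINTS])[1]) if OID_BASIC_CONSTRAINTS in exts else []
    is_ca = any(tag == 0x01 and val != b"\x00" for tag, val in bc)
    return ns, ku, is_ca, derive_nss_usages(ns, is_ca, ku)

# Real input: the FreeIPA CA certificate Alexander pasted above.
FREEIPA_CA_PEM = """-----BEGIN CERTIFICATE-----
MIIEhTCCAu2gAwIBAgIBATANBgkqhkiG9w0BAQsFADA0MRIwEAYDVQQKDAlJUEEx
LlRFU1QxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0yMzExMTcw
OTQxMDdaFw00MzExMTcwOTQxMDdaMDQxEjAQBgNVBAoMCUlQQTEuVEVTVDEeMBwG
A1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MIIBojANBgkqhkiG9w0BAQEFAAOC
AY8AMIIBigKCAYEAtsTgfJ2Y6oTssICokdW2gXrn2rIEopMyv3hWmkYXfiZP8WSB
h8AyG4ItS9vX33KfeW/XSRwZZ7rFK97guTAkKzJdEH6lH9FNXsIgQgJlud+8aiSY
cBwTKx5hDKBGKLLJ+XHxw7PLWETv3V9CSLHfawtM78ZexGEfI94X9U70RLkFTzLP
jfgjviM3fLpaYxQwhKrrPJhvdlZVyXDGi4929PC6qDwOrRDwoDrdrv054ogN2GLK
uQQ33YDHVvCGMpy6Sy7QWIVNF1ZfGDChRWBazaNMXb/fdGsoevLxxT0KkhulEMtb
wDflaD97kqlDmD9zJ62SdQAvuQ84SuPOLqOtF3RcapEaFkw1lQgh5EH7wbP5H/5P
/3fZr0M0fPuMII7JRo63Ex8R2tWzanULzp0XCvIV6B35l8uYLVrUYmtuPS8tRIn3
ElYxTlTTWXnE4wAq5pfLV/O6NHxlZ1z2HduU+FYT4va+Xj8ytVY+H3lK6w5hT/4E
5TteMlZHHi6ysxs7AgMBAAGjgaEwgZ4wHwYDVR0jBBgwFoAUM2sYPWW8VM89wCUh
/7m9oxf73r8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAcYwHQYDVR0O
BBYEFDNrGD1lvFTPPcAlIf+5vaMX+96/MDsGCCsGAQUFBwEBBC8wLTArBggrBgEF
BQcwAYYfaHR0cDovL2lwYS1jYS5pcGExLnRlc3QvY2Evb2NzcDANBgkqhkiG9w0B
AQsFAAOCAYEATyvbDnwM6P1oPV3yvFvyaFaujTiIpszGJP/DaCZBTMzItslAg1bR
cZ+clTyulSPpD3LnUae1AyIaVgTKqytyvA1Avw4Rx0kF8IJg3UuA6fgsXtWYx3HR
SGzIOtp4hUpJQyaVUxhDKCj6JgXomszxBPpge1l/8z/TNQN89cDYibqd6hENCEiV
HcglKq7ckW6p0+h33c4UQteFm9wmtwoEyt7bSilcEI8QHXrtzed/nCtiK1j0mUC0
PFhvTjiweVmdqrbI1upz98Ju1WMJUzvzHmhES1JYAEZmL1ShIN2EW/zZfEkB80Og
ad4ZG7EdrhRnswaz91+xSvW09Un1fAiAQgydxAHCaInC7mQ1biFaxlp6yfNEy2Yq
yoCjfXVxK4WrcdEBcyTU886FNOjiYHhTiw1aR4WDGyXef3V1xdYnFR2oLMA06nTU
m9UG0fVZNRCt4bd0BzUjgvWsgXypJ27AWEJwlLa0xcj6iIfK41oRFQwvqYFT1JPQ
OdXaJk4USyZo
-----END CERTIFICATE-----"""

if __name__ == "__main__":
    ns, ku, ca, granted = inspect(FREEIPA_CA_PEM)
    print(f"FreeIPA CA: nsCertType={ns} keyUsage={ku:#04x} CA={ca} SSL CA ok={'SSL CA' in granted}")
    # Joseph's ROOT-CA values, constructed from the openssl text quoted above (its DER is not in
    # the thread): nsCertType 'S/MIME CA, Object Signing CA' = 0x03, Key Usage 'Certificate Sign,
    # CRL Sign' = 0x06, Basic Constraints CA:TRUE.
    print("ROOT-CA: SSL CA ok =", "SSL CA" in derive_nss_usages(0x03, True, 0x06))
```

Run as-is: the FreeIPA CA (no nsCertType, Key Usage 0xc6, CA:TRUE) is granted every CA usage and passes, while the ROOT-CA values fall into the nsCertType branch, where only the S/MIME CA and Object Signing CA bits are set, so "SSL CA" is absent and the certutil -u L verification fails exactly as the thread describes. To confirm against real NSS rather than this model, import the certificate into a scratch database (certutil -N -d sql:/tmp/nssdb, then certutil -d sql:/tmp/nssdb -A -n ROOT-CA -t CT,C,C -i ca.crt) and run certutil -d sql:/tmp/nssdb -V -n ROOT-CA -u L.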