Over the weekend I was able to find the CA cert and matching key. So I was able to generate a new certificate using these and have them signed correctly. Here is how I did that (subsystem cert as an example):

CSR gen
openssl req -new -sha256 -key subsystem.key -subj "/CN=CA Subsystem /O=IPA.***.NET" -out subsystem.csr

Cert gen
openssl x509 -req -in subsystem.csr -CA ca.crt -CAkey ca.key -set_serial 4 -out subsystem.crt -days 3650 -sha256 -extfile openssl.cnf

create p12 (the nickname contains a space, so it has to be quoted)
openssl pkcs12 -export -out subsystem.p12 -inkey subsystem.key -in subsystem.crt -certfile ca.crt -name "subsystemCert cert-pki-ca"

import p12 to NSS DB
pk12util -d . -i subsystem.p12 -n "subsystemCert cert-pki-ca"

The 'extfile' contains some of the v3 attributes:

$ cat openssl.cnf
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

keyUsage = critical, nonRepudiation, digitalSignature

This morning I imported the auditSigningCert, subsystemCert, and ocspSigningCert certs to /etc/pki/pki-tomcat/alias and the trust attributes are correct.

Then I tried adding them back to certmonger for tracking, and they are now being tracked.

Request ID '20240401141044':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=IPA.****.NET
        subject: O="IPA.****.NET ",CN="CA Subsystem "
        expires: 2034-03-30 11:10:54 UTC
        key usage: digitalSignature,nonRepudiation
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20240401141327':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=IPA.****.NET
        subject: O="IPA.****.NET ",CN="OCSP Subsystem "
        expires: 2034-03-30 10:59:25 UTC
        key usage: digitalSignature,nonRepudiation
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20240401145826':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=IPA.****.NET
        subject: O="IPA.****.NET ",CN="CA Audit "
        expires: 2034-03-30 11:05:14 UTC
        key usage: digitalSignature,nonRepudiation
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes

However, after getting them tracked again, the NSS DB appears to have two copies (?)

# certutil -K -d .
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB":
< 0> rsa      d326b4d65770485d4e0652590101cb7327be0835   caSigningCert cert-pki-ca
< 1> rsa      f5544801e45007862e7593febbeba32c6931b100   subsystemCert cert-pki-ca
< 2> rsa      c13cdf1ff7588fbf7b8a25f7ce3e56d5ae0450cd   ocspSigningCert cert-pki-ca
< 3> rsa      99fffc1c7d251e95374aa15db210aa994c9452ef   NSS Certificate DB:Server-Cert cert-pki-ca
< 4> rsa      75ff858e34df66b838167a31c4d4e12ef76b0044   auditSigningCert cert-pki-ca
< 5> rsa      623e08407bf1fbace5146c7413e343935a987243   subsystemCert cert-pki-ca
< 6> rsa      2c62bcd9a61f0db2288c0e85c9c4f316793df98a   ocspSigningCert cert-pki-ca

But this only shows one of each, with correct trust attributes:

# certutil -L -d .

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

subsystemCert cert-pki-ca                                    u,u,u
ocspSigningCert cert-pki-ca                                  u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu

I also updated the subsystemCert in LDAP so that it matches (both cert and serial).

I am still unable to get pki-tomcat to start when I run 'ipactl start', but if I check the service using systemctl it appears to be running.

Clearly there is still something I'm missing.
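A quick way to get a handle on the "two copies" situation above is to cross-check the two certutil listings: an added Python example (not from the post, FreeIPA or NSS) that parses `certutil -K` and `certutil -L` output and reports nicknames carrying more than one private key, or a key without a certificate and vice versa. The sample listings are constructed from the output quoted in the post.

```python
import re
# Constructed sample listings, modelled on the certutil -K / -L output in the post.
CERTUTIL_K = """\
< 0> rsa      d326b4d65770485d4e0652590101cb7327be0835   caSigningCert cert-pki-ca
< 1> rsa      f5544801e45007862e7593febbeba32c6931b100   subsystemCert cert-pki-ca
< 2> rsa      c13cdf1ff7588fbf7b8a25f7ce3e56d5ae0450cd   ocspSigningCert cert-pki-ca
< 3> rsa      99fffc1c7d251e95374aa15db210aa994c9452ef   NSS Certificate DB:Server-Cert cert-pki-ca
< 4> rsa      75ff858e34df66b838167a31c4d4e12ef76b0044   auditSigningCert cert-pki-ca
< 5> rsa      623e08407bf1fbace5146c7413e343935a987243   subsystemCert cert-pki-ca
< 6> rsa      2c62bcd9a61f0db2288c0e85c9c4f316793df98a   ocspSigningCert cert-pki-ca
"""
CERTUTIL_L = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

subsystemCert cert-pki-ca                                    u,u,u
ocspSigningCert cert-pki-ca                                  u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
"""
# `certutil -K`: "< n> type   <key id hex>   nickname"; the nickname may carry a "token:" prefix.
KEY_LINE = re.compile(r"^<\s*\d+>\s+\w+\s+([0-9a-f]+)\s+(.*\S)\s*$")
# `certutil -L`: "nickname   trust"; the header and continuation lines do not match this.
CERT_LINE = re.compile(r"^(\S.*?\S)\s{2,}(\S+)$")

def parse_keys(listing):
    """Nickname -> list of key IDs from `certutil -K` output."""
    keys = {}
    for m in filter(None, map(KEY_LINE.match, listing.splitlines())):
        nick = m.group(2).split(":", 1)[-1]  # drop the "NSS Certificate DB:" style prefix
        keys.setdefault(nick, []).append(m.group(1))
    return keys

def parse_certs(listing):
    """Nickname -> trust attributes from `certutil -L` output."""
    return {m.group(1): m.group(2)
            for m in filter(None, map(CERT_LINE.match, listing.splitlines()))}

def audit(keys, certs):
    """Flag nicknames with more than one private key or with a key/cert mismatch."""
    findings = []
    for nick, ids in keys.items():
        if len(ids) > 1:
            findings.append((nick, "duplicate keys: " + ", ".join(i[:8] for i in ids)))
        if nick not in certs:
            findings.append((nick, "private key without certificate"))
    findings += [(n, "certificate without private key") for n in certs if n not in keys]
    return sorted(findings)
```

The listings alone do not say which of the two keys belongs to the certificate that is actually installed under the nickname; that still has to be checked against the certificate's public key before either key is removed.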