Hello FreeIPA users!

We would like to give you a heads up about a OCSP/CRL certificate validation
issue introduced in FreeIPA 3.1 release (ticket 3074) we have discovered.

Certificates issued by FreeIPA server 3.1 and later contains 2 CRL/OCSP URIs
server by Dogtag CA configured by FreeIPA:

        Version: 3 (0x2)
        Serial Number: 17 (0x11)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=EXAMPLE.COM, CN=Certificate Authority
            Not Before: Apr  8 10:16:15 2013 GMT
            Not After : Apr  9 10:16:15 2015 GMT
        Subject: O=EXAMPLE.COM, CN=testcert.example.com
        X509v3 extensions:
            X509v3 Authority Key Identifier:

            Authority Information Access:
                OCSP - URI:https://ipa-ca.example.com/ca/ocsp
                OCSP - URI:https://server1.example.com/ca/ocsp

            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points:

                Full Name:
                CRL Issuer:
                  DirName: O = ipaca, CN = Certificate Authority

                Full Name:
                CRL Issuer:
                  DirName: O = ipaca, CN = Certificate Authority

One OCSP/CRL URI points to the original CA issuing the certificate and one
points to a general URL (managed by FreeIPA) pointing to any other FreeIPA CA
via CNAME/A DNS record that can serve the OCSP/CRL URI in case if the original
FreeIPA CA was decommissioned or unavailable at the moment.

However, we have discovered that there are 2 issues related to this change:
1) Having https in the URIs requires client (e.g. a web browser) validating the
request to validate the machine serving the CRL/OCSP response itself even
though the CRL/OCSP response is already signed by the CA and thus verifiable.

Clients will fail to retrieve the CRL/OCSP in case of the general address as it
is just a CNAME for a FreeIPA server whose certificate does not allow it to
serve this address.

2) Even though we have 2 OCSP URIs in the certificate, the Firefox browser will
not fail over to the general URI due to limitation in NSS which only tries the
last OCSP and then fail when it is not available.

Issue 1) is being fixed by converting https in OCSP/CRL URIs to plain http as
the responses are already signed and verifiable. This will allow FreeIPA CAs to
serve the general URI ipa-ca.example.com.

Relevant upstream tickets:

When the issue is fixed in FreeIPA server, client certificates containing a
wrong OCSP/CRL URIs can be fixed by requesting new certificates from FreeIPA
CA. This task can be simplified by asking certmonger to request a new
certificate for given service ("ipa-getcert resubmit" command).

We plan to prepare a script automating this task on clients for your 

Issue 2) is more difficult to fix as it requires an enhancement to Firefox and
NSS to support an OCSP fail over when a certificates contains multiple OCSP
URIs. There is an open Mozilla Bugzilla with a request for this feature:


You are welcome to support our case and add your comments or use cases to this

If you have concerns or a question about this plan, please just add a comment.
We will inform you about our next steps.

Thank you.

Martin Kosek <mko...@redhat.com>
Senior Software Engineer - Identity Management Team
Red Hat Inc.

Freeipa-users mailing list

Reply via email to