Trying to install freeIPA and have it a sub-ca of an existing one. Sadly
I'm not getting anywhere.

The version I have installed:

This is what I run:

ipa-server-install -U -a testtest -p testtest
 --external_cert_file=/root/server.pem  --external_ca_file=/root/cacert.pem
-p testtest  -P testtest   -r MELTWATER.COM

Which runs this as part of the process:

/usr/bin/pkisilent ConfigureCA -cs_hostname
vagrant-centos-6.meltwater.com-cs_port 9445 -client_certdb_dir
/tmp/tmp-bOrwSu -client_certdb_pwd
testtest -preop_pin 4hdia3IvPvf27Qo7kBbO -domain_name IPA -admin_user admin
-admin_email root@localhost -admin_password testtest -agent_name
ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject
CN=ipa-ca-agent,O=MELTWATER.COM -ldap_host
vagrant-centos-6.meltwater.com-ldap_port 7389 -bind_dn cn="Directory
Manager" -bind_password testtest
-base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm
SHA256withRSA -save_p12 true -backup_pwd testtest -subsystem_name pki-cad
-token_name internal -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=
MELTWATER.COM" -ca_subsystem_cert_subject_name "CN=CA Subsystem,O=
MELTWATER.COM" -ca_ocsp_cert_subject_name "CN=OCSP Subsystem,O=MELTWATER.COM"
-ca_server_cert_subject_name CN=vagrant-centos-6.meltwater.com,O=
MELTWATER.COM -ca_audit_signing_cert_subject_name "CN=CA Audit,O=
MELTWATER.COM" -ca_sign_cert_subject_name "CN=Certificate Authority,O=
MELTWATER.COM" -external true -ext_ca_cert_file /root/server.pem
-ext_ca_cert_chain_file /root/cacert.pem

All this results in this in the log:
  <errorString>Failed to create pkcs12 file.</errorString>
Error in BackupPanel(): updateStatus value is null
ERROR: ConfigureCA: BackupPanel() failure
ERROR: unable to create CA

Interestingly adding the option -save_p12 false to the pkisilent command
above results in:

importCert string: importing with nickname: ipa-ca-agent
Already logged into to DB
ERROR:exception importing cert Security library failed to decode
certificate package: (-8183) security library: improperly formatted
DER-encoded message.
ERROR: AdminCertImportPanel() during cert import
ERROR: ConfigureCA: AdminCertImportPanel() failure
ERROR: unable to create CA

While the option change seemed innocent, I honestly don't know if its
crucial to the install or not. Anyhow, things don't really progress anyway.

I followed the documentation by signing the /root/ipa.csr with a test,
internal CA but somehow I can't get the install to proceed.

[root@vagrant-centos-6 CA]# cat /root/server.pem
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=JP, ST=TK, L=TKK, O=MW, OU=ops,
            Not Before: Nov  6 05:12:09 2013 GMT
            Not After : Nov  6 05:12:09 2014 GMT
        Subject: O=MELTWATER.COM, CN=Certificate Authority

[root@vagrant-centos-6 CA]# cat /root/cacert.pem

Any help would be welcome.

William Leese
Production Engineer,
Operations, Asia Pacific
Meltwater Group
m: +81 80 4946 0329
skype: william.leese1
w: meltwater.com

This email and any attachment(s) is intended for and confidential to the
addressee. If you are neither the addressee nor an authorized recipient for
the addressee, please notify us of receipt, delete this message from your
system and do not use, copy or disseminate the information in, or attached
to it, in any way. Our messages are checked for viruses but please note
that we do not accept liability for any viruses which may be transmitted in
or with this message.
Freeipa-users mailing list

Reply via email to