Andrea Bontempi wrote:
This is incorrect. To validate a certificate you only need the CA public
keys, not the private ones. Only having the ipa-ca-agent key is right.
This is a temporary database, not the CA database. We are using this
cert to request some information about itself from the CA in this case.


You're right, I thought that the script used a temporary db to create the final 
database, but it's only to connect with sslget.

I think there is an issue with one of the CA certs but I've yet to
duplicate it or identify what is wrong. I'm still waiting on word back
from one of the NSS devs.


I did some tests: the error occurs when I use a CA managed by EJBCA; if I use a 
CA generated by openssl or nss, everything works properly.

The problem is that I can't reproduce the bug in an external nss db... but 
maybe I don't follow the same steps that the installation script uses.

The problem has to do with the encoding of the subject and issuer fields.

The issue is that one is encoded as a UTF8 string and the other is
encoded as a printable string. This makes the binary derSubject and
derIssuer fields different. NSS does not like derSubject and derIssuer
fields that are different.

Server's raw der issuer:                          v
  30 35 31 13 30 11 06 03 02 05 04 10 55 04 0a 13 < Note the 0x13->0x0c change here
  0a 44 42 4d 53 52 4c 2e 43 4f 4d 31 1e 30 1c 06
  03 02 05 04 03 55 04 03 13 15 43 65 72 74 69 66
  69 63 61 74 65 20 41 75 74 68 6f 72 69 74 79

Issuer's raw der subject:                         v
  30 35 31 13 30 11 06 03 02 05 04 10 55 04 0a 0c <
  0a 44 42 4d 53 52 4c 2e 43 4f 4d 31 1e 30 1c 06
  03 02 05 04 03 55 04 03 0c 15 43 65 72 74 69 66
  69 63 61 74 65 20 41 75 74 68 6f 72 69 74 79

The NSS dev suggested issuing a new intermediate certificate using a Printable String for the subject, with everything else the same. The problem is that this intermediate cert is issued by dogtag and I'm not sure if we have that level of control.

You can't restart a failed install, and if you try it again you'll end up with the same problem.

I've cc'd a dogtag developer to see if this can be handled via the profiles that dogtag uses to generate certificates.

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
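Added example (not code from the thread, from FreeIPA, dogtag or NSS): the issuer name read from the dumps above (O=DBMSRL.COM, CN=Certificate Authority) is re-encoded here once with PrintableString (tag 0x13) and once with UTF8String (tag 0x0c), so the DER bytes are constructed, not copied from the posts. The block shows at which offsets the two encodings differ, contrasts the byte-exact derIssuer == derSubject comparison the thread attributes to NSS with a (simplified) RFC 5280 section 7.1 comparison that ignores the string type, and applies the NSS developer's suggestion by re-encoding every UTF8String value that fits the PrintableString repertoire as PrintableString. It assumes single-valued RDNs and uses only the standard library.

```python
"""DER Name encoding: PrintableString vs UTF8String and what it does to
byte-exact issuer/subject matching.  Constructed example, stdlib only."""

SEQUENCE, SET, OID = 0x30, 0x31, 0x06
UTF8_STRING, PRINTABLE_STRING, IA5_STRING, BMP_STRING = 0x0C, 0x13, 0x16, 0x1E
OID_ORGANIZATION = bytes.fromhex("55040a")   # id-at-organizationName
OID_COMMON_NAME = bytes.fromhex("550403")    # id-at-commonName
# Repertoire of an X.680 PrintableString
PRINTABLE_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                      "0123456789 '()+,-./:=?")

# The DN from the thread's dumps, as single-valued RDNs (assumption).
NAME = [[(OID_ORGANIZATION, "DBMSRL.COM")],
        [(OID_COMMON_NAME, "Certificate Authority")]]


def der_tlv(tag, body):
    """Definite-length DER tag/length/value for bodies shorter than 65536 bytes."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body


def read_tlv(buf):
    """Split one TLV off the front of buf -> (tag, value, remainder)."""
    tag, length, pos = buf[0], buf[1], 2
    if length & 0x80:                          # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], buf[pos + length:]


def encode_string(tag, text):
    if tag == BMP_STRING:
        return text.encode("utf-16-be")
    if tag in (PRINTABLE_STRING, IA5_STRING):
        return text.encode("ascii")
    return text.encode("utf-8")


def decode_string(tag, value):
    if tag == BMP_STRING:
        return value.decode("utf-16-be")
    if tag in (PRINTABLE_STRING, IA5_STRING):
        return value.decode("ascii")
    if tag == UTF8_STRING:
        return value.decode("utf-8")
    raise ValueError("unsupported string tag 0x%02x" % tag)


def with_tag(rdns, tag):
    """Attach one string tag to every (oid, text) pair -> (oid, tag, text) triples."""
    return [[(oid, tag, text) for oid, text in rdn] for rdn in rdns]


def encode_name(rdns):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { AttributeType OID, value }."""
    out = b""
    for rdn in rdns:
        atvs = b"".join(der_tlv(SEQUENCE, der_tlv(OID, oid) + der_tlv(tag, encode_string(tag, text)))
                        for oid, tag, text in rdn)
        out += der_tlv(SET, atvs)
    return der_tlv(SEQUENCE, out)


def parse_name(der):
    """Inverse of encode_name: DER Name -> list of RDNs of (oid, tag, text)."""
    tag, body, rest = read_tlv(der)
    if tag != SEQUENCE or rest:
        raise ValueError("not a single DER Name")
    rdns = []
    while body:
        tag, setbody, body = read_tlv(body)
        if tag != SET:
            raise ValueError("expected SET")
        rdn = []
        while setbody:
            tag, atv, setbody = read_tlv(setbody)
            oidtag, oid, atv = read_tlv(atv)
            strtag, value, atv = read_tlv(atv)
            if tag != SEQUENCE or oidtag != OID or atv:
                raise ValueError("malformed AttributeTypeAndValue")
            rdn.append((oid, strtag, decode_string(strtag, value)))
        rdns.append(rdn)
    return rdns


def server_issuer():
    """First dump in the thread: the server cert's issuer, PrintableString values."""
    return encode_name(with_tag(NAME, PRINTABLE_STRING))


def ca_subject():
    """Second dump: the issuing CA's subject, the same text as UTF8String values."""
    return encode_name(with_tag(NAME, UTF8_STRING))


def differing_offsets(a, b):
    """Byte offsets at which two DER blobs differ (including any length tail)."""
    same = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return same + list(range(min(len(a), len(b)), max(len(a), len(b))))


def names_match_strict(a, b):
    """Byte-exact derIssuer == derSubject, the comparison the thread says NSS applies."""
    return a == b


def names_match_rfc5280(a, b):
    """RFC 5280 s7.1 style: same OIDs and values after converting every value to
    Unicode, ignoring string tag, case and insignificant whitespace (simplified
    string preparation; an assumption of this example, not the full RFC 4518 rules)."""
    def norm(der):
        return [sorted((oid, " ".join(t.split()).casefold()) for oid, _tag, t in rdn)
                for rdn in parse_name(der)]
    return norm(a) == norm(b)


def re_encode_as_printable(der):
    """The NSS developer's suggestion: emit every UTF8String value whose characters
    all lie in the PrintableString repertoire as PrintableString; other values
    (e.g. accented characters) keep their UTF8String tag."""
    return encode_name([[(oid, PRINTABLE_STRING if tag == UTF8_STRING and set(t) <= PRINTABLE_CHARS else tag, t)
                         for oid, tag, t in rdn] for rdn in parse_name(der)])


if __name__ == "__main__":
    a, b = server_issuer(), ca_subject()
    print("issuer/subject differ at offsets", differing_offsets(a, b))
    print("strict match:", names_match_strict(a, b), " rfc5280 match:", names_match_rfc5280(a, b))
    print("strict match after re-encoding CA subject:", names_match_strict(a, re_encode_as_printable(b)))
```

Running it reports that the two encodings differ only at the two string-tag bytes, that the byte-exact check fails while the RFC 5280 comparison succeeds, and that re-encoding the CA subject with PrintableString makes the two blobs identical, which is why a re-issued intermediate with PrintableString attributes (and everything else unchanged) would satisfy the strict check.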