I’m aware of the bug filed here, but the workaround as documented did not work:
Looking at this ticket:
It seems that it won’t be fixed until freeipa 4.5.
Is there any workaround currently in FreeIPA 4.2/4.3 to somehow manually
generate a CSR that can be recognized by Microsoft?
The ipa-server-install was able to generate a CSR for root CA signing if one
specifies --external-ca-type ms-cs, which works for MS AD CA,
but no such option exists for ipa-cacert-manage.
I’m trying to upgrade our current IPA installation from self-signed to be
signed by the CA operated by IT.
So I followed the procedure here to generate the CSR to be signed:
However, when I submitted the CSR to be signed, the Microsoft Windows 2012R2
ADCA rejected the CSR with this error:
Certificate not issued (Denied) Denied by Policy Module 0x80094800, The
request was for a certificate template that is not supported by the Active
Directory Certificate Services policy: ipaCSRExport/PANW_Subordinate Certification Authority.
The requested certificate template is not supported by this CA. 0x80094800
1401.5098.0:<2016/11/3, 11:11:3>: 0x80094800 (-2146875392
1401.5602.0:<2016/11/3, 11:11:3>: 0x80094800 (-2146875392
1401.16709.0:<2016/11/3, 11:11:3>: 0x80094800 (-2146875392
Certificate Request Processor: The requested certificate template is not
supported by this CA. 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE)
Denied by Policy Module 0x80094800, The request was for a certificate template
that is not supported by the Active Directory Certificate Services policy:
ipaCSRExport/PANW_Subordinate Certification Authority.
Here is what the CSR looks like (with keys taken out):
        Version: 0 (0x0)
        Subject: O=XYZ.LOCAL, CN=Certificate Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        friendlyName             :unable to print attribute
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
            X509v3 Subject Key Identifier:
    Signature Algorithm: sha256WithRSAEncryption
I tried the workaround documented on the webpage and asked for the CSR to be
processed via the command line with certreq. Same error.
I’ve also tried this workaround:
where I manually generated the cert via certutil:
# echo -e -n '\x1E\x0A\x00\x53\x00\x75\x00\x62\x00\x43\x00\x41' > ext-value
# certutil -R -d /etc/pki/pki-tomcat/alias \
    -f <(grep -Po '(?<=internal=).*' /etc/pki/pki-tomcat/password.conf) \
    -k 'caSigningCert cert-pki-ca' \
    --extGeneric=1.3.6.1.4.1.311.20.2:not-critical:ext-value -o ipa.csr -a
which didn’t work either.
I’m running IPA version 4.2.0 on CentOS 7.2.1511.
Also, if I run ipa-server-install --external-ca --external-ca-type ms-cs on a
test box, it’ll generate a CSR that works, the only difference being that the
X509v3 extensions are not there.
So I’m not sure if the same logic that’s used in ipa-server-install can be used
in ipa-cacert-manage to generate the renewal CSR.
Please help to generate a correct CSR for Microsoft Windows 2012R2 CA to
recognize and sign so I can chain the existing self-signed CA to it. Thanks.
Efficiency is Intelligent Laziness
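The error above (CERTSRV_E_UNSUPPORTED_CERT_TYPE) is AD CS looking for the Microsoft Certificate Template Name extension, OID 1.3.6.1.4.1.311.20.2, whose value is a BMPString such as "SubCA"; that is exactly what the echo line in the certutil workaround writes byte by byte. The following is an added example (editor's code, not FreeIPA's or certutil's) that builds that extension in DER and scans a DER blob such as a CSR for it so you can check whether a renewal CSR carries the template before submitting it; it assumes the template name uses a short-form DER length.

```python
MS_TEMPLATE_OID = "1.3.6.1.4.1.311.20.2"  # MS Certificate Template Name extension


def der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_oid(oid):
    """DER OBJECT IDENTIFIER TLV for a dotted OID string (base-128 arcs)."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return b"\x06" + der_len(len(out)) + bytes(out)


def bmpstring(text):
    """DER BMPString TLV (tag 0x1E) with a UCS-2 big-endian body."""
    body = text.encode("utf-16-be")
    return b"\x1e" + der_len(len(body)) + body


def ms_template_extension(template, critical=False):
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }."""
    value = bmpstring(template)
    inner = encode_oid(MS_TEMPLATE_OID)
    if critical:
        inner += b"\x01\x01\xff"
    inner += b"\x04" + der_len(len(value)) + value
    return b"\x30" + der_len(len(inner)) + inner


def find_ms_template(der):
    """Template name carried by the extension inside a DER blob (e.g. a CSR), or None.
    Naive scan: locate the OID TLV, skip an optional critical flag, unwrap the
    OCTET STRING, then decode the BMPString (short-form length assumed)."""
    oid = encode_oid(MS_TEMPLATE_OID)
    p = der.find(oid)
    if p < 0:
        return None
    p += len(oid)
    try:
        if der[p] == 0x01:  # critical BOOLEAN present
            p += 3
        if der[p] != 0x04:
            return None
        p += 2 if der[p + 1] < 0x80 else 2 + (der[p + 1] & 0x7F)
        if der[p] != 0x1e:
            return None
        return der[p + 2:p + 2 + der[p + 1]].decode("utf-16-be")
    except IndexError:
        return None
```

Feed find_ms_template the DER of a CSR (PEM body base64-decoded) to confirm the template is present before handing it to the Windows CA.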
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project