I’m aware of the bug filed here, but the workaround as documented did not work: https://bugzilla.redhat.com/show_bug.cgi?id=1322963
Looking at this ticket: https://fedorahosted.org/freeipa/ticket/5799 it seems that it won’t be fixed until FreeIPA 4.5. Is there any workaround currently in FreeIPA 4.2/4.3 to somehow manually generate a CSR that can be recognized by Microsoft? ipa-server-install was able to generate a CSR for root CA signing if one specifies --external-ca-type ms-cs, which works for the MS AD CA, but no such option exists for ipa-cacert-manage. Details below.

I’m trying to upgrade our current IPA installation from self-signed to being signed by the CA operated by IT. So I followed the procedure here to generate the CSR to be signed: http://www.freeipa.org/page/V4/CA_certificate_renewal

However, when I submitted the CSR to be signed, the Microsoft Windows 2012R2 AD CA rejected the CSR with this error:

    Certificate not issued (Denied) Denied by Policy Module 0x80094800, The request was for a certificate template that is not supported by the Active Directory Certi olicy: ipaCSRExport/PANW_Subordinate Certification Authority. The requested certificate template is not supported by this CA. 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE)
    1401.5098.0:<2016/11/3, 11:11:3>: 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE)
    1401.5602.0:<2016/11/3, 11:11:3>: 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE)
    1401.16709.0:<2016/11/3, 11:11:3>: 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE)
    Certificate Request Processor: The requested certificate template is not supported by this CA. 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE)
    Denied by Policy Module 0x80094800, The request was for a certificate template that is not supported by the Active Directory Certificate Services policy: ipaCSREx nate Certification Authority.

Here is what the CSR looks like (with keys taken out):

    Certificate Request:
        Data:
            Version: 0 (0x0)
            Subject: O=XYZ.LOCAL, CN=Certificate Authority
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
            Attributes:
                friendlyName             :unable to print attribute
            Requested Extensions:
                X509v3 Key Usage:
                    Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Subject Key Identifier:
                    C9:8C:B7:B1:9D:4B:02:E2:74:FD:59:3E:1C:FC:9C:C9:98:EE:81:BD
                1.3.6.1.4.1.311.20.2:
                    ...i.p.a.C.S.R.E.x.p.o.r.t
        Signature Algorithm: sha256WithRSAEncryption

I tried the workaround documented on the web page and asked for the CSR to be processed via the command-line certreq. Same error.

I’ve also tried this workaround: https://bugzilla.redhat.com/show_bug.cgi?id=1322963 where I manually generated the CSR via certutil:

    # echo -e -n '\x1E\x0A\x00\x53\x00\x75\x00\x62\x00\x43\x00\x41' >ext-value
    # certutil -R -d /etc/pki/pki-tomcat/alias -f <(grep -Po '(?<=internal=).*' /etc/pki/pki-tomcat/password.conf) -k 'caSigningCert cert-pki-ca' --extGeneric=1.3.6.1.4.1.311.20.2:not-critical:ext-value -o ipa.csr -a

which didn’t work either.

I’m running IPA version 4.2.0 on CentOS 7.2.1511: ipa-server-4.2.0-15.0.1.el7.centos.17.x86_64

Also, if I run ipa-server-install --external-ca --external-ca-type ms-cs on a test box, it’ll generate a CSR that works, the only difference being that the X509v3 extensions are not there:

                    Exponent: 65537 (0x10001)
            Attributes:
                a0:00

so I’m not sure whether the same logic that’s used in ipa-server-install can be used in ipa-cacert-manage to generate the renewal CSR.

Please help to generate a correct CSR for the Microsoft Windows 2012R2 CA to recognize and sign so I can chain the existing self-signed CA to it. Thanks.

-- Efficiency is Intelligent Laziness
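The echo command in the post hand-assembles the value of the Microsoft certificate-template extension (OID 1.3.6.1.4.1.311.20.2) byte by byte. The following is an added example, not code from the post or from the FreeIPA project, that builds and decodes that value so you can check what a CSR actually carries before submitting it. It assumes (this is an assumption of the example, not a statement from the post) that the value is a DER BMPString, tag 0x1E, holding the template name in UTF-16BE; the byte string in the post is consistent with that layout. The file name ext-value and the function names are the example's own.

```python
# Added example (not from the post, not FreeIPA code): encode/decode the value of the
# Microsoft certificate-template extension, OID 1.3.6.1.4.1.311.20.2.
# Assumption: the value is a DER BMPString (tag 0x1E) holding the template name
# in UTF-16BE, which is the layout the post's echo command spells out for "SubCA".

CERT_TEMPLATE_NAME_OID = "1.3.6.1.4.1.311.20.2"
BMPSTRING_TAG = 0x1E


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_der_length(data: bytes, pos: int):
    """Return (content length, offset of first content byte) for the length field at pos."""
    first = data[pos]
    if first < 0x80:
        return first, pos + 1
    nbytes = first & 0x7F
    if nbytes == 0 or pos + 1 + nbytes > len(data):
        raise ValueError("malformed DER length")
    return int.from_bytes(data[pos + 1:pos + 1 + nbytes], "big"), pos + 1 + nbytes


def encode_template_name(name: str) -> bytes:
    """DER-encode a template name as a BMPString (tag, length, UTF-16BE payload)."""
    payload = name.encode("utf-16-be")
    return bytes([BMPSTRING_TAG]) + _der_length(len(payload)) + payload


def decode_template_name(der: bytes) -> str:
    """Inverse of encode_template_name; rejects anything that is not exactly one BMPString."""
    if not der or der[0] != BMPSTRING_TAG:
        raise ValueError("not a BMPString")
    length, start = _read_der_length(der, 1)
    if length % 2 or start + length != len(der):
        raise ValueError("bad BMPString length")
    return der[start:start + length].decode("utf-16-be")


def as_echo_escapes(der: bytes) -> str:
    """Render the bytes as the \\xNN escapes used with `echo -e -n` in the post."""
    return "".join(f"\\x{b:02X}" for b in der)


def write_ext_value(path: str, name: str) -> bytes:
    """Write the encoded value to a file suitable as certutil --extGeneric input (hypothetical path)."""
    der = encode_template_name(name)
    with open(path, "wb") as fh:
        fh.write(der)
    return der


if __name__ == "__main__":
    # Reproduces the byte string from the post and the matching certutil option.
    der = encode_template_name("SubCA")
    print(as_echo_escapes(der))
    print(f"--extGeneric={CERT_TEMPLATE_NAME_OID}:not-critical:ext-value")
    # Decoding the bytes openssl printed as "...i.p.a.C.S.R.E.x.p.o.r.t" gives the
    # template name the CA complained about.
    print(decode_template_name(encode_template_name("ipaCSRExport")))
```

Decoding the extension out of a CSR you are about to submit (openssl's `...i.p.a.C.S.R.E.x.p.o.r.t` is the same BMPString with the tag, length and high bytes shown as dots) tells you which template name the CA will be asked for, which is the value its policy module checks against the templates it publishes.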
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project