Hi Clark,

On Mon, Mar 27, 2017 at 04:19:42PM +0000, System Administration Team wrote:
> Fraser,
> 
> I cannot pass the DN or CN as part of the subject on the command line 
> ipa-server-install 
> 
> Ipa-server-install appears to set the CN to 'Certificate Authority' from the 
> openssl output.
>
The ability to control this was added in v4.5:
http://www.freeipa.org/page/Releases/4.5.0#Fully_customisable_CA_name

But, the Subject DN in the CSR is advisory; we have no control over
what the external CA actually does.  FreeIPA requires the signed
cert to match what was in the CSR.

> I believe the preferred for a subCA should be the FQDN of the subCA server 
> which is the ipa install.
> 
It doesn't matter, as long as it's different from other CAs.

> The final error when I try to run ipa-server-install:
> 
> ipa.ipapython.install.cli.install_tool(Server): ERROR    IPA CA certificate 
> not found in /etc/pki/tls/certs/ipa.cert.pem, /etc/pki/tls/certs/ca.cert.pem
> ipa.ipapython.install.cli.install_tool(Server): ERROR    The 
> ipa-server-install command failed. See /var/log/ipaserver-install.log for 
> more information
> 
This is consistent with the signed cert having a different Subject
DN from what IPA expects (which is what it put into the CSR).

Cheers,
Fraser

> Thank You
> 
> Clark
> 
> Does the subject distinguished name in the signed certificate exactly match 
> what was in the CSR?
> 
> 
> 2017-03-27 IPA Install
> 
> [root@ipa certs]# ipa-server-install --external-ca --domain=camgian.com --hostname=ipa.camgian.com --realm=CAMGIAN.COM --subject 'OU=IT,O=Camgian Microsystems,L=Starkville,ST=Mississippi,C=US,mail=<REMOVED>'
> 
> The log file for this installation can be found in 
> /var/log/ipaserver-install.log 
> ==============================================================================
> This program will set up the IPA Server.
> 
> This includes:
>   * Configure a stand-alone CA (dogtag) for certificate management
>   * Configure the Network Time Daemon (ntpd)
>   * Create and configure an instance of Directory Server
>   * Create and configure a Kerberos Key Distribution Center (KDC)
>   * Configure Apache (httpd)
> 
> To accept the default shown in brackets, press the Enter key.
> 
> Do you want to configure integrated DNS (BIND)? [no]:
> 
> Certain directory server operations require an administrative user.
> This user is referred to as the Directory Manager and has full access to the 
> Directory for system management tasks and will be added to the instance of 
> directory server created for IPA.
> The password must be at least 8 characters long.
> 
> Directory Manager password:
> Password (confirm):
> 
> The IPA server requires an administrative user, named 'admin'.
> This user is a regular system account used for IPA server administration.
> 
> IPA admin password:
> Password (confirm):
> 
> 
> The IPA Master Server will be configured with:
> Hostname:       ipa.camgian.com
> IP address(es): 192.168.200.3
> Domain name:    camgian.com
> Realm name:     CAMGIAN.COM
> 
> Continue to configure the system with these values? [no]: yes
> 
> The following operations may take some minutes to complete.
> Please wait until the prompt is returned.
> 
> Configuring NTP daemon (ntpd)
>   [1/4]: stopping ntpd
>   [2/4]: writing configuration
>   [3/4]: configuring ntpd to start on boot
>   [4/4]: starting ntpd
> Done configuring NTP daemon (ntpd).
> Configuring directory server (dirsrv). Estimated time: 1 minute
>   [1/47]: creating directory server user
>   [2/47]: creating directory server instance
>   [3/47]: updating configuration in dse.ldif
>   [4/47]: restarting directory server
>   [5/47]: adding default schema
>   [6/47]: enabling memberof plugin
>   [7/47]: enabling winsync plugin
>   [8/47]: configuring replication version plugin
>   [9/47]: enabling IPA enrollment plugin
>   [10/47]: enabling ldapi
>   [11/47]: configuring uniqueness plugin
>   [12/47]: configuring uuid plugin
>   [13/47]: configuring modrdn plugin
>   [14/47]: configuring DNS plugin
>   [15/47]: enabling entryUSN plugin
>   [16/47]: configuring lockout plugin
>   [17/47]: configuring topology plugin
>   [18/47]: creating indices
>   [19/47]: enabling referential integrity plugin
>   [20/47]: configuring certmap.conf
>   [21/47]: configure autobind for root
>   [22/47]: configure new location for managed entries
>   [23/47]: configure dirsrv ccache
>   [24/47]: enabling SASL mapping fallback
>   [25/47]: restarting directory server
>   [26/47]: adding sasl mappings to the directory
>   [27/47]: adding default layout
>   [28/47]: adding delegation layout
>   [29/47]: creating container for managed entries
>   [30/47]: configuring user private groups
>   [31/47]: configuring netgroups from hostgroups
>   [32/47]: creating default Sudo bind user
>   [33/47]: creating default Auto Member layout
>   [34/47]: adding range check plugin
>   [35/47]: creating default HBAC rule allow_all
>   [36/47]: adding sasl mappings to the directory
>   [37/47]: adding entries for topology management
>   [38/47]: initializing group membership
>   [39/47]: adding master entry
>   [40/47]: initializing domain level
>   [41/47]: configuring Posix uid/gid generation
>   [42/47]: adding replication acis
>   [43/47]: enabling compatibility plugin
>   [44/47]: activating sidgen plugin
>   [45/47]: activating extdom plugin
>   [46/47]: tuning directory server
>   [47/47]: configuring directory to start on boot
> Done configuring directory server (dirsrv).
> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 
> seconds
>   [1/8]: creating certificate server user
>   [2/8]: configuring certificate server instance
> The next step is to get /root/ipa.csr signed by your CA and re-run /usr/sbin/ipa-server-install as:
> /usr/sbin/ipa-server-install --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate
> [root@ipa certs]#
> 
> 
> [root@ipa certs]# openssl req -in /root/ipa.csr -noout -text
> Certificate Request:
>     Data:
>         Version: 0 (0x0)
>         Subject: mail=<REMOVED>, C=US, ST=Mississippi, L=Starkville, 
> O=Camgian Microsystems, OU=IT, CN=Certificate Authority
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>                 Modulus:
>                     <REMOVED FOR BREVITY>
>                 Exponent: 65537 (0x10001)
>         Attributes:
>         Requested Extensions:
>             X509v3 Basic Constraints: critical
>                 CA:TRUE
>             X509v3 Key Usage: critical
>                 Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
>     Signature Algorithm: sha256WithRSAEncryption
>          <REMOVED FOR BREVITY>
> [root@ipa certs]#
> 
> Sign ipa.csr
> 
> root@rootCA:~/ca# openssl ca -config openssl.cnf -policy policy_loose -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in /home/camgian/ipa.csr -out intermediate/certs/ipa.cert.pem
> Using configuration from openssl.cnf
> Enter pass phrase for /root/ca/private/ca.key.pem:
> Check that the request matches the signature
> Signature ok
> Certificate Details:
>         Serial Number: 4099 (0x1003)
>         Validity
>             Not Before: Mar 27 15:49:18 2017 GMT
>             Not After : Mar 25 15:49:18 2027 GMT
>         Subject:
>             countryName               = US
>             stateOrProvinceName       = Mississippi
>             localityName              = Starkville
>             organizationName          = Camgian Microsystems
>             organizationalUnitName    = IT
>             commonName                = Certificate Authority
>         X509v3 extensions:
>             X509v3 Subject Key Identifier:
>                 D3:FC:DE:2B:F8:5B:50:9B:31:68:92:D0:06:31:1B:F9:EB:63:B5:6A
>             X509v3 Authority Key Identifier:
>                 keyid:60:1B:78:1A:BD:3C:97:78:A6:04:72:A0:FA:6E:11:48:55:B0:5B:40
> 
>             X509v3 Basic Constraints: critical
>                 CA:TRUE, pathlen:0
>             X509v3 Key Usage: critical
>                 Digital Signature, Certificate Sign, CRL Sign
> Certificate is to be certified until Mar 25 15:49:18 2027 GMT (3650 days)
> Sign the certificate? [y/n]:y
> 
> 
> 1 out of 1 certificate requests certified, commit? [y/n]y
> Write out database with 1 new entries
> Data Base Updated
> root@rootCA:~/ca#
> 
> 
> root@rootCA:~/ca# openssl x509 -noout -text -in /root/ca/intermediate/certs/ipa.cert.pem
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 4099 (0x1003)
>     Signature Algorithm: sha256WithRSAEncryption
>         Issuer: C=US, ST=Mississippi, L=Starkville, O=Camgian Microsystems, 
> OU=IT, CN=Camgian Microsystems Root CA/emailAddress=<removed>
>         Validity
>             Not Before: Mar 27 15:49:18 2017 GMT
>             Not After : Mar 25 15:49:18 2027 GMT
>         Subject: C=US, ST=Mississippi, L=Starkville, O=Camgian Microsystems, 
> OU=IT, CN=Certificate Authority
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>                 Modulus:
>                     <REMOVED FOR BREVITY>
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Subject Key Identifier:
>                 D3:FC:DE:2B:F8:5B:50:9B:31:68:92:D0:06:31:1B:F9:EB:63:B5:6A
>             X509v3 Authority Key Identifier:
>                 keyid:60:1B:78:1A:BD:3C:97:78:A6:04:72:A0:FA:6E:11:48:55:B0:5B:40
> 
>             X509v3 Basic Constraints: critical
>                 CA:TRUE, pathlen:0
>             X509v3 Key Usage: critical
>                 Digital Signature, Certificate Sign, CRL Sign
>     Signature Algorithm: sha256WithRSAEncryption
>          <REMOVED FOR BREVITY>
> root@rootCA:~/ca#
> 
> [root@ipa certs]# ipa-server-install --domain=camgian.com --hostname=ipa.camgian.com --realm=CAMGIAN.COM --subject 'OU=IT,O=Camgian Microsystems,L=Starkville,ST=Mississippi,C=US,mail=<REMOVED>' --external-cert-file=/etc/pki/tls/certs/ipa.cert.pem --external-cert-file=/etc/pki/tls/certs/ca.cert.pem
> 
> The log file for this installation can be found in /var/log/ipaserver-install.log
> Directory Manager password:
> 
> ==============================================================================
> This program will set up the IPA Server.
> 
> This includes:
>   * Configure a stand-alone CA (dogtag) for certificate management
>   * Configure the Network Time Daemon (ntpd)
>   * Create and configure an instance of Directory Server
>   * Create and configure a Kerberos Key Distribution Center (KDC)
>   * Configure Apache (httpd)
> 
> ipa.ipapython.install.cli.install_tool(Server): ERROR    IPA CA certificate 
> not found in /etc/pki/tls/certs/ipa.cert.pem, /etc/pki/tls/certs/ca.cert.pem
> ipa.ipapython.install.cli.install_tool(Server): ERROR    The 
> ipa-server-install command failed. See /var/log/ipaserver-install.log for 
> more information
> [root@ipa certs]#
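As an added example (not FreeIPA's code and not from this thread), a stdlib-only Python check that compares the one-line Subject printed by `openssl req -text` for the CSR with the Subject printed by `openssl x509 -text` for the signed certificate, and reports which attributes the signing CA dropped, added or reordered. The two subject strings are constructed from the output quoted above, with the removed mail value replaced by a placeholder.

```python
"""Compare a CSR's Subject DN with the Subject DN of the signed certificate,
the way FreeIPA's external-CA install expects them to agree.
Added example, not FreeIPA code; works on the one-line subject text that
openssl prints, so it runs offline."""

import re

# Constructed from the thread: the CSR carried a leading mail= attribute
# (placeholder value; the real one was removed from the post).
CSR_SUBJECT = ("mail=user@example.invalid, C=US, ST=Mississippi, L=Starkville, "
               "O=Camgian Microsystems, OU=IT, CN=Certificate Authority")
# Constructed from the thread: the subject openssl ca wrote into the cert.
CERT_SUBJECT = ("C=US, ST=Mississippi, L=Starkville, O=Camgian Microsystems, "
                "OU=IT, CN=Certificate Authority")


def parse_subject(text):
    """Split an openssl one-line subject into an ordered list of (attr, value).
    Accepts the comma-separated form and the legacy '/C=US/CN=...' form.
    Values that themselves contain ', ' or '/' are not handled."""
    text = text.strip()
    parts = text[1:].split("/") if text.startswith("/") else re.split(r",\s*", text)
    rdns = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError("not an attr=value RDN: %r" % part)
        rdns.append((attr.strip(), value.strip()))
    return rdns


def compare_subjects(csr_subject, cert_subject):
    """Describe how the certificate's subject deviates from the CSR's.
    'match' is an ordered, exact comparison; the other keys explain a mismatch."""
    csr = parse_subject(csr_subject)
    cert = parse_subject(cert_subject)
    return {
        "match": csr == cert,
        "dropped": [r for r in csr if r not in cert],   # present in CSR, lost by CA
        "added": [r for r in cert if r not in csr],     # injected by the CA
        "reordered": sorted(csr) == sorted(cert) and csr != cert,
    }


if __name__ == "__main__":
    for key, val in compare_subjects(CSR_SUBJECT, CERT_SUBJECT).items():
        print("%-10s %s" % (key + ":", val))
```

`openssl ca` silently deletes subject attributes that its policy section does not mention unless it is run with `-preserveDN`, so a comparison like this is worth running before passing the certificate to `ipa-server-install --external-cert-file`.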

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project