Re: [Freeipa-devel] Questions re. 3rd party certificates

2016-06-21 Thread Jan Cholasta

Hi,

On 21.6.2016 11:03, Florence Blanc-Renaud wrote:

> Hi,
>
> I am working on the following issues and I have questions re. 3rd party
> certificates:
> - https://fedorahosted.org/freeipa/ticket/4785 ipa-server-certinstall
> tracks the 3rd party cert it installs with certmonger
> - https://fedorahosted.org/freeipa/ticket/4786 ipa-server-certinstall
> does not accept certs signed by 3rd party CAs
>
> First I would like to validate that my scenario is the correct one:
> FreeIPA installed with an embedded CA. The customer now wants to use a
> different certificate for httpd and dirsrv, signed by a 3rd party CA.
> The steps to achieve this are:
> 1. run "ipa-cacert-manage install -t C,, " to install the
> 3rd party CA certificate. This step puts the CA certificate in the LDAP
> entry cn=certificates,cn=ipa,cn=etc,dc=...

Right.

> 2. run "ipa-certupdate" to retrieve the CA cert from LDAP and put it
> into /etc/ipa/nssdb /etc/dirsrv/slapd-xxx and /etc/httpd/alias
> Note that this command does not put the CA cert into
> /etc/pki/pki-tomcat/alias, is this expected? I had to perform this
> manually (otherwise tomcat won't restart later).


ipa-certupdate is supposed to update /etc/pki/pki-tomcat/alias.

Here is the relevant code:

> 3. run "ipa-server-certinstall -d -w key.pem cert.pem"
> This command should stop tracking the previous cert, install the new
> one in /etc/dirsrv/slapd-xx (if -d is used) and /etc/httpd/alias (if -w
> is used), and track the new one only if signed by IPA CA. It also
> updates the attribute nssslpersonalityssl of the entry
> cn=rsa,cn=encryption,cn=config to contain the new cert nickname (for the
> dirsrv) and sets NSSNickname in /etc/httpd/conf.d/nss.conf (for httpd).


Right.

> After those steps, I noticed that
> - the entries
> krbprincipalname=HTTP/hostname@dom,cn=services,cn=accounts,dc=domain...
> and
> krbprincipalname=ldap/hostname@dom,cn=services,cn=accounts,dc=domain...
> are not updated: their attribute userCertificate still contains the old
> certificate.
> Did I miss a manual step? Is it an issue?


AFAIK ipa-server-certinstall never updated these entries. It's probably
not an issue, but it would be nice to update them, for consistency.

> - the new certificate nickname is not "Server-Cert" any more but rather
> the full subject (even if --cert-name was supplied to
> ipa-server-certinstall).
> Can this cause issues?


Actually, the full subject name is used only if the originating PKCS#12
file does not have a nickname for the server certificate.

The --cert-name option is used to select a single server certificate from the
PKCS#12 file in case there are multiple; it is not supposed to change
the nickname.

It could cause an issue if someone assumed that the nickname is always
"Server-Cert", but I don't think that there currently is code that does.

> Thanks for any input,
> Flo.



Honza

--
Jan Cholasta

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


[Freeipa-devel] Questions re. 3rd party certificates

2016-06-21 Thread Florence Blanc-Renaud

Hi,

I am working on the following issues and I have questions re. 3rd party 
certificates:
- https://fedorahosted.org/freeipa/ticket/4785 ipa-server-certinstall 
tracks the 3rd party cert it installs with certmonger
- https://fedorahosted.org/freeipa/ticket/4786 ipa-server-certinstall 
does not accept certs signed by 3rd party CAs


First I would like to validate that my scenario is the correct one:
FreeIPA installed with an embedded CA. The customer now wants to use a 
different certificate for httpd and dirsrv, signed by a 3rd party CA. 
The steps to achieve this are:
1. run "ipa-cacert-manage install -t C,, " to install the 
3rd party CA certificate. This step puts the CA certificate in the LDAP 
entry cn=certificates,cn=ipa,cn=etc,dc=...


2. run "ipa-certupdate" to retrieve the CA cert from LDAP and put it 
into /etc/ipa/nssdb /etc/dirsrv/slapd-xxx and /etc/httpd/alias
Note that this command does not put the CA cert into 
/etc/pki/pki-tomcat/alias, is this expected? I had to perform this 
manually (otherwise tomcat won't restart later).


3. run "ipa-server-certinstall -d -w key.pem cert.pem"
This command should stop tracking the previous cert, install the new 
one in /etc/dirsrv/slapd-xx (if -d is used) and /etc/httpd/alias (if -w 
is used), and track the new one only if signed by IPA CA. It also 
updates the attribute nssslpersonalityssl of the entry 
cn=rsa,cn=encryption,cn=config to contain the new cert nickname (for the 
dirsrv) and sets NSSNickname in /etc/httpd/conf.d/nss.conf (for httpd).


After those steps, I noticed that
- the entries 
krbprincipalname=HTTP/hostname@dom,cn=services,cn=accounts,dc=domain... 
and 
krbprincipalname=ldap/hostname@dom,cn=services,cn=accounts,dc=domain... 
are not updated: their attribute userCertificate still contains the old 
certificate.

Did I miss a manual step? Is it an issue?

- the new certificate nickname is not "Server-Cert" any more but rather 
the full subject (even if --cert-name was supplied to 
ipa-server-certinstall).

Can this cause issues?

Thanks for any input,
Flo.
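A consistency check for the state that steps 1-3 above are expected to leave behind, covering the two things noticed afterwards: the service entries' userCertificate still holding the old certificate, and the installed certificate living in the NSS database under its full subject rather than "Server-Cert". This is an added example, not code from this thread or from FreeIPA itself. It works on captured text rather than on a live system, so it runs offline: the `certutil -L -d /etc/httpd/alias` output, the nss.conf lines and the userCertificate values below are constructed samples, and the certificate bytes are placeholders rather than real X.509 data (the audit only compares SHA-256 fingerprints of the DER, so that is sufficient).

```python
"""Post-install audit for a 3rd-party server certificate in FreeIPA.

Added example (not FreeIPA code). Checks that the nickname httpd's nss.conf
points at exists in the NSS database with a private key, and that the
service entry's userCertificate already carries the new certificate.
"""
import base64
import hashlib
import re


def pem_to_der(pem_text):
    """Decode the first CERTIFICATE block of a PEM file into DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(der_bytes):
    """SHA-256 over the DER, i.e. what `openssl x509 -fingerprint -sha256`
    prints, without the colons."""
    return hashlib.sha256(der_bytes).hexdigest()


def parse_certutil_list(output):
    """Parse `certutil -L -d <dir>` output into {nickname: trust flags}.

    Nicknames may contain single spaces (a full subject does); the trust
    column is separated from the nickname by at least two spaces.
    """
    certs = {}
    for line in output.splitlines():
        m = re.match(r"^(.*\S)\s{2,}([A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$", line)
        if m:
            certs[m.group(1)] = m.group(2)
    return certs


def nss_nickname_from_conf(conf_text):
    """Return the NSSNickname value from an httpd nss.conf, or None."""
    for line in conf_text.splitlines():
        m = re.match(r'^\s*NSSNickname\s+"?(.+?)"?\s*$', line)
        if m:
            return m.group(1)
    return None


def audit(new_cert_pem, nss_conf_text, certutil_output, ldap_user_certs):
    """Return a list of findings; an empty list means everything agrees.

    ldap_user_certs: DER values of the service entry's userCertificate
    attribute (what ldapsearch returns, base64-decoded).
    """
    findings = []
    new_fp = fingerprint(pem_to_der(new_cert_pem))

    nickname = nss_nickname_from_conf(nss_conf_text)
    nssdb = parse_certutil_list(certutil_output)
    if nickname is None:
        findings.append("nss.conf: NSSNickname not set")
    elif nickname not in nssdb:
        findings.append("nss.conf: NSSNickname %r is not in the NSS database"
                        % nickname)
    elif "u" not in nssdb[nickname].split(",")[0]:
        # 'u' in the SSL column means the database holds the private key.
        findings.append("nssdb: %r has no private key" % nickname)

    if new_fp not in {fingerprint(der) for der in ldap_user_certs}:
        findings.append("ldap: userCertificate does not contain the new cert "
                        "(stale value from the previous certificate?)")
    return findings


# Constructed sample data: stand-ins for DER certificates, not real X.509.
OLD_DER = b"constructed-old-ipa-ca-signed-server-cert"
NEW_DER = b"constructed-new-third-party-signed-server-cert"
NEW_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
                + base64.encodebytes(NEW_DER).decode()
                + "-----END CERTIFICATE-----\n")

# Constructed `certutil -L -d /etc/httpd/alias` output after step 3; the
# 3rd-party cert was imported under its full subject as the nickname.
CERTUTIL_AFTER = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=ipa.example.test,O=Example Corp                           u,u,u
EXAMPLE.TEST IPA CA                                          CT,C,C
Third Party Root CA                                          C,,
"""

# Constructed nss.conf fragment as ipa-server-certinstall -w would leave it.
NSS_CONF_AFTER = """\
NSSCertificateDatabase /etc/httpd/alias
NSSNickname CN=ipa.example.test,O=Example Corp
"""

# Constructed: the HTTP/ service entry still carries only the old cert
# (the situation described in the thread) versus one that was updated.
LDAP_USER_CERTS_STALE = [OLD_DER]
LDAP_USER_CERTS_FIXED = [OLD_DER, NEW_DER]

if __name__ == "__main__":
    for label, certs in (("stale", LDAP_USER_CERTS_STALE),
                         ("fixed", LDAP_USER_CERTS_FIXED)):
        print(label, audit(NEW_CERT_PEM, NSS_CONF_AFTER, CERTUTIL_AFTER, certs)
              or ["ok"])
```

Run against the stale sample it reports only the LDAP finding; against the updated sample it reports nothing. Swapping the nss.conf line for `NSSNickname Server-Cert` reproduces the failure mode Jan mentions, code that assumes the nickname is always "Server-Cert", as a finding rather than an httpd start failure.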
