Hello, I seem to be having some issues with the IPA CA feature not generating certificates with DNS SubjectAltNames.
I'm sure this worked very well under CentOS 7.1 / IPA 4.0, but now under CentOS 7.2 / IPA 4.2 something's different. Here are the original steps which worked fine for my first use case ::

    $ ipa dnsrecord-add example.com mail --a-ip=172.17.100.25
    $ ipa host-add mail.example.com
    $ ipa service-add smtp/mail.example.com
    $ ipa service-add smtp/mail1.example.com
    $ ipa service-add-host smtp/mail.example.com --hosts=mail1.example.com
    $ ipa-getcert request -k /etc/pki/tls/private/postfix.key \
        -f /etc/pki/tls/certs/postfix.pem \
        -N CN=mail1.example.com,O=EXAMPLE.COM \
        -D mail1.example.com -D mail.example.com \
        -K smtp/mail1.example.com

(and repeat for every next member of the cluster...)

After this, I would get a certificate with something like ::

    $ sudo ipa-getcert list
    Number of certificates and requests being tracked: 3.
    Request ID '20150419153933':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/etc/pki/tls/private/postfix.key'
        certificate: type=FILE,location='/etc/pki/tls/certs/postfix.pem'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=mail1.example.com,O=EXAMPLE.COM
        expires: 2017-04-19 15:39:35 UTC
        dns: mail1.example.com,mail.example.com
        principal name: smtp/mail1.example....@example.com
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

with the Subject line in the form 'CN=<hostname>,O=EXAMPLE.COM' and the 'dns' info line present.
Suddenly, in the current setup, after the upgrade from 4.0 to 4.2, I'm getting this ::

    $ ipa dnsrecord-add example.com w3 --a-ip=172.17.17.80 --a-create-reverse
    $ ipa host-add w3.example.com
    $ ipa service-add HTTP/w3.example.com
    $ ipa service-add HTTP/http1.example.com
    $ ipa service-add-host HTTP/w3.example.com --hosts=http1.example.com
    $ ipa-getcert request -k /etc/pki/tls/private/httpd.key \
        -f /etc/pki/tls/certs/httpd.pem \
        -N CN=http1.example.com,O=EXAMPLE.COM \
        -D http1.example.com -D w3.example.com \
        -K HTTP/http1.example.com
    $ sudo ipa-getcert list
    Number of certificates and requests being tracked: 3.
    Request ID '20160327095125':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/etc/pki/tls/private/http.key'
        certificate: type=FILE,location='/etc/pki/tls/certs/http.pem'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=http1.example.com,OU=pki-ipa,O=IPA
        expires: 2018-03-28 09:51:27 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

Where's the 'CN=<hostname>,OU=pki-ipa,O=IPA' coming from instead of 'CN=<hostname>,O=EXAMPLE.COM', and why are the DNS SubjectAltNames missing?

To be clear, if I don't do ::

    $ ipa service-add-host HTTP/w3.example.com --hosts=http1.example.com

then the certificate is simply not issued, with status 'REJECTED', but once this is done properly as in the described steps, the DNS SANs are not happening. I've tried ipa-getcert from both CentOS 7.2 and Fedora 23, but only against my current IPA 4.2 on CentOS 7.2.
For the actual certificates ::

    $ sudo openssl x509 -in /etc/pki/tls/certs/postfix.pem -noout -text
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 15 (0xf)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: O=EXAMPLE.COM, CN=Certificate Authority
            Validity
                Not Before: Apr 19 15:39:35 2015 GMT
                Not After : Apr 19 15:39:35 2017 GMT
            Subject: O=EXAMPLE.COM, CN=mail1.example.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        [cut]
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Authority Key Identifier:
                    keyid:[cut]
                Authority Information Access:
                    OCSP - URI:http://ipa-ca.example.com/ca/ocsp
                X509v3 Key Usage: critical
                    Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
                X509v3 CRL Distribution Points:
                    Full Name:
                      URI:http://ipa-ca.example.com/ipa/crl/MasterCRL.bin
                    CRL Issuer:
                      DirName: O = ipaca, CN = Certificate Authority
                X509v3 Subject Key Identifier:
                    [cut]
                X509v3 Subject Alternative Name:
                    DNS:mail1.example.com, DNS:mail.example.com, othername:<unsupported>, othername:<unsupported>
        Signature Algorithm: sha256WithRSAEncryption
            [cut]

vs.
    $ sudo openssl x509 -in /etc/pki/tls/certs/http.pem -text -noout
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 71 (0x47)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: O=EXAMPLE.COM, CN=Certificate Authority
            Validity
                Not Before: Mar 27 09:51:27 2016 GMT
                Not After : Mar 28 09:51:27 2018 GMT
            Subject: O=IPA, OU=pki-ipa, CN=http1.example.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        [cut]
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Authority Key Identifier:
                    keyid:[cut]
                Authority Information Access:
                    OCSP - URI:http://idmc1.example.com:80/ca/ocsp
                X509v3 Key Usage: critical
                    Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
        Signature Algorithm: sha256WithRSAEncryption
            [cut]

so even the reference to the CRL is missing here, but OCSP is present.

Sorry if this is a duplicate, but from what I was able to find, DNS SubjectAltNames are reported as working since CentOS 7.1, and I think I'm consistent with http://www.freeipa.org/page/PKI, unless I'm missing something obvious here. For new features like certificate profiles and ACLs, I haven't changed any defaults as far as I know, as there was no need for that.

Thank you for any support in advance! And Happy Easter!

Martin
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
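The mail above compares two issued certificates by eye. The script below is an added example (not part of Martin's mail and not FreeIPA or certmonger code) that does the same comparison mechanically with the openssl CLI: it prints the subject DN in RFC 2253 order (the order certmonger shows), lists the DNS SANs, reports whether a CRL Distribution Points extension is present, and fails if any expected DNS name is missing from the SAN. It assumes only the `openssl` binary; the self-test at the bottom builds a throwaway self-signed certificate shaped like the "good" postfix.pem (subject under O=EXAMPLE.COM, two DNS SANs, no CRL DP), which needs OpenSSL 1.1.1 or newer for `req -addext`. The certificate it generates is constructed test data, not an IPA-issued certificate.

```shell
#!/bin/sh
# check_ipa_cert.sh: inspect what a CA actually put into an issued certificate.
# Added example; requires the openssl CLI. Nothing here talks to IPA or certmonger.

# Subject DN in RFC 2253 order (CN first), e.g. CN=http1.example.com,O=EXAMPLE.COM
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# DNS SANs, one per line. Empty output means the SAN extension is absent or has
# no DNS entries. Non-DNS entries such as othername:<unsupported> are dropped.
cert_dns_sans() {
    openssl x509 -in "$1" -noout -text \
        | awk '/Subject Alternative Name/ { getline; print; exit }' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# Exit 0 when the certificate carries an X509v3 CRL Distribution Points extension.
cert_has_crldp() {
    openssl x509 -in "$1" -noout -text | grep -q 'X509v3 CRL Distribution Points'
}

# check_sans CERT NAME...: print "ok" if every NAME is a DNS SAN, otherwise list
# the missing names and return 1.
check_sans() {
    c=$1; shift
    have=$(cert_dns_sans "$c")
    missing=""
    for name in "$@"; do
        printf '%s\n' "$have" | grep -qxF "$name" || missing="$missing $name"
    done
    if [ -n "$missing" ]; then
        echo "MISSING SANs:$missing"
        return 1
    fi
    echo "ok"
}

# Constructed test data: a self-signed certificate with the subject and DNS SANs
# Martin expected (not an IPA certificate). Prints the path of the PEM file.
make_test_cert() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$d/key.pem" -out "$d/cert.pem" \
        -subj "/O=EXAMPLE.COM/CN=http1.example.com" \
        -addext "subjectAltName=DNS:http1.example.com,DNS:w3.example.com" \
        >/dev/null 2>&1
    echo "$d/cert.pem"
}

# Usage: sh check_ipa_cert.sh /etc/pki/tls/certs/http.pem http1.example.com w3.example.com
if [ "$#" -ge 2 ]; then
    target=$1; shift
    echo "subject: $(cert_subject "$target")"
    if cert_has_crldp "$target"; then echo "CRL DP: present"; else echo "CRL DP: absent"; fi
    check_sans "$target" "$@"
fi
```

Run against the two certificates from the mail, the script would print `CN=mail1.example.com,O=EXAMPLE.COM` / `CRL DP: present` / `ok` for postfix.pem and `CN=http1.example.com,OU=pki-ipa,O=IPA` / `CRL DP: absent` / `MISSING SANs: http1.example.com w3.example.com` for http.pem, which is exactly the difference Martin describes. Parsing `-text` output is deliberately used instead of `-ext subjectAltName` so the check also works on the OpenSSL 1.0.2 shipped with CentOS 7.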