I’m aware of the bug filed here, but the workaround as documented did not work:

Looking at this ticket:
It seems that it won’t be fixed until freeipa 4.5.

Is there any workaround currently in freeipa 4.2/4.3 to somehow manually
generate a CSR that can be recognized by Microsoft?
The ipa-server-install was able to generate a CSR for root CA signing if one
specifies --external-ca-type ms-cs, which works for MS AD CA.

But no such option exists for ipa-cacert-manage.

Details below:
I’m trying to upgrade our current IPA installation from self-signed to be 
signed by the CA operated by IT.
So I followed the procedure here to generate the CSR to be signed:
However, when I submitted the CSR to be signed, the Microsoft Windows 2012R2 
ADCA rejected the CSR with this error:
Certificate not issued (Denied) Denied by Policy Module  0x80094800, The
request was for a certificate template that is not supported by the Active
Directory Certificate Services policy: ipaCSRExport/PANW_Subordinate Certification Authority.
The requested certificate template is not supported by this CA. 0x80094800
1401.5098.0:<2016/11/3, 11:11:3>: 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE)
1401.5602.0:<2016/11/3, 11:11:3>: 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE)
1401.16709.0:<2016/11/3, 11:11:3>: 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE)
Certificate Request Processor: The requested certificate template is not
supported by this CA. 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE)
Denied by Policy Module  0x80094800, The request was for a certificate template
that is not supported by the Active Directory Certificate Services policy:
ipaCSRExport/PANW_Subordinate Certification Authority.

Here is what the CSR looks like (with keys taken out):
Certificate Request:
        Version: 0 (0x0)
        Subject: O=XYZ.LOCAL, CN=Certificate Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
            friendlyName             :unable to print attribute
        Requested Extensions:
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
            X509v3 Subject Key Identifier:
    Signature Algorithm: sha256WithRSAEncryption

I tried the workaround documented on the webpage and asked for the CSR to be
processed via the command-line certreq. Same error.
I’ve also tried this workaround:
where I manually generated the cert via certutil:
# echo -e -n '\x1E\x0A\x00\x53\x00\x75\x00\x62\x00\x43\x00\x41' >ext-value
# certutil -R -d /etc/pki/pki-tomcat/alias -f <(grep -Po '(?<=internal=).*' /etc/pki/pki-tomcat/password.conf) -k 'caSigningCert cert-pki-ca' --extGeneric= -o ipa.csr -a

which didn’t work either.

I’m running IPA version 4.2.0 on CentOS 7.2.1511

Also, if I run ipa-server-install --external-ca --external-ca-type ms-cs on a
test box, it’ll generate a CSR that works, the only difference being that the
X509v3 extensions are not there.
So I’m not sure if the same logic that’s used in ipa-server-install can be used
in ipa-cacert-manage to generate the renewal CSR.

Please help to generate a correct CSR for Microsoft Windows 2012R2 CA to 
recognize and sign so I can chain the existing self-signed CA to it. Thanks.

Efficiency is Intelligent Laziness
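As an added example, not part of the original post or of FreeIPA's own code: the ext-value bytes in the certutil workaround above are the DER encoding of the BMPString "SubCA", which AD CS expects to find in the Microsoft Certificate Template Name extension (OID 1.3.6.1.4.1.311.20.2, szOID_ENROLL_CERTTYPE_EXTENSION). The stand-alone Python script below builds that extension for any template name, and walks a DER extension list to report whether the template name is present, which is the quick check that explains why a CSR like the one shown, whose Requested Extensions carry only Key Usage, Basic Constraints and Subject Key Identifier, is rejected with CERTSRV_E_UNSUPPORTED_CERT_TYPE. The function names, the sample subject and the hypothetical template name "WebServer" are my own; the optional build_csr_with_template helper assumes a cryptography release whose CSR builder accepts x509.UnrecognizedExtension and is not needed by the stdlib-only parts.

```python
# Constructed example: build and inspect the Microsoft Certificate Template
# Name extension with the standard library only (the CSR builder at the end
# is optional and needs the third-party `cryptography` package).
from typing import Optional

MS_TEMPLATE_NAME_OID = "1.3.6.1.4.1.311.20.2"  # szOID_ENROLL_CERTTYPE_EXTENSION
TAG_BOOLEAN, TAG_OID, TAG_OCTET_STRING, TAG_BMPSTRING, TAG_SEQUENCE = 0x01, 0x06, 0x04, 0x1E, 0x30


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, value: bytes) -> bytes:
    """Tag-length-value wrapper for one DER element."""
    return bytes([tag]) + der_length(len(value)) + value


def encode_bmpstring(text: str) -> bytes:
    """BMPString is UCS-2 big-endian; "SubCA" yields the ext-value bytes from the post."""
    return der_tlv(TAG_BMPSTRING, text.encode("utf-16-be"))


def encode_oid(dotted: str) -> bytes:
    """Dotted OID -> DER OBJECT IDENTIFIER (first two arcs merged, base-128 for the rest)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(TAG_OID, bytes(out))


def decode_oid(value: bytes) -> str:
    """Inverse of encode_oid, applied to the content octets (no tag/length)."""
    first = value[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def encode_template_extension(template_name: str) -> bytes:
    """Extension SEQUENCE { extnID, extnValue OCTET STRING } wrapping the BMPString.
    It is non-critical, so DER omits the DEFAULT FALSE critical boolean."""
    body = encode_oid(MS_TEMPLATE_NAME_OID) + der_tlv(TAG_OCTET_STRING, encode_bmpstring(template_name))
    return der_tlv(TAG_SEQUENCE, body)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the DER element starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:  # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def find_template_name(extensions_der: bytes) -> Optional[str]:
    """Walk a DER SEQUENCE OF Extension (a CSR's extensionRequest payload) and
    return the template name, or None when the extension is missing."""
    tag, seq, _ = _read_tlv(extensions_der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("expected SEQUENCE OF Extension")
    pos = 0
    while pos < len(seq):
        _, ext, pos = _read_tlv(seq, pos)
        tag, oid_bytes, p = _read_tlv(ext, 0)
        if tag != TAG_OID or decode_oid(oid_bytes) != MS_TEMPLATE_NAME_OID:
            continue
        tag, val, p = _read_tlv(ext, p)
        if tag == TAG_BOOLEAN:  # explicit critical flag present; skip it
            tag, val, p = _read_tlv(ext, p)
        inner_tag, inner, _ = _read_tlv(val, 0)
        if inner_tag != TAG_BMPSTRING:
            raise ValueError("template name is not a BMPString")
        return inner.decode("utf-16-be")
    return None


def build_csr_with_template(template_name: str, common_name: str, org: str) -> bytes:
    """Optional: PEM CSR carrying the template extension (needs `cryptography`;
    assumes its CSR builder accepts x509.UnrecognizedExtension)."""
    from cryptography import x509
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import rsa
    from cryptography.x509.oid import NameOID

    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    template_ext = x509.UnrecognizedExtension(
        x509.ObjectIdentifier(MS_TEMPLATE_NAME_OID), encode_bmpstring(template_name))
    subject = x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, org),
                         x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    csr = (x509.CertificateSigningRequestBuilder().subject_name(subject)
           .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
           .add_extension(template_ext, critical=False)
           .sign(key, hashes.SHA256()))
    return csr.public_bytes(serialization.Encoding.PEM)
```

Running encode_template_extension("SubCA").hex() gives 301906092b0601040182371402040c1e0a00530075006200430041, i.e. the OID TLV followed by an OCTET STRING that wraps exactly the 1E 0A 00 53 ... 00 41 bytes from the post; find_template_name can be pointed at the raw extensionRequest attribute of any CSR dumped from NSS or OpenSSL to confirm the name the policy module will see before the request is submitted.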
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
