Re: [Freeipa-users] ipa-cert-agent, Object Signing Cert certificate renewal
realstarhealer wrote: Hi Rob, I was concerned, just because it nowhere clearly stated what ipa-ca-agent / caAdminCert with default serial id #6 is used for and how it affects the system when expired. It isn't used at all. This is the admin cert typically used when interfacing with the dogtag UI. You are certainly free to renew it but it isn't something that IPA typically needs. So if it is not needed by IPA, I also do not strictly need to recreate a new valid Cert for that. Right Is it sure, that it is unnecessarily, can we verify this somehow? Just want to be sure that my 1+ Hosts will not suddenly stop to authenticate us in the next days, because of this one. There have been some bumps in renewals over the years but never one due to this certificate. rob Greeting Vitali *Von:* Rob Crittenden *Gesendet:* Montag, 22. August 2016 17:27 *An:* realstarhealer; freeipa-users@redhat.com *Betreff:* Re: AW: AW: [Freeipa-users] ipa-cert-agent, Object Signing Cert certificate renewal realstarhealer wrote: Hi, It seemes I confused you. I just used the CVE Tutorial as a hint on generally how to create a new Cert for ipa-ca-agent (for uid admin). There is nothing wrong with my IPA RA (ipaCert), as it is monitored via certmonger and has been renewed recently. So returning to my previous question, is it sufficient to replace the expired #6 for uid admin in ldap with my new Cert, i created or is #6 used in more location than this one? You'd also need to update the description value. Why are you concerned about updating this certificate? IPA doesn't use it in any way AFAIK. rob Thanks and Greetings Vitali Ursprüngliche Nachricht Von: Rob Crittenden Datum: 22.08.16 16:40 (GMT+01:00) An: realstarhealer , Freeipa-users@redhat.com Cc: Jan Cholasta Betreff: Re: AW: [Freeipa-users] ipa-cert-agent, Object Signing Cert certificate renewal Please keep responses on the list. realstarhealer wrote: Hi Rob, setting back the date and restarting did not help, in fact it can't, because certmonger is not tracking these two by default. Regarding the ipa-ca-agent Cert: I followed CVE-2015-5284 slightly to create a new valid ipa-ca-agent certificate. You re-created the wrong cert. You need the cert with subject 'CN=IPA RA,O=' The RA agent (original serial # usually 7) and the CA Agent (original serial # usually 6) have different purposes. Were you affected by the CVE? I'm not sure why you'd try to replace it in this way. As for the tracking, you'd do something like this (untested b/c I don't have a 4.1 install): # getcert start-tracking -d /etc/httpd/alias -n ipaCert -p /etc/httpd/alias/pwdfile.txt -c dogtag-ipa-ca-renew-agent -C renew_ra_cert Via pki cert-find --name 'ipa-ca-agent' I can now see both, the new and the expired. Via freeipa webui I can also See both. Via ldapsearch -D 'cn=Directory Manager' -W -b 'ou=people,o=ipaca' I see uid=admin using the old expired Cert ID. Is it sufficient to ldapmodify the new valid Cert to uid=admin to solve this? As far as I can See, it is the only place this Cert is used. The instructions on the wiki at https://www.freeipa.org/page/CVE-2015-5284 seem to confuse the RA agent CVE-2015-5284 - FreeIPA <https://www.freeipa.org/page/CVE-2015-5284> www.freeipa.org CVE-2015-5284 Summary. The ipa-kra-install command, which configures KRA for IPA, puts the CA agent certificate and private key to a world readable file, /etc/httpd ... with the CA agent. I don't know the details of that CVE but someone needs to revisit these docs. I'd prefer some clarity around SUBJECT, it will always be CN=IPA RA, Similarly there is no need to update ca-agent.p12 file if the RA agent cert is being replaced. rob Greetings Vitali Ursprüngliche Nachricht Von: Rob Crittenden Datum: 18.08.16 15:28 (GMT+01:00) An: realstarhealer , freeipa-users@redhat.com Betreff: Re: [Freeipa-users] ipa-cert-agent, Object Signing Cert certificate renewal realstarhealer wrote: Hi, I am in charge for a freeipa 4.1.0.18.el7 server with ldap backend and noticed some expired certificates recently. Most of them but 2 are auto-renewing by certmonger as I checked. All of them are self signed. "CN=ipa-ca-agent" and "CN=Object Signing Cert" are not subscribed by certmonger, ipa-ca-agent expired some days ago and has not been renewed. Second one expires soon. No consequences noticed so far. Can you tell me what they both are for and - if needed - how I should renew that separately? Preferable with certmonger. An Output how the tracking config should look like would be nice. The object signing cert can probably be ignored. This was used to sign a jar file used to automatically configure Firefox but that approach doesn't work any more. The agent cer
Re: [Freeipa-users] ipa-cert-agent, Object Signing Cert certificate renewal
Hi Rob, I was concerned, just because it nowhere clearly stated what ipa-ca-agent / caAdminCert with default serial id #6 is used for and how it affects the system when expired. So if it is not needed by IPA, I also do not strictly need to recreate a new valid Cert for that. Is it sure, that it is unnecessarily, can we verify this somehow? Just want to be sure that my 1+ Hosts will not suddenly stop to authenticate us in the next days, because of this one. Greeting Vitali Von: Rob Crittenden Gesendet: Montag, 22. August 2016 17:27 An: realstarhealer; freeipa-users@redhat.com Betreff: Re: AW: AW: [Freeipa-users] ipa-cert-agent, Object Signing Cert certificate renewal realstarhealer wrote: > Hi, > > It seemes I confused you. I just used the CVE Tutorial as a hint on > generally how to create a new Cert for ipa-ca-agent (for uid admin). > There is nothing wrong with my IPA RA (ipaCert), as it is monitored via > certmonger and has been renewed recently. > > So returning to my previous question, is it sufficient to replace the > expired #6 for uid admin in ldap with my new Cert, i created or is #6 > used in more location than this one? You'd also need to update the description value. Why are you concerned about updating this certificate? IPA doesn't use it in any way AFAIK. rob > > Thanks and Greetings > Vitali > > > Ursprüngliche Nachricht > Von: Rob Crittenden > Datum: 22.08.16 16:40 (GMT+01:00) > An: realstarhealer , Freeipa-users@redhat.com > Cc: Jan Cholasta > Betreff: Re: AW: [Freeipa-users] ipa-cert-agent, Object Signing Cert > certificate renewal > > Please keep responses on the list. > > realstarhealer wrote: >> Hi Rob, >> >> setting back the date and restarting did not help, in fact it can't, >> because certmonger is not tracking these two by default. >> >> Regarding the ipa-ca-agent Cert: >> I followed CVE-2015-5284 slightly to create a new valid ipa-ca-agent >> certificate. > > You re-created the wrong cert. You need the cert with subject 'CN=IPA > RA,O=' The RA agent (original serial # usually 7) and the CA > Agent (original serial # usually 6) have different purposes. > > Were you affected by the CVE? I'm not sure why you'd try to replace it > in this way. > > As for the tracking, you'd do something like this (untested b/c I don't > have a 4.1 install): > > # getcert start-tracking -d /etc/httpd/alias -n ipaCert -p > /etc/httpd/alias/pwdfile.txt -c dogtag-ipa-ca-renew-agent -C renew_ra_cert > >> Via pki cert-find --name 'ipa-ca-agent' I can now see both, the new and >> the expired. >> Via freeipa webui I can also See both. >> Via ldapsearch -D 'cn=Directory Manager' -W -b 'ou=people,o=ipaca' I see >> uid=admin using the old expired Cert ID. >> >> Is it sufficient to ldapmodify the new valid Cert to uid=admin to solve >> this? As far as I can See, it is the only place this Cert is used. > > The instructions on the wiki at > https://www.freeipa.org/page/CVE-2015-5284 seem to confuse the RA agent CVE-2015-5284 - FreeIPA<https://www.freeipa.org/page/CVE-2015-5284> www.freeipa.org CVE-2015-5284 Summary. The ipa-kra-install command, which configures KRA for IPA, puts the CA agent certificate and private key to a world readable file, /etc/httpd ... > with the CA agent. I don't know the details of that CVE but someone > needs to revisit these docs. I'd prefer some clarity around SUBJECT, it > will always be CN=IPA RA, > > Similarly there is no need to update ca-agent.p12 file if the RA agent > cert is being replaced. > > rob > >> >> Greetings >> Vitali >> >> >> Ursprüngliche Nachricht >> Von: Rob Crittenden >> Datum: 18.08.16 15:28 (GMT+01:00) >> An: realstarhealer , freeipa-users@redhat.com >> Betreff: Re: [Freeipa-users] ipa-cert-agent, Object Signing Cert >> certificate renewal >> >> realstarhealer wrote: >>> Hi, >>> >>> I am in charge for a freeipa 4.1.0.18.el7 server with ldap backend and >>> noticed some expired certificates recently. Most of them but 2 are >>> auto-renewing by certmonger as I checked. All of them are self signed. >>> >>> "CN=ipa-ca-agent" and "CN=Object Signing Cert" are not subscribed by >>> certmonger, ipa-ca-agent expired some days ago and has not been renewed. >>> Second one expires soon. No consequences noticed so far. >>> Can you tell me what they both are for and - if needed - how I should >>> renew that separately? Preferable with cert
Re: [Freeipa-users] ipa-cert-agent, Object Signing Cert certificate renewal
realstarhealer wrote: Hi, It seemes I confused you. I just used the CVE Tutorial as a hint on generally how to create a new Cert for ipa-ca-agent (for uid admin). There is nothing wrong with my IPA RA (ipaCert), as it is monitored via certmonger and has been renewed recently. So returning to my previous question, is it sufficient to replace the expired #6 for uid admin in ldap with my new Cert, i created or is #6 used in more location than this one? You'd also need to update the description value. Why are you concerned about updating this certificate? IPA doesn't use it in any way AFAIK. rob Thanks and Greetings Vitali Ursprüngliche Nachricht Von: Rob Crittenden Datum: 22.08.16 16:40 (GMT+01:00) An: realstarhealer , Freeipa-users@redhat.com Cc: Jan Cholasta Betreff: Re: AW: [Freeipa-users] ipa-cert-agent, Object Signing Cert certificate renewal Please keep responses on the list. realstarhealer wrote: Hi Rob, setting back the date and restarting did not help, in fact it can't, because certmonger is not tracking these two by default. Regarding the ipa-ca-agent Cert: I followed CVE-2015-5284 slightly to create a new valid ipa-ca-agent certificate. You re-created the wrong cert. You need the cert with subject 'CN=IPA RA,O=' The RA agent (original serial # usually 7) and the CA Agent (original serial # usually 6) have different purposes. Were you affected by the CVE? I'm not sure why you'd try to replace it in this way. As for the tracking, you'd do something like this (untested b/c I don't have a 4.1 install): # getcert start-tracking -d /etc/httpd/alias -n ipaCert -p /etc/httpd/alias/pwdfile.txt -c dogtag-ipa-ca-renew-agent -C renew_ra_cert Via pki cert-find --name 'ipa-ca-agent' I can now see both, the new and the expired. Via freeipa webui I can also See both. Via ldapsearch -D 'cn=Directory Manager' -W -b 'ou=people,o=ipaca' I see uid=admin using the old expired Cert ID. Is it sufficient to ldapmodify the new valid Cert to uid=admin to solve this? As far as I can See, it is the only place this Cert is used. The instructions on the wiki at https://www.freeipa.org/page/CVE-2015-5284 seem to confuse the RA agent with the CA agent. I don't know the details of that CVE but someone needs to revisit these docs. I'd prefer some clarity around SUBJECT, it will always be CN=IPA RA, Similarly there is no need to update ca-agent.p12 file if the RA agent cert is being replaced. rob Greetings Vitali Ursprüngliche Nachricht Von: Rob Crittenden Datum: 18.08.16 15:28 (GMT+01:00) An: realstarhealer , freeipa-users@redhat.com Betreff: Re: [Freeipa-users] ipa-cert-agent, Object Signing Cert certificate renewal realstarhealer wrote: Hi, I am in charge for a freeipa 4.1.0.18.el7 server with ldap backend and noticed some expired certificates recently. Most of them but 2 are auto-renewing by certmonger as I checked. All of them are self signed. "CN=ipa-ca-agent" and "CN=Object Signing Cert" are not subscribed by certmonger, ipa-ca-agent expired some days ago and has not been renewed. Second one expires soon. No consequences noticed so far. Can you tell me what they both are for and - if needed - how I should renew that separately? Preferable with certmonger. An Output how the tracking config should look like would be nice. The object signing cert can probably be ignored. This was used to sign a jar file used to automatically configure Firefox but that approach doesn't work any more. The agent cert is used by IPA to communicate to dogtag so yeah, that's pretty important. Since it is expired you'd need to go back in time to renew it. Restarting the certmonger process is the simplest method to force it to try to renew. rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] ipa-cert-agent, Object Signing Cert certificate renewal
Please keep responses on the list. realstarhealer wrote: Hi Rob, setting back the date and restarting did not help, in fact it can't, because certmonger is not tracking these two by default. Regarding the ipa-ca-agent Cert: I followed CVE-2015-5284 slightly to create a new valid ipa-ca-agent certificate. You re-created the wrong cert. You need the cert with subject 'CN=IPA RA,O=' The RA agent (original serial # usually 7) and the CA Agent (original serial # usually 6) have different purposes. Were you affected by the CVE? I'm not sure why you'd try to replace it in this way. As for the tracking, you'd do something like this (untested b/c I don't have a 4.1 install): # getcert start-tracking -d /etc/httpd/alias -n ipaCert -p /etc/httpd/alias/pwdfile.txt -c dogtag-ipa-ca-renew-agent -C renew_ra_cert Via pki cert-find --name 'ipa-ca-agent' I can now see both, the new and the expired. Via freeipa webui I can also See both. Via ldapsearch -D 'cn=Directory Manager' -W -b 'ou=people,o=ipaca' I see uid=admin using the old expired Cert ID. Is it sufficient to ldapmodify the new valid Cert to uid=admin to solve this? As far as I can See, it is the only place this Cert is used. The instructions on the wiki at https://www.freeipa.org/page/CVE-2015-5284 seem to confuse the RA agent with the CA agent. I don't know the details of that CVE but someone needs to revisit these docs. I'd prefer some clarity around SUBJECT, it will always be CN=IPA RA, Similarly there is no need to update ca-agent.p12 file if the RA agent cert is being replaced. rob Greetings Vitali Ursprüngliche Nachricht Von: Rob Crittenden Datum: 18.08.16 15:28 (GMT+01:00) An: realstarhealer , freeipa-users@redhat.com Betreff: Re: [Freeipa-users] ipa-cert-agent, Object Signing Cert certificate renewal realstarhealer wrote: Hi, I am in charge for a freeipa 4.1.0.18.el7 server with ldap backend and noticed some expired certificates recently. Most of them but 2 are auto-renewing by certmonger as I checked. All of them are self signed. "CN=ipa-ca-agent" and "CN=Object Signing Cert" are not subscribed by certmonger, ipa-ca-agent expired some days ago and has not been renewed. Second one expires soon. No consequences noticed so far. Can you tell me what they both are for and - if needed - how I should renew that separately? Preferable with certmonger. An Output how the tracking config should look like would be nice. The object signing cert can probably be ignored. This was used to sign a jar file used to automatically configure Firefox but that approach doesn't work any more. The agent cert is used by IPA to communicate to dogtag so yeah, that's pretty important. Since it is expired you'd need to go back in time to renew it. Restarting the certmonger process is the simplest method to force it to try to renew. rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] ipa-cert-agent, Object Signing Cert certificate renewal
realstarhealer wrote: Hi, I am in charge for a freeipa 4.1.0.18.el7 server with ldap backend and noticed some expired certificates recently. Most of them but 2 are auto-renewing by certmonger as I checked. All of them are self signed. "CN=ipa-ca-agent" and "CN=Object Signing Cert" are not subscribed by certmonger, ipa-ca-agent expired some days ago and has not been renewed. Second one expires soon. No consequences noticed so far. Can you tell me what they both are for and - if needed - how I should renew that separately? Preferable with certmonger. An Output how the tracking config should look like would be nice. The object signing cert can probably be ignored. This was used to sign a jar file used to automatically configure Firefox but that approach doesn't work any more. The agent cert is used by IPA to communicate to dogtag so yeah, that's pretty important. Since it is expired you'd need to go back in time to renew it. Restarting the certmonger process is the simplest method to force it to try to renew. rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project