#2019 non-CA is allowed to be used as an external CA signer.
Closed: Fixed. Opened 12 years ago by rcritten.

https://bugzilla.redhat.com/show_bug.cgi?id=747991

Description of problem:


Version-Release number of selected component (if applicable):
ipa-server-2.1.2-2.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
# ipa-server-install --external-ca
# mkdir ipa-ca
# cd ipa-ca/
# certutil -N -d . -f /root/pwdfile.txt
# certutil -G -d . -z /root/noise.txt -f /root/pwdfile.txt
# certutil -S -n "CA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d . -z /root/noise.txt -f /root/pwdfile.txt
# certutil -C -m 2345 -i /root/ipa.csr -o ipacacert.crt -c "CA certificate" -d . -a -f /root/pwdfile.txt
# certutil -A -n ipa-ca@redhat.com -t "u,u,u" -i ipacacert.crt -d . -a
# certutil -L -d . -n "CA certificate" -a > cacert.asc
# ls
cacert.asc  cert8.db  ipacacert.crt  ipacert.req  key3.db  secmod.db

# ipa-server-install --external_cert_file=/root/ipa-ca/ipacacert.crt --external_ca_file=/root/ipa-ca/cacert.asc


Actual results: ipa-server-install setup is completed successfully. However, ipa commands fail.

ipa user-find
ipa: ERROR: cert validation failed for
"CN=ratchet.lab.eng.pnq.redhat.com,O=LAB.ENG.PNQ.REDHAT.COM"
((SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.)
ipa: ERROR: cannot connect to
u'https://ratchet.lab.eng.pnq.redhat.com/ipa/xml': [Errno -8179]
(SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.

Expected results:
non-CA should not be allowed to be used as an external CA signer.

Additional info:

[root@ratchet alias]# certutil -d . -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=CAcert                                                    CT,C,C
Server-Cert                                                  u,u,u
LAB.ENG.PNQ.REDHAT.COM IPA CA                                CT,C,C
ipaCert                                                      u,u,u
Signing-Cert                                                 u,u,u
[root@ratchet alias]#
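The expected-results line of the report asks that a signer certificate without CA status be rejected before installation rather than discovered afterwards through SEC_ERROR_UNKNOWN_ISSUER. The script below is an added example, not FreeIPA's own code and not part of the original report: a pre-flight check a practitioner can run against the external CA file and the externally signed IPA CA certificate before passing them to ipa-server-install --external_ca_file / --external_cert_file. It assumes only the openssl command line (1.1.1 or later). It checks the three properties the failing chain in the report depends on: basicConstraints CA:TRUE on the signer, a keyUsage that permits keyCertSign (a certificate with no keyUsage extension at all is tolerated), and that the signed certificate actually verifies against the signer. The make_fixture function builds constructed test material, not files from the report: a self-signed signer without basicConstraints (the same shape certutil -S produces when no -2 option is given, as in the steps above) and one with CA:TRUE, each used to sign a subordinate "IPA CA" request. The file names, subjects and the ipa-by-*.pem naming are assumptions of this example.

```shell
#!/bin/sh
# Pre-flight check for an external CA signer before ipa-server-install.
# Added example, not FreeIPA code. Assumes the openssl CLI (1.1.1 or later).

# is_ca_cert FILE: succeed only if FILE carries basicConstraints CA:TRUE.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Basic Constraints' \
        | grep -q 'CA:TRUE'
}

# has_keycertsign FILE: succeed if keyUsage permits certificate signing.
# A certificate with no keyUsage extension at all is accepted (RFC 5280
# imposes no restriction in that case); one with keyUsage but without
# keyCertSign is rejected.
has_keycertsign() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 1
    if printf '%s\n' "$text" | grep -q 'X509v3 Key Usage'; then
        printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | grep -q 'Certificate Sign'
    else
        return 0
    fi
}

# chain_verifies CAFILE CERT: does CERT chain to CAFILE as a trust anchor?
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# check_external_ca CAFILE SIGNEDCERT: 0 if the signer is usable, 1 otherwise.
# Every failed property is reported, not just the first.
check_external_ca() {
    ca=$1; cert=$2; rc=0
    if ! is_ca_cert "$ca"; then
        echo "REJECT: $ca lacks basicConstraints CA:TRUE"; rc=1
    fi
    if ! has_keycertsign "$ca"; then
        echo "REJECT: $ca has a keyUsage without keyCertSign"; rc=1
    fi
    if ! chain_verifies "$ca" "$cert"; then
        echo "REJECT: $cert does not verify against $ca"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $ca is an acceptable external CA signer for $cert"
    return "$rc"
}

# make_fixture DIR: constructed test certificates (hypothetical names, not
# from the bug report).
#   nonca.pem        self-signed, v3 (SKI only), no basicConstraints
#   ca.pem           self-signed, basicConstraints CA:TRUE, keyCertSign
#   ipa-by-nonca.pem / ipa-by-ca.pem   a subordinate CA request signed by each
make_fixture() {
    d=$1
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/signer.key" \
        -out "$d/signer.csr" -subj "/CN=CAcert" 2>/dev/null
    printf 'subjectKeyIdentifier=hash\n' > "$d/nonca.ext"
    openssl x509 -req -in "$d/signer.csr" -signkey "$d/signer.key" -days 1 \
        -extfile "$d/nonca.ext" -out "$d/nonca.pem" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl x509 -req -in "$d/signer.csr" -signkey "$d/signer.key" -days 1 \
        -extfile "$d/ca.ext" -out "$d/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/ipa.key" \
        -out "$d/ipa.csr" -subj "/CN=Certificate Authority/O=EXAMPLE.TEST" 2>/dev/null
    openssl x509 -req -in "$d/ipa.csr" -CA "$d/nonca.pem" -CAkey "$d/signer.key" \
        -CAcreateserial -days 1 -extfile "$d/ca.ext" -out "$d/ipa-by-nonca.pem" 2>/dev/null
    openssl x509 -req -in "$d/ipa.csr" -CA "$d/ca.pem" -CAkey "$d/signer.key" \
        -CAcreateserial -days 1 -extfile "$d/ca.ext" -out "$d/ipa-by-ca.pem" 2>/dev/null
}

# demo: run the check against both constructed signers.
demo() {
    d=$(mktemp -d)
    make_fixture "$d"
    echo "--- signer without basicConstraints (shape of the report's CA certificate):"
    check_external_ca "$d/nonca.pem" "$d/ipa-by-nonca.pem" || :
    echo "--- signer with CA:TRUE and keyCertSign:"
    check_external_ca "$d/ca.pem" "$d/ipa-by-ca.pem" || :
    rm -rf "$d"
}

# Usage: sh check_external_ca.sh EXTERNAL_CA_FILE SIGNED_IPA_CA_CERT
# With no arguments the constructed demo runs instead.
if [ $# -eq 2 ]; then
    check_external_ca "$1" "$2"
else
    demo
fi
```

Run it on the real files from the report's procedure as sh check_external_ca.sh /root/ipa-ca/cacert.asc /root/ipa-ca/ipacacert.crt; a non-zero exit means the signer should not be handed to ipa-server-install. Note that the NSS trust flags "CT,," on the signer only tell an NSS database to trust it; they do not change the certificate itself, which is why the check inspects the certificate's own extensions.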

Having a problem parsing the CA cert with python-nss to determine its status. Filed Fedora BZ
https://bugzilla.redhat.com/show_bug.cgi?id=796293

Start with cleaning python-nss.

Deprecate python-nss component.

External CA configuration tools and option validation were being addressed in #4480.

If you still reproduce the issue with FreeIPA 4.1 or later, please feel free to reopen the bug.

Metadata Update from @rcritten:
- Issue assigned to jdennis
- Issue set to the milestone: FreeIPA 4.1

7 years ago
