#3668 CA-less install fails when intermediate CA is used
Closed: Fixed None Opened 10 years ago by jcholast.

There are multiple issues across different tools used in IPA installation which prevent installation of CA-less with intermediate CA.

One of the symptoms is wrong trust flags being assigned to the intermediate CA certificate when importing the PKCS#12 file:

$ certutil -L <dbdir>
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

The Root CA                                                  CT,C,C
ca1/subca/server                                             u,u,u
ca1/subca                                                    ,,

This in turn causes certutil to return an incomplete trust chain:

$ certutil -O -d <dbdir> -n ca1/subca/server
"ca1/subca/server" [CN=vm-131.idm.lab.bos.redhat.com,O=Subsidiary Example Organization]

Trust flags of intermediate CA certificates should be set to "c,c,c" to fix this.

There is a relevant discussion on freeipa-devel list.
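As an added example (not from the ticket or from FreeIPA's own code), a small Python checker that parses `certutil -L` output, flags intermediate CA certificates left with empty trust attributes, and builds the `certutil -M` command that applies the "c,c,c" flags described above; the listing and the database path are constructed for the example.

```python
import re

# Constructed sample of `certutil -L -d <dbdir>` output mirroring the ticket.
# In practice this text would come from running certutil via subprocess.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

The Root CA                                                  CT,C,C
ca1/subca/server                                             u,u,u
ca1/subca                                                    ,,
"""

# nickname, at least two spaces, then the three comma-separated trust slots
LINE_RE = re.compile(
    r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)$"
)


def parse_certutil_listing(text):
    """Return {nickname: (ssl, smime, jar)} parsed from certutil -L output."""
    certs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue  # header lines and blanks carry no trust attributes
        certs[m.group("nick")] = tuple(m.group("trust").split(","))
    return certs


def find_untrusted_intermediates(certs):
    """Nicknames of CA certs that are neither the leaf ('u', has a private
    key) nor a trusted root ('C' or 'T' in the SSL slot) and lack the 'c'
    flag; these are the intermediates that break chain building."""
    bad = []
    for nick, (ssl, _smime, _jar) in certs.items():
        if "u" in ssl or "C" in ssl or "T" in ssl:
            continue
        if "c" not in ssl:
            bad.append(nick)
    return bad


def fix_commands(dbdir, nicks):
    """certutil -M invocations that set the 'c,c,c' trust flags."""
    return ["certutil -M -d %s -n '%s' -t 'c,c,c'" % (dbdir, n) for n in nicks]


if __name__ == "__main__":
    found = find_untrusted_intermediates(parse_certutil_listing(SAMPLE_LISTING))
    print("\n".join(fix_commands("/path/to/dbdir", found)))
```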


This ticket is a Fedora 19 development issue (CA-less installation feature - ticket #3363). jcholast is working on resolution, has most of the patches ready.

Moving to 3.2.x bugfixing bucket.

... and now the actual milestone change.

We do not support intermediate CAs for external CA install or CA-less install. Thus, this ticket cannot be easily solved without extensive changes to the installer. Related to #3274 (Pilsner milestone).

Moving back to triage to decide what to do about this ticket.

I will make a patch to print a meaningful error message when intermediate CA is detected, for now.

Actually, I think the current error message is good enough:

server.p12 is not signed by root.pem, or the full certificate chain is not present in the PKCS#12 file

Based on jcholast's note in https://bugzilla.redhat.com/show_bug.cgi?id=973195, this should be fixed already in 4.1.x.

Metadata Update from @jcholast:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.1.5

7 years ago
