Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1169591
Description of problem: I'm trying to renew a CA Cert and change from self signed to external CA signed using MS ADCS.

    [root@rhel7-2 ~]# ipa-cacert-manage renew --external-ca
    Exporting CA certificate signing request, please wait
    The next step is to get /var/lib/ipa/ca.csr signed by your CA and re-run ipa-cacert-manage as:
    ipa-cacert-manage renew --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate
    The ipa-cacert-manage command was successful
    [root@rhel7-2 ~]# cd /root/certs
    [root@rhel7-2 certs]# ls
    adcs2_chain.p7b  ca.cer
    [root@rhel7-2 certs]# openssl pkcs7 -print_certs -in /root/certs/adcs2_chain.p7b -inform DER -out /root/certs/adcs2_chain.pem
    [root@rhel7-2 certs]# ipa-cacert-manage renew --external-cert-file=/root/certs/adcs2_chain.pem --external-cert-file=/root/certs/ca.cer -p Secret123
    Importing the renewed CA certificate, please wait
    Not compatible with the current CA certificate: %s
    Command ''/usr/bin/certutil' '-d' '/tmp/tmpAYIjfk' '-A' '-n' 'IPA CA' '-t' 'C,,'' returned non-zero exit status 255

Version-Release number of selected component (if applicable):

    ipa-server-4.1.0-10.el7.x86_64
    certmonger-0.75.14-2.el7.x86_64
    nss-tools-3.16.2.3-2.el7.x86_64

How reproducible: unknown

Steps to Reproduce:

1. Install IPA server
2. ipa-cacert-manage renew --external-ca
3. copy CSR to windows ADCS server
4. sign cert
5. copy cert and ADCS CA cert chain to IPA server
6. convert ADCS CA cert chain from p7b to DER pem: openssl pkcs7 -print_certs -in <p7b_file> -inform DER -out <pem_file>
7. ipa-cacert-manage renew --external-cert-file=<pem_file> --external-cert-file=<cacert> -p <password>

Actual results: fails like above

Expected results: no fail

Additional info:
This is not really a bug; it turns out the subject names are encoded differently in the original and renewed CA certs. However, this should be specifically checked for and a proper error should be returned.
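The finding in the comment above (same subject name, different DER encoding) and the request for a specific error rather than a bare certutil exit status, as an added example that is not FreeIPA code and not part of this ticket: a stdlib-only Python script that parses two DER-encoded X.509 subject Names and reports either a real subject mismatch or a pure ASN.1 string-type mismatch (for instance PrintableString in one certificate and UTF8String in the other). The two Name blobs, the attribute values and the message texts are all constructed here; with real certificates you would first extract the subject SEQUENCE from the TBSCertificate, which this example does not do.

```python
"""Added example (not FreeIPA code): distinguish a real subject-name mismatch
from an ASN.1 string-type mismatch between two DER-encoded Names.
Stdlib only; the sample Names below are constructed inline."""

# DirectoryString encodings a Name attribute value may use (tag byte -> type name)
STRING_TAGS = {0x0C: "UTF8String", 0x13: "PrintableString", 0x14: "T61String",
               0x16: "IA5String", 0x1E: "BMPString"}
# attribute OIDs printed with their usual short names
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU"}


def der_len(n):
    """DER definite-form length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])  # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:  # base-128, high bit set on all but the last byte
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def decode_oid(raw):
    # splitting the first byte as //40 and %40 is correct for the 2.5.4.x attribute OIDs used here
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def read_tlv(buf, pos):
    """Return (tag, content, position after the element) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def build_name(attrs, string_tag):
    """Name ::= SEQUENCE OF RDN; RDN ::= SET OF SEQUENCE { type OID, value string }."""
    rdns = b"".join(
        tlv(0x31, tlv(0x30, tlv(0x06, encode_oid(oid)) + tlv(string_tag, text.encode("utf-8"))))
        for oid, text in attrs)
    return tlv(0x30, rdns)


def parse_name(der):
    """Return [(attribute, string_type, text), ...] in encoded order."""
    tag, seq, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("Name is not a single SEQUENCE")
    parsed, pos = [], 0
    while pos < len(seq):
        tag, rdn, pos = read_tlv(seq, pos)
        if tag != 0x31:
            raise ValueError("RDN is not a SET")
        p = 0
        while p < len(rdn):
            tag, atv, p = read_tlv(rdn, p)
            _, oid, q = read_tlv(atv, 0)
            val_tag, val, _ = read_tlv(atv, q)
            text = val.decode("utf-16-be") if val_tag == 0x1E else val.decode("utf-8", "replace")
            attr = OID_NAMES.get(decode_oid(oid), decode_oid(oid))
            parsed.append((attr, STRING_TAGS.get(val_tag, hex(val_tag)), text))
    return parsed


def name_to_text(parsed):
    return ",".join(f"{attr}={text}" for attr, _, text in parsed)


def check_subject_compatible(current_der, renewed_der):
    """(ok, message): name the actual difference instead of surfacing a certutil exit code."""
    if current_der == renewed_der:
        return True, "subject names are byte-identical"
    cur, new = parse_name(current_der), parse_name(renewed_der)
    if name_to_text(cur) != name_to_text(new):
        return False, f"subject differs: current '{name_to_text(cur)}', renewed '{name_to_text(new)}'"
    diffs = [f"{a}: {t1} vs {t2}" for (a, t1, _), (_, t2, _) in zip(cur, new) if t1 != t2]
    return False, "subject text matches but ASN.1 string types differ: " + "; ".join(diffs)


# constructed sample: identical subject text, different DirectoryString encodings
SUBJECT = [("2.5.4.10", "EXAMPLE.TEST"), ("2.5.4.3", "Certificate Authority")]
CURRENT_SUBJECT_DER = build_name(SUBJECT, 0x13)  # PrintableString
RENEWED_SUBJECT_DER = build_name(SUBJECT, 0x0C)  # UTF8String

if __name__ == "__main__":
    for label, der in (("current", CURRENT_SUBJECT_DER), ("renewed", RENEWED_SUBJECT_DER)):
        print(label, name_to_text(parse_name(der)), [t for _, t, _ in parse_name(der)])
    ok, msg = check_subject_compatible(CURRENT_SUBJECT_DER, RENEWED_SUBJECT_DER)
    print("OK" if ok else "ERROR:", msg)
```

Both sample Names print as `O=EXAMPLE.TEST,CN=Certificate Authority`, yet their DER bytes differ in every value tag, which is exactly the situation a plain string comparison of the two subjects would miss and a byte comparison would reject without explanation; the check returns the string-type list so the operator can see which side to re-issue.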
master:
ipa-4-1:
Metadata Update from @jcholast:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.1.3