#4781 RHEL7.1 ipa-cacert-manage renewed certificate from MS ADCS not compatible
Closed: Fixed. Opened 9 years ago by jcholast.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1169591

Description of problem:

I'm trying to renew a CA Cert and change from self signed to external CA signed
using MS ADCS.

[root@rhel7-2 ~]# ipa-cacert-manage renew --external-ca
Exporting CA certificate signing request, please wait
The next step is to get /var/lib/ipa/ca.csr signed by your CA and re-run
ipa-cacert-manage as:
ipa-cacert-manage renew --external-cert-file=/path/to/signed_certificate
--external-cert-file=/path/to/external_ca_certificate
The ipa-cacert-manage command was successful

[root@rhel7-2 ~]# cd /root/certs

[root@rhel7-2 certs]# ls
adcs2_chain.p7b  ca.cer

[root@rhel7-2 certs]# openssl pkcs7 -print_certs -in
/root/certs/adcs2_chain.p7b -inform DER -out /root/certs/adcs2_chain.pem

[root@rhel7-2 certs]# ipa-cacert-manage renew
--external-cert-file=/root/certs/adcs2_chain.pem
--external-cert-file=/root/certs/ca.cer -p Secret123
Importing the renewed CA certificate, please wait
Not compatible with the current CA certificate: %s
Command ''/usr/bin/certutil' '-d' '/tmp/tmpAYIjfk' '-A' '-n' 'IPA CA' '-t'
'C,,'' returned non-zero exit status 255


Version-Release number of selected component (if applicable):

ipa-server-4.1.0-10.el7.x86_64
certmonger-0.75.14-2.el7.x86_64
nss-tools-3.16.2.3-2.el7.x86_64


How reproducible:
unknown

Steps to Reproduce:
1.  Install IPA server
2.  ipa-cacert-manage renew --external-ca
3.  copy CSR to windows ADCS server
4.  sign cert
5.  copy cert and ADCS CA cert chain to IPA server
6.  convert ADCS CA cert chain from p7b to DER pem
    openssl pkcs7 -print_certs -in <p7b_file> -inform DER -out <pem_file>
7.  ipa-cacert-manage renew --external-cert-file=<pem_file>
    --external-cert-file=<cacert> -p <password>

Actual results:
fails like above

Expected results:
no fail

Additional info:

This is not really a bug; it turns out the subject names are encoded differently in the original and renewed CA certs. However, this should be specifically checked for and a proper error should be returned.

master:

  • f7f3c83 Check subject name encoding in ipa-cacert-manage renew
  • 8f9c598 Refer the user to freeipa.org when something goes wrong in ipa-cacert-manage

ipa-4-1:

  • 731035e Check subject name encoding in ipa-cacert-manage renew
  • 3cb2f5e Refer the user to freeipa.org when something goes wrong in ipa-cacert-manage
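As an added illustration of the root cause noted above, not code from FreeIPA or from this ticket: a stdlib-only Python walk over two constructed DER subject names with identical text, one using PrintableString values and one using UTF8String, reporting the attribute-level encoding difference that makes the renewed certificate byte-compare unequal to the current one. The DN contents and the choice of which side uses which string type are constructed assumptions, not taken from the reporter's certificates.

```python
STRING_TAGS = {0x0C: "UTF8String", 0x13: "PrintableString", 0x14: "T61String",
               0x16: "IA5String", 0x1E: "BMPString"}
ATTR_TYPES = {"550403": "CN", "55040a": "O", "55040b": "OU", "550406": "C"}  # DER OID hex -> short name

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(buf):
    """Yield the (tag, value) elements inside a constructed DER value."""
    pos = 0
    while pos < len(buf):
        tag, val, pos = _read_tlv(buf, pos)
        yield tag, val

def name_attributes(name_der):
    """Walk Name ::= SEQUENCE OF SET OF {OID, value} into [(attr, string type, text)]."""
    tag, body, _ = _read_tlv(name_der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    result = []
    for _, rdn in _children(body):
        for _, atv in _children(rdn):
            (_, oid), (vtag, value), *_ = _children(atv)
            text = value.decode("utf-16-be") if vtag == 0x1E else value.decode("utf-8", "replace")
            result.append((ATTR_TYPES.get(oid.hex(), oid.hex()), STRING_TAGS.get(vtag, hex(vtag)), text))
    return result

def encoding_mismatches(old_der, new_der):
    """Attributes with identical text but a different DER string type (the ticket's case); raises if the content differs."""
    old, new = name_attributes(old_der), name_attributes(new_der)
    if [(a, t) for a, _, t in old] != [(a, t) for a, _, t in new]:
        raise ValueError("subject names differ in content, not merely in encoding")
    return [(a, x, y) for (a, x, _), (_, y, _) in zip(old, new) if x != y]

# Constructed sample data: one DN, two encodings. Assumed for illustration only: the current
# IPA CA uses PrintableString values and the externally signed renewal uses UTF8String.
def der_tlv(tag, body):
    return bytes([tag, len(body)]) + body               # short-form lengths suffice here

def build_name(attrs, string_tag):
    return der_tlv(0x30, b"".join(der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, bytes.fromhex(oid)) + der_tlv(string_tag, t.encode())))
                                  for oid, t in attrs))

ATTRS = [("55040a", "EXAMPLE.COM"), ("550403", "Certificate Authority")]
OLD_SUBJECT = build_name(ATTRS, 0x13)   # current CA certificate, PrintableString
NEW_SUBJECT = build_name(ATTRS, 0x0C)   # renewed certificate, UTF8String
```

Running `encoding_mismatches(OLD_SUBJECT, NEW_SUBJECT)` lists each attribute as PrintableString on the old side and UTF8String on the new side, which is exactly the condition a pre-import check can report instead of the raw certutil failure.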

Metadata Update from @jcholast:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.1.3

7 years ago
