#5799 Errors from AD when trying to sign ipa.csr, conflicting template on
Closed: fixed 6 years ago Opened 7 years ago by pvoborni.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1322963

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

Description of problem: Windows 2012AD cannot sign csr due to this error:

"Submitted CSR is invalid it has embedded with the predefined template name
called 'ipaCSRExport', While submitting request to Its creating conflicting
with the actual SUBCA template on CA server."
The field that they are talking about is:

 1.3.6.1.4.1.311.20.2:

Which corresponds to:

...i.p.a.C.S.R.E.x.p.o.r.t

But it looks like MS uses this field for another purpose.

https://support.microsoft.com/en-us/kb/287547

Version-Release number of selected component (if applicable):


How reproducible:
When going through standard signing request, it gives the error.


Steps to Reproduce:
1. Created ipa.csr
2. Sent to Windows 2012 AD to sign
3. Get the above error when attempting normal channels

Can get a signed certificate (but doesn't seem to be a root ca) by doing:

We were able to get a signed cert by doing the following:

Certificate Sign Request (.CSR)

1.) Login to Windows AD box
2.) Install the "Active Directory Certificate Services" server role (if it is
not installed)
3.) Go to http://localhost/certsrv/ on AD box
4.) Select "Request a certificate"
5.) Select "Or, submit an advanced certificate request"
6.) Select "Submit a certificate requested by a base-64-encoded CMC or PKCS #10
file, or submit a renewal request by using a base-64-encoded PKCS #7 file"
7.) Open the .CSR in Notepad
8.) Copy all of the contents of the .CSR and paste them in the "Saved Request:
Base-64-encoded request (CMC or PKCS #10 or PKCS #7):" text box
9.) Leave "Certificate Template" and "Additional Attributes" default
10.) Select "Submit >"
11.) Select "Download certificate" and "Download certificate chain"
12.) Select "Save" in the yellow pop-up bar at the bottom of the screen

Actual results:
IPA could read the cert, but it wasn't a root one

Expected results:
signed CA cert

Additional info:

Important in 4.5 bugfixing phase.
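The field quoted in the report, OID 1.3.6.1.4.1.311.20.2, is the extension that AD CS reads as the name of the certificate template a request must match; its value is a BMPString (UTF-16), which is why the dump above shows a dot before every letter of "ipaCSRExport". The following is an added example, not code from this ticket or from FreeIPA: a small pure-Python DER walker that builds a constructed copy of that extension, reproduces the dotted strings-style rendering, and lists every template name a CSR (or any DER fragment) carries, so an administrator can see what AD CS will match against before submitting a request. The function names, the optional file-path argument of the demo, and the sample structures are this example's own; it assumes single-byte tags and definite-length encoding, which DER CSRs satisfy.

```python
"""Find the Microsoft certificate-template-name extension (OID
1.3.6.1.4.1.311.20.2) in a DER CSR. Added example, not FreeIPA code."""
import base64
import sys

MS_TEMPLATE_NAME_OID = "1.3.6.1.4.1.311.20.2"    # extension AD CS matches against its templates
EXTENSION_REQUEST_OID = "1.2.840.113549.1.9.14"  # PKCS#9 extensionRequest attribute
TAG_OID, TAG_OCTET_STRING, TAG_BMPSTRING = 0x06, 0x04, 0x1E
TAG_SEQUENCE, TAG_SET, TAG_CTX0 = 0x30, 0x31, 0xA0


def encode_oid(dotted):
    """DER content octets of a dotted OID (first arc 0, 1 or 2)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]            # base-128, high bit marks continuation
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes(body)


def decode_oid(body):
    """Inverse of encode_oid."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def der_len(n):
    """Definite-form DER length octets (short or long form)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def parse_tlv(data, pos):
    """Return (tag, content, position after this element)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                   # long form: next n octets hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def build_template_extension(name):
    """Constructed sample: SEQUENCE { OID 1.3.6.1.4.1.311.20.2,
    OCTET STRING { BMPString name } }, the shape AD CS expects."""
    value = tlv(TAG_BMPSTRING, name.encode("utf-16-be"))
    return tlv(TAG_SEQUENCE, tlv(TAG_OID, encode_oid(MS_TEMPLATE_NAME_OID))
               + tlv(TAG_OCTET_STRING, value))


def wrap_as_csr_attributes(extension):
    """Constructed sample of where a CSR carries it:
    [0] { Attribute { extensionRequest, SET { Extensions { extension } } } }"""
    attr = tlv(TAG_SEQUENCE, tlv(TAG_OID, encode_oid(EXTENSION_REQUEST_OID))
               + tlv(TAG_SET, tlv(TAG_SEQUENCE, extension)))
    return tlv(TAG_CTX0, attr)


def find_template_names(der):
    """Walk any DER structure; return every name in a 1.3.6.1.4.1.311.20.2 extension."""
    found = []

    def walk(data):
        pos, pending_oid = 0, None
        while pos < len(data):
            tag, content, pos = parse_tlv(data, pos)
            if tag == TAG_OID:
                pending_oid = decode_oid(content)
            elif tag == TAG_OCTET_STRING:   # extnValue after extnID (and an optional critical BOOLEAN)
                if pending_oid == MS_TEMPLATE_NAME_OID and content:
                    inner_tag, inner, _ = parse_tlv(content, 0)
                    if inner_tag == TAG_BMPSTRING:
                        found.append(inner.decode("utf-16-be"))
                pending_oid = None
            elif tag & 0x20:                # constructed (SEQUENCE, SET, [n]): descend
                walk(content)

    walk(der)
    return found


def printable_view(raw):
    """strings(1)-style rendering: non-printable bytes become dots."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in raw)


def load_request(path):
    """Read a PEM or DER CSR from a file the caller supplies."""
    with open(path, "rb") as f:
        blob = f.read()
    if blob.startswith(b"-----"):
        blob = base64.b64decode(b"".join(l for l in blob.splitlines() if not l.startswith(b"-----")))
    return blob


if __name__ == "__main__":
    if len(sys.argv) > 1:
        names = find_template_names(load_request(sys.argv[1]))
    else:                               # no file given: run against the constructed sample
        sample = wrap_as_csr_attributes(build_template_extension("ipaCSRExport"))
        print(printable_view(sample))
        names = find_template_names(sample)
    print("template names AD CS will see:", names or "none")
```

Run with no argument to see the constructed sample, or pass a CSR file (PEM or DER) to check what a real request carries; a request for a generic CA should report no template name at all, which is what the fix for this ticket arranges when the external CA is not an AD CS.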

Metadata Update from @pvoborni:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.5

7 years ago

Metadata Update from @mbasti:
- Issue close_status updated to: None
- Issue set to the milestone: FreeIPA 4.5.1 (was: FreeIPA 4.5)

7 years ago

Metadata Update from @pvoborni:
- Issue priority set to: blocker (was: critical)

6 years ago

master:
ce9eefe renew agent: respect CA renewal master setting
5abd9bb server upgrade: always fix certmonger tracking request
09a49ad cainstance: use correct profile for lightweight CA certificates
25aeeaf renew agent: allow reusing existing certs
0bf41e8 renew agent: always export CSR on IPA CA certificate renewal
21f4cbf renew agent: get rid of virtual profiles
* b03ede8 ipa-cacert-manage: add --external-ca-type

ipa-4-5:
36fc44b renew agent: respect CA renewal master setting
b55dd9c server upgrade: always fix certmonger tracking request
4a01114 cainstance: use correct profile for lightweight CA certificates
920d56a renew agent: allow reusing existing certs
25b0a9c renew agent: always export CSR on IPA CA certificate renewal
bb95282 renew agent: get rid of virtual profiles
* c56d12a ipa-cacert-manage: add --external-ca-type

Metadata Update from @dkupka:
- Issue status updated to: Closed (was: Open)

6 years ago

Metadata Update from @dkupka:
- Issue close_status updated to: fixed

6 years ago
