Bug 1129558

Summary:	Windows Server 2012 CA does not accept CSR generated by IdM External CA installation
Product:	Red Hat Enterprise Linux 7	Reporter:	Martin Kosek <mkosek>
Component:	ipa	Assignee:	Martin Kosek <mkosek>
Status:	CLOSED ERRATA	QA Contact:	Namita Soman <nsoman>
Severity:	medium	Docs Contact:
Priority:	medium
Version:	7.0	CC:	aakkiang, atolani, bharrington, cfu, dbible, dpal, edewata, jcholast, kburres, mharmsen, mkosek, nkinder, rcritten, spoore
Target Milestone:	pre-dev-freeze
Target Release:	7.1
Hardware:	Unspecified
OS:	Linux
Whiteboard:
Fixed In Version:	ipa-4.1.0-4.el7	Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:	790924	Environment:
Last Closed:	2015-03-05 10:13:13 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:	790924, 1111320, 1151147
Bug Blocks:	530474

Description Martin Kosek 2014-08-13 07:57:19 UTC

+++ This bug was initially created as a clone of Bug #790924 +++

Description of problem:

When pkisilent is run with the "-external" flag there are no X.509 v3 extensions added to the certificate signing request (CSR) to signify to the certificate authority (CA) that the request is for a subordinate CA.  This situation manifests in conditions where the CA is not a Red Hat Certificate Server.

Version-Release number of selected component (if applicable):
[root@opskzld31 log]# rpm -qif `which pkisilent`
Name        : pki-silent                   Relocations: (not relocatable)
Version     : 9.0.3                             Vendor: Red Hat, Inc.
Release     : 20.el6                        Build Date: Mon 03 Oct 2011 08:08:55 PM EDT
Install Date: Mon 30 Jan 2012 12:34:19 PM EST      Build Host: x86-002.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: pki-core-9.0.3-20.el6.src.rpm
Size        : 339099                           License: GPLv2
Signature   : RSA/8, Mon 07 Nov 2011 10:17:28 AM EST, Key ID 199e2f91fd431d51
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - Silent Installer


How reproducible:


Steps to Reproduce:
1. Run pkisilent with the -external and -external_csr flags
2. ...
3. (no) Profit
  
Actual results:
[root@opskzld31 ssl_test]# cat dogtag.csr 
-----BEGIN CERTIFICATE REQUEST-----
MIIC0jCCAboCAQAwfjELMAkGA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9s
aW5hMRAwDgYDVQQHEwdSYWxlaWdoMRUwEwYDVQQKEwxSZWQgSGF0LCBJbmMxLTAr
BgNVBAMTJERvZ3RhZyBTdWJvcmRpbmF0ZSBTaWduaW5nIEF1dGhvcml0eTCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKSQZD1pB3nVMKEmhtflfplj6xW6
aR5ulle+oWprk8n22RaWX3qsxPo1cgaYXutJ9Zm2ZyOFdR9bE6lt5kyinDcWyiCL
xbnKhe6h/jTv7Y88lV3H/sY4qGBtmGssREJLVzH0QhGbq1Sm4rc3drRDZZj34lMv
pLoQO30YZqo/aV7H5CnszdVVPD5XAfF+2ui91Wq/C7bVNtyrqpcS17e+nbELhFkn
TqcISZsHnMVCeX1IAeMcN+cvAe6secwPkPI1xfOUJ1dAUQErcEwipDOaMRXVkkKf
I1ARz/EaHHQSLp/fguGwEVV6RBNU9rYNyZ6BGqpjexCEdeF4qWMoPWIByt8CAwEA
AaAPMA0GCSqGSIb3DQEJDjEAMA0GCSqGSIb3DQEBBQUAA4IBAQCUkV9hFQMsJzYk
9lq4Js4KsPTwYAWNTAPCzlaA77RO7coHN06xh8gkXC+MqSA5uiBqKh9BYQ9XL2h5
Q4JxI0SqUK5k/jtZjoha0Ve6mMssovxo0r36YUZP0gK8SOaB04uqfmw58OquhVUV
ANk4mdyFCyHY03yttmapA3/dGZRfZ+YdEQ9G7or2Hb3+8DJp0V8orni1nQByvzus
IZEYW72zLI1PgOdaP8AXA3OZq01NrUwkXyPH/IWJg3Be7KV/q4CYNxi2OlhFSfqI
B7JOMfe7oZUc7IRCFIQ/4dt36Rz6IDuKJ/dLuPQe34/JVTeqnPpdF18JRqzrvk7i
2NHJJPFI
-----END CERTIFICATE REQUEST-----
[root@opskzld31 ssl_test]# openssl req -in dogtag.csr -noout -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=North Carolina, L=Raleigh, O=Red Hat, Inc, CN=Dogtag Subordinate Signing Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a4:90:64:3d:69:07:79:d5:30:a1:26:86:d7:e5:
                    7e:99:63:eb:15:ba:69:1e:6e:96:57:be:a1:6a:6b:
                    93:c9:f6:d9:16:96:5f:7a:ac:c4:fa:35:72:06:98:
                    5e:eb:49:f5:99:b6:67:23:85:75:1f:5b:13:a9:6d:
                    e6:4c:a2:9c:37:16:ca:20:8b:c5:b9:ca:85:ee:a1:
                    fe:34:ef:ed:8f:3c:95:5d:c7:fe:c6:38:a8:60:6d:
                    98:6b:2c:44:42:4b:57:31:f4:42:11:9b:ab:54:a6:
                    e2:b7:37:76:b4:43:65:98:f7:e2:53:2f:a4:ba:10:
                    3b:7d:18:66:aa:3f:69:5e:c7:e4:29:ec:cd:d5:55:
                    3c:3e:57:01:f1:7e:da:e8:bd:d5:6a:bf:0b:b6:d5:
                    36:dc:ab:aa:97:12:d7:b7:be:9d:b1:0b:84:59:27:
                    4e:a7:08:49:9b:07:9c:c5:42:79:7d:48:01:e3:1c:
                    37:e7:2f:01:ee:ac:79:cc:0f:90:f2:35:c5:f3:94:
                    27:57:40:51:01:2b:70:4c:22:a4:33:9a:31:15:d5:
                    92:42:9f:23:50:11:cf:f1:1a:1c:74:12:2e:9f:df:
                    82:e1:b0:11:55:7a:44:13:54:f6:b6:0d:c9:9e:81:
                    1a:aa:63:7b:10:84:75:e1:78:a9:63:28:3d:62:01:
                    ca:df
                Exponent: 65537 (0x10001)
        Attributes:
    Signature Algorithm: sha1WithRSAEncryption
        94:91:5f:61:15:03:2c:27:36:24:f6:5a:b8:26:ce:0a:b0:f4:
        f0:60:05:8d:4c:03:c2:ce:56:80:ef:b4:4e:ed:ca:07:37:4e:
        b1:87:c8:24:5c:2f:8c:a9:20:39:ba:20:6a:2a:1f:41:61:0f:
        57:2f:68:79:43:82:71:23:44:aa:50:ae:64:fe:3b:59:8e:88:
        5a:d1:57:ba:98:cb:2c:a2:fc:68:d2:bd:fa:61:46:4f:d2:02:
        bc:48:e6:81:d3:8b:aa:7e:6c:39:f0:ea:ae:85:55:15:00:d9:
        38:99:dc:85:0b:21:d8:d3:7c:ad:b6:66:a9:03:7f:dd:19:94:
        5f:67:e6:1d:11:0f:46:ee:8a:f6:1d:bd:fe:f0:32:69:d1:5f:
        28:ae:78:b5:9d:00:72:bf:3b:ac:21:91:18:5b:bd:b3:2c:8d:
        4f:80:e7:5a:3f:c0:17:03:73:99:ab:4d:4d:ad:4c:24:5f:23:
        c7:fc:85:89:83:70:5e:ec:a5:7f:ab:80:98:37:18:b6:3a:58:
        45:49:fa:88:07:b2:4e:31:f7:bb:a1:95:1c:ec:84:42:14:84:
        3f:e1:db:77:e9:1c:fa:20:3b:8a:27:f7:4b:b8:f4:1e:df:8f:
        c9:55:37:aa:9c:fa:5d:17:5f:09:46:ac:eb:be:4e:e2:d8:d1:
        c9:24:f1:48


Expected results:
[root@opskzld31 ssl_test]# cat dogtag.csr 
-----BEGIN CERTIFICATE REQUEST-----
MIIDAjCCAeoCAQAwfjELMAkGA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9s
aW5hMRAwDgYDVQQHEwdSYWxlaWdoMRUwEwYDVQQKEwxSZWQgSGF0LCBJbmMxLTAr
BgNVBAMTJERvZ3RhZyBTdWJvcmRpbmF0ZSBTaWduaW5nIEF1dGhvcml0eTCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKSQZD1pB3nVMKEmhtflfplj6xW6
aR5ulle+oWprk8n22RaWX3qsxPo1cgaYXutJ9Zm2ZyOFdR9bE6lt5kyinDcWyiCL
xbnKhe6h/jTv7Y88lV3H/sY4qGBtmGssREJLVzH0QhGbq1Sm4rc3drRDZZj34lMv
pLoQO30YZqo/aV7H5CnszdVVPD5XAfF+2ui91Wq/C7bVNtyrqpcS17e+nbELhFkn
TqcISZsHnMVCeX1IAeMcN+cvAe6secwPkPI1xfOUJ1dAUQErcEwipDOaMRXVkkKf
I1ARz/EaHHQSLp/fguGwEVV6RBNU9rYNyZ6BGqpjexCEdeF4qWMoPWIByt8CAwEA
AaA/MD0GCSqGSIb3DQEJDjEwMC4wDAYDVR0TBAUwAwEB/zARBglghkgBhvhCAQEE
BAMCAgQwCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBBQUAA4IBAQB2uliTrHYQkjeb
HVKWg6n5TyyosweFC/QTTis7m7SmlCVMQri63Yp3vXYU2dQ0veAglcECxANVAqZu
9fsrRcvB+NEBrVycEA/VZd1gZ3y/Bw/ByJsk7CIlRdtRivuupDVF1dILjff+vMz8
qVh5Z15d6ff3m6p3IqTBxJjeUNmqRFkLMEJJmDqkM4R5adMU+rCI4V9ILwlO2g0s
tgWMaMFe82GET+TwW+I+NMRWO67S+slJzOP04hDVK0iSC93MbooFPoOArhrQVwmX
zYZY+llnbYdaILHDNt3P/WWMgAiTmlEksaJbL8UCTRQRP881IpguqJZDP1O5uVhU
OjNA13M+
-----END CERTIFICATE REQUEST-----
[root@opskzld31 ssl_test]# openssl req -in dogtag.csr -noout -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=North Carolina, L=Raleigh, O=Red Hat, Inc, CN=Dogtag Subordinate Signing Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a4:90:64:3d:69:07:79:d5:30:a1:26:86:d7:e5:
                    7e:99:63:eb:15:ba:69:1e:6e:96:57:be:a1:6a:6b:
                    93:c9:f6:d9:16:96:5f:7a:ac:c4:fa:35:72:06:98:
                    5e:eb:49:f5:99:b6:67:23:85:75:1f:5b:13:a9:6d:
                    e6:4c:a2:9c:37:16:ca:20:8b:c5:b9:ca:85:ee:a1:
                    fe:34:ef:ed:8f:3c:95:5d:c7:fe:c6:38:a8:60:6d:
                    98:6b:2c:44:42:4b:57:31:f4:42:11:9b:ab:54:a6:
                    e2:b7:37:76:b4:43:65:98:f7:e2:53:2f:a4:ba:10:
                    3b:7d:18:66:aa:3f:69:5e:c7:e4:29:ec:cd:d5:55:
                    3c:3e:57:01:f1:7e:da:e8:bd:d5:6a:bf:0b:b6:d5:
                    36:dc:ab:aa:97:12:d7:b7:be:9d:b1:0b:84:59:27:
                    4e:a7:08:49:9b:07:9c:c5:42:79:7d:48:01:e3:1c:
                    37:e7:2f:01:ee:ac:79:cc:0f:90:f2:35:c5:f3:94:
                    27:57:40:51:01:2b:70:4c:22:a4:33:9a:31:15:d5:
                    92:42:9f:23:50:11:cf:f1:1a:1c:74:12:2e:9f:df:
                    82:e1:b0:11:55:7a:44:13:54:f6:b6:0d:c9:9e:81:
                    1a:aa:63:7b:10:84:75:e1:78:a9:63:28:3d:62:01:
                    ca:df
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints: 
                CA:TRUE
            Netscape Cert Type: 
                SSL CA
            X509v3 Key Usage: 
                Certificate Sign, CRL Sign
    Signature Algorithm: sha1WithRSAEncryption
        76:ba:58:93:ac:76:10:92:37:9b:1d:52:96:83:a9:f9:4f:2c:
        a8:b3:07:85:0b:f4:13:4e:2b:3b:9b:b4:a6:94:25:4c:42:b8:
        ba:dd:8a:77:bd:76:14:d9:d4:34:bd:e0:20:95:c1:02:c4:03:
        55:02:a6:6e:f5:fb:2b:45:cb:c1:f8:d1:01:ad:5c:9c:10:0f:
        d5:65:dd:60:67:7c:bf:07:0f:c1:c8:9b:24:ec:22:25:45:db:
        51:8a:fb:ae:a4:35:45:d5:d2:0b:8d:f7:fe:bc:cc:fc:a9:58:
        79:67:5e:5d:e9:f7:f7:9b:aa:77:22:a4:c1:c4:98:de:50:d9:
        aa:44:59:0b:30:42:49:98:3a:a4:33:84:79:69:d3:14:fa:b0:
        88:e1:5f:48:2f:09:4e:da:0d:2c:b6:05:8c:68:c1:5e:f3:61:
        84:4f:e4:f0:5b:e2:3e:34:c4:56:3b:ae:d2:fa:c9:49:cc:e3:
        f4:e2:10:d5:2b:48:92:0b:dd:cc:6e:8a:05:3e:83:80:ae:1a:
        d0:57:09:97:cd:86:58:fa:59:67:6d:87:5a:20:b1:c3:36:dd:
        cf:fd:65:8c:80:08:93:9a:51:24:b1:a2:5b:2f:c5:02:4d:14:
        11:3f:cf:35:22:98:2e:a8:96:43:3f:53:b9:b9:58:54:3a:33:
        40:d7:73:3e

Additional info:

...
--- Additional comment from Martin Kosek on 2014-07-29 07:57:46 EDT ---

I did a quick test with

ipa-server-3.3.3-28.el7.x86_64
pki-ca-10.0.5-3.el7.noarch

and generated a IPA with CSR request:

# ipa-server-install --external-ca
...
  [38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/6]: creating certificate server user
  [2/6]: configuring certificate server instance
The next step is to get /root/ipa.csr signed by your CA and re-run ipa-server-install as:
ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate

# openssl req -in /root/ipa.csr -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: O=IDM.LAB.BOS.REDHAT.COM, CN=Certificate Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:9e:51:15:d4:44:3c:b0:ef:87:fc:fa:09:a7:a8:
                    db:4c:01:5e:1f:b1:32:86:99:ca:c8:d3:ae:e0:65:
                    d3:c2:58:64:67:5c:99:1b:df:92:1f:f9:e3:13:cc:
                    b7:54:a4:b7:95:98:f6:b0:7b:40:c2:9f:79:22:7b:
                    bb:67:3e:d2:f4:82:0b:8a:2d:10:f1:ba:20:63:8f:
                    ce:5b:3f:0b:00:b7:2c:47:e6:98:64:9f:df:42:af:
                    ff:de:ec:69:14:fa:76:77:be:fa:26:6f:82:55:9a:
                    61:f5:04:f2:c0:7a:27:d2:83:d1:e6:9e:a8:55:1e:
                    9e:b3:a6:a4:f3:c4:73:35:62:fc:8e:e5:bd:81:fc:
                    7c:50:36:7c:de:c7:d5:74:36:85:e3:05:8e:e8:e5:
                    a2:c7:11:89:c7:fe:56:38:57:10:dd:31:cc:7b:6c:
                    21:24:50:fe:f6:8b:4a:14:6c:d0:f6:f5:09:e7:33:
                    39:13:27:7e:d2:35:d3:97:f5:62:f1:84:33:17:3f:
                    95:99:27:9b:c5:a0:59:0f:ba:ae:c0:4e:18:87:0d:
                    e3:a8:0b:3d:be:31:f8:25:2b:67:e9:59:b8:6f:50:
                    d5:f2:72:68:16:41:af:10:a9:5a:17:d3:df:1f:33:
                    b5:df:e2:0c:7d:e4:c0:f9:39:73:47:0b:d9:b4:0f:
                    8c:6b
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         06:c9:c8:ff:37:4b:75:d3:5d:4e:56:c7:fa:22:7d:6d:f1:fd:
         64:96:0d:90:28:c9:4d:77:cc:ec:54:69:23:07:49:34:e4:e2:
         15:10:8a:ac:f5:12:4f:65:d9:82:e1:96:74:c7:45:0b:e4:09:
         db:d0:c9:03:57:6c:51:7b:65:ac:2f:06:13:f0:20:bc:a4:41:
         9b:8f:1b:e8:e3:26:5b:da:43:31:c2:41:93:da:c2:8b:a2:c6:
         3e:8c:66:a3:a1:94:f5:0a:27:96:c2:11:89:cb:a9:64:0f:09:
         ab:44:c9:7a:44:18:94:3f:29:5a:78:c4:e1:e4:df:e0:70:7f:
         52:be:1b:f3:e7:73:d9:f9:4d:16:38:6c:85:43:a1:74:05:d6:
         eb:eb:a4:93:12:b6:10:98:81:31:97:f5:03:9d:b7:f3:7c:e6:
         18:9e:1c:5d:c0:94:bd:27:0d:0f:a2:f5:24:a5:74:c7:13:45:
         5d:36:b4:a3:e8:2f:a5:8a:5f:1e:30:62:33:71:65:49:4e:6f:
         ce:3c:f2:d0:3e:88:e2:d1:d6:fc:b8:d0:9b:94:8b:47:63:43:
         cd:0b:49:f9:ff:06:c6:80:67:81:9c:89:b1:47:a5:c1:95:38:
         ec:70:0b:7b:13:26:99:27:a7:97:5a:64:d3:d0:6d:63:f5:41:
         82:7f:c5:f5
-----BEGIN CERTIFICATE REQUEST-----
MIIChjCCAW4CAQAwQTEfMB0GA1UEChMWSURNLkxBQi5CT1MuUkVESEFULkNPTTEe
MBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAnlEV1EQ8sO+H/PoJp6jbTAFeH7EyhpnKyNOu4GXTwlhk
Z1yZG9+SH/njE8y3VKS3lZj2sHtAwp95Inu7Zz7S9IILii0Q8bogY4/OWz8LALcs
R+aYZJ/fQq//3uxpFPp2d776Jm+CVZph9QTywHon0oPR5p6oVR6es6ak88RzNWL8
juW9gfx8UDZ83sfVdDaF4wWO6OWixxGJx/5WOFcQ3THMe2whJFD+9otKFGzQ9vUJ
5zM5Eyd+0jXTl/Vi8YQzFz+VmSebxaBZD7quwE4Yhw3jqAs9vjH4JStn6Vm4b1DV
8nJoFkGvEKlaF9PfHzO13+IMfeTA+TlzRwvZtA+MawIDAQABoAAwDQYJKoZIhvcN
AQELBQADggEBAAbJyP83S3XTXU5Wx/oifW3x/WSWDZAoyU13zOxUaSMHSTTk4hUQ
iqz1Ek9l2YLhlnTHRQvkCdvQyQNXbFF7ZawvBhPwILykQZuPG+jjJlvaQzHCQZPa
wouixj6MZqOhlPUKJ5bCEYnLqWQPCatEyXpEGJQ/KVp4xOHk3+Bwf1K+G/Pnc9n5
TRY4bIVDoXQF1uvrpJMSthCYgTGX9QOdt/N85hieHF3AlL0nDQ+i9SSldMcTRV02
tKPoL6WKXx4wYjNxZUlOb8488tA+iOLR1vy40JuUi0djQ80LSfn/BsaAZ4GcibFH
pcGVOOxwC3sTJpknp5daZNPQbWP1QYJ/xfU=
-----END CERTIFICATE REQUEST-----

and found that the resulting CSR is indeed not digestable by Windows 2012 Server CA. I will attach a screenshot with exact error message.

...
--- Additional comment from Christina Fu on 2014-07-29 12:46:48 EDT ---

The idea that I shared with atolani was the following (Note: I don't know where IPA places things so it's more of an idea than exact steps):
To do "external CA", the tool has to be run twice, as I
understand.  The first time is to generate the CSR, and the 2nd time is to
install the cert after submitting the CSR to the CA. The idea is that the CSR
 could be replaced at that time in between the two runs of the tool.  You regenerate the CSR with whatever tool that suits you. During that time, you want to also swap in the keys.  Once you have swapped in the keys to the proper location (where the keys are was something atolani was to find out), and the CSR, submit the proper CSR to the external CA and you can continue from there.

atolani, I suggest you put in the detailed steps after your experiment if you get it to work.

Incidentally, I was thinking about how useful it would be if one could just reuse existing keypair to generate a new CSR with different extensions. If no such tool exists, we can possibly consider that for the future.

I think the fix for the issue at hand is probably not just to add BasicConstraint extension to a subordinate CA. Rather, we should consider allowing one to craft the CSR in finer details.
Of course when the "external CA" is our own Dogtag CA then such issue does not exist because we have enrollment profiles to serve the purpose on the server end.

--- Additional comment from Martin Kosek on 2014-07-30 02:51:49 EDT ---

Thanks Christina. JFTR, this is indeed a 2 step installation. First, ipa-server-install is run with --external-ca, when CSR is signed, it is run again with --external_cert_file and --external_ca_file options. See

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-ca-options.html#install-ca-external

for details.

IPA in RHEL-7.0 generates the CSR in /root/ipa.csr. PKI is installed in /var/lib/pki/pki-tomcat/. I am not sure where the key is though. /var/lib/pki/pki-tomcat/ca/alias/ contains just the "Server-Cert cert-pki-ca".

Comment 1 Martin Kosek 2014-08-13 07:58:42 UTC

This Bugzilla is to make sure that IdM is capable of easy enrolling as subCA to MS CA 2012 service. It depends on change in PKI to generate proper CSR.

Comment 3 Martin Kosek 2014-08-14 14:36:20 UTC

== Workaround ==

When testing a fix for Bug 1111320 I managed to enroll IPA as a subCA to Microsoft Windows Server 2012 CA. I just must not request the certificate via Web UI (by passing ipa.csr generated by --external-ca installation), but I had to request it via command line:

certreq.exe -submit -attrib "CertificateTemplate:SubCA" ipa.csr mkad2012-ipa-ca

With the patch for 1111320, the IPA installation succeed. See Bug 1111320, Comment 27 for details.

Comment 4 Martin Kosek 2014-08-15 06:55:28 UTC

I prepared a chapter on FreeIPA upstream wiki with the workaround mentioned in Comment 3 to spread the information further:

http://www.freeipa.org/page/PKI#Blending_in_PKI_infrastructure

Comment 6 Martin Kosek 2014-08-15 13:43:39 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4496

Comment 7 Martin Kosek 2014-08-20 07:47:27 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4489

Comment 8 Martin Kosek 2014-08-20 07:50:42 UTC

*** Bug 1129561 has been marked as a duplicate of this bug. ***

Comment 9 Martin Kosek 2014-08-20 08:01:32 UTC

This should be done in the same release as our external CA chaining tool RFE tracked in Bug 886645.

Comment 10 Martin Kosek 2014-09-30 06:55:27 UTC

Usability fixes in upstream CA related installation options:

master:
https://fedorahosted.org/freeipa/changeset/60ecba77cd98f37be0d2c0f69efd307a687e59dc
https://fedorahosted.org/freeipa/changeset/3aa0731fc660ea3d111a44926ab5dea71dc510e7
https://fedorahosted.org/freeipa/changeset/88083887c994ab505d6e07151e5dd26b56bb7732
https://fedorahosted.org/freeipa/changeset/3cde7e9cfd7908b24082e3e50cdd0955726223d0
https://fedorahosted.org/freeipa/changeset/83cbfa8eaee6b2b84eb9fe9e514a339780df81b5

ipa-4-1:
https://fedorahosted.org/freeipa/changeset/b93bdb7b3ef0f9229b1bb2f5e4db1c4efc1616ea
https://fedorahosted.org/freeipa/changeset/6136a3eb5d943792853359047770b0d85568d4fd
https://fedorahosted.org/freeipa/changeset/a29ee452c4c1b776521869f87433605dc9dd8e77
https://fedorahosted.org/freeipa/changeset/01623f70d85065d48433d26e4d42c885a49989e8
https://fedorahosted.org/freeipa/changeset/0c4d7dabf3e3642451ecaac7837f08011ac772dd

Comment 11 Martin Kosek 2014-10-10 07:58:53 UTC

== WORKAROUND 2 ==
When quickly checking the Bug 1151147 that Jan filed, I found a workaround on AD site how to force AD to issue certificates with UTF-8 encoding of certificate commonName field. You would need to follow section "Enforce UTF8 encoding"

http://support.microsoft.com/kb/888180

and type following commands (tested on my Windows Server 2012):

certutil -setreg ca\forceteletex +0x20
net stop certsvc
net start cersvc

Comment 12 Martin Kosek 2014-10-13 10:24:20 UTC

FreeIPA command line support is fixed upstream, we are just waiting what will be the next steps with Bug 1151147.

master:
* 4cdeacdedfe344e570da99548043a07a6fa24dbe Support MS CS as the external CA in ipa-server-install and ipa-ca-install
ipa-4-1:
* fdf46ac1c330e70893d6d13f1be24ee5063d27c6 Support MS CS as the external CA in ipa-server-install and ipa-ca-install


To install FreeIPA with MS external CA, use command line switch --external-ca-type=ms-cs

Comment 13 Martin Kosek 2014-10-20 08:50:51 UTC

Bumping pki-ca Requires was delayed to upstream ticket
https://fedorahosted.org/freeipa/ticket/4645

We should not stall this feature, there exists an workaround + PKI bug is filed and acknowledged.

Comment 15 Jan Cholasta 2014-11-06 13:46:56 UTC

Require pki-core-10.1.2-4.el7 now that bug 1151147 was fixed.

Comment 16 Scott Poore 2015-01-15 02:38:52 UTC

Verified.

Version ::

Results ::

[root@vm1 mscs]# ipa-server-install --setup-dns --forwarder=192.168.122.1 -r EXAMPLE.TEST -a Secret123 -p Secret123 --external-ca -U

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

Warning: skipping DNS resolution of host vm1.example.test
The domain name has been determined based on the host name.

Adding [192.168.122.201 vm1.example.test] to your /etc/hosts file
Checking forwarders, please wait ...
WARNING: DNS forwarder 192.168.122.1 does not return DNSSEC signatures in answers
Please fix forwarder configuration to enable DNSSEC support.
(For BIND 9 add directive "dnssec-enable yes;" to "options {}")
WARNING: DNSSEC validation will be disabled
Using reverse zone(s) 122.168.192.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:       vm1.example.test
IP address(es): 192.168.122.201
Domain name:    example.test
Realm name:     EXAMPLE.TEST

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    192.168.122.1
Reverse zone(s):  122.168.192.in-addr.arpa.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv): Estimated time 1 minute
  [1/38]: creating directory server user
  [2/38]: creating directory server instance
  [3/38]: adding default schema
  [4/38]: enabling memberof plugin
  [5/38]: enabling winsync plugin
  [6/38]: configuring replication version plugin
  [7/38]: enabling IPA enrollment plugin
  [8/38]: enabling ldapi
  [9/38]: configuring uniqueness plugin
  [10/38]: configuring uuid plugin
  [11/38]: configuring modrdn plugin
  [12/38]: configuring DNS plugin
  [13/38]: enabling entryUSN plugin
  [14/38]: configuring lockout plugin
  [15/38]: creating indices
  [16/38]: enabling referential integrity plugin
  [17/38]: configuring certmap.conf
  [18/38]: configure autobind for root
  [19/38]: configure new location for managed entries
  [20/38]: configure dirsrv ccache
  [21/38]: enable SASL mapping fallback
  [22/38]: restarting directory server
  [23/38]: adding default layout
  [24/38]: adding delegation layout
  [25/38]: creating container for managed entries
  [26/38]: configuring user private groups
  [27/38]: configuring netgroups from hostgroups
  [28/38]: creating default Sudo bind user
  [29/38]: creating default Auto Member layout
  [30/38]: adding range check plugin
  [31/38]: creating default HBAC rule allow_all
  [32/38]: initializing group membership
  [33/38]: adding master entry
  [34/38]: configuring Posix uid/gid generation
  [35/38]: adding replication acis
  [36/38]: enabling compatibility plugin
  [37/38]: tuning directory server
  [38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/8]: creating certificate server user
  [2/8]: configuring certificate server instance
The next step is to get /root/ipa.csr signed by your CA and re-run /usr/sbin/ipa-server-install as:
/usr/sbin/ipa-server-install --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate

Here I copied ipa.csr to Windows Server 2012 ADCS server and signed it and copied signed cert and the AD CA cert chain back to complete the setup.

It should be noted that I used the web enrollment interface for this.

[root@vm1 ~]# ls
adca_chain.p7b   ca-agent.p12  certnew.cer  ipa_qe_certs.py  tw.py
anaconda-ks.cfg  cacert.p12    ipa.csr      mscs

[root@vm1 ~]# openssl pkcs7 -print_certs -in adca_chain.p7b -inform DER -out adca_chain.pem

[root@vm1 ~]# ipa-server-install --setup-dns --forwarder=192.168.122.1 -r EXAMPLE.TEST -a Secret123 -p Secret123 -U --external-cert-file=/root/certnew.cer --external-cert-file=/root/adca_chain.pem 

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the IPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the Network Time Daemon (ntpd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure DNS (bind)

Warning: skipping DNS resolution of host vm1.example.test
Checking forwarders, please wait ...
WARNING: DNS forwarder 192.168.122.1 does not return DNSSEC signatures in answers
Please fix forwarder configuration to enable DNSSEC support.
(For BIND 9 add directive "dnssec-enable yes;" to "options {}")
Using reverse zone(s) 122.168.192.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:       vm1.example.test
IP address(es): 192.168.122.201
Domain name:    example.test
Realm name:     EXAMPLE.TEST

BIND DNS server will be configured to serve IPA domain with:
Forwarders:    192.168.122.1
Reverse zone(s):  122.168.192.in-addr.arpa.

Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds
  [1/27]: creating certificate server user
  [2/27]: configuring certificate server instance
  [3/27]: stopping certificate server instance to update CS.cfg
  [4/27]: backing up CS.cfg
  [5/27]: disabling nonces
  [6/27]: set up CRL publishing
  [7/27]: enable PKIX certificate path discovery and validation
  [8/27]: starting certificate server instance
  [9/27]: creating RA agent certificate database
  [10/27]: importing CA chain to RA certificate database
  [11/27]: fixing RA database permissions
  [12/27]: setting up signing cert profile
  [13/27]: set certificate subject base
  [14/27]: enabling Subject Key Identifier
  [15/27]: enabling Subject Alternative Name
  [16/27]: enabling CRL and OCSP extensions for certificates
  [17/27]: setting audit signing renewal to 2 years
  [18/27]: configuring certificate server to start on boot
  [19/27]: restarting certificate server
  [20/27]: requesting RA certificate from CA
  [21/27]: issuing RA agent certificate
  [22/27]: adding RA agent as a trusted user
  [23/27]: configure certmonger for renewals
  [24/27]: configure certificate renewals
  [25/27]: configure RA certificate renewal
  [26/27]: configure Server-Cert certificate renewal
  [27/27]: Configure HTTP to proxy connections
Done configuring certificate server (pki-tomcatd).
Configuring directory server (dirsrv): Estimated time 10 seconds
  [1/3]: configuring ssl for ds instance
  [2/3]: restarting directory server
  [3/3]: adding CA certificate entry
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
  [1/10]: adding sasl mappings to the directory
  [2/10]: adding kerberos container to the directory
  [3/10]: configuring KDC
  [4/10]: initialize kerberos container
  [5/10]: adding default ACIs
  [6/10]: creating a keytab for the directory
  [7/10]: creating a keytab for the machine
  [8/10]: adding the password extension to the directory
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring ipa_memcached
  [1/2]: starting ipa_memcached 
  [2/2]: configuring ipa_memcached to start on boot
Done configuring ipa_memcached.
Configuring ipa-otpd
  [1/2]: starting ipa-otpd 
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring the web interface (httpd): Estimated time 1 minute
  [1/16]: setting mod_nss port to 443
  [2/16]: setting mod_nss protocol list to TLSv1.0 - TLSv1.1
  [3/16]: setting mod_nss password file
  [4/16]: enabling mod_nss renegotiate
  [5/16]: adding URL rewriting rules
  [6/16]: configuring httpd
  [7/16]: configure certmonger for renewals
  [8/16]: setting up ssl
  [9/16]: importing CA certificates from LDAP
  [10/16]: setting up browser autoconfig
  [11/16]: publish CA cert
  [12/16]: creating a keytab for httpd
  [13/16]: clean up any existing httpd ccache
  [14/16]: configuring SELinux for httpd
  [15/16]: restarting httpd
  [16/16]: configuring httpd to start on boot
Done configuring the web interface (httpd).
Applying LDAP updates
Restarting Directory server to apply updates
  [1/2]: stopping directory server
  [2/2]: starting directory server
Done.
Restarting the directory server
Restarting the KDC
Restarting the certificate server
Configuring DNS (named)
  [1/12]: generating rndc key file
  [2/12]: adding DNS container
  [3/12]: setting up our zone
  [4/12]: setting up reverse zone
  [5/12]: setting up our own record
  [6/12]: setting up records for other masters
  [7/12]: adding NS record to the zones
  [8/12]: setting up CA record
  [9/12]: setting up kerberos principal
  [10/12]: setting up named.conf
  [11/12]: configuring named to start on boot
  [12/12]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting named

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

Restarting the web server
==============================================================================
Setup complete

Next steps:
	1. You must make sure these network ports are open:
		TCP Ports:
		  * 80, 443: HTTP/HTTPS
		  * 389, 636: LDAP/LDAPS
		  * 88, 464: kerberos
		  * 53: bind
		UDP Ports:
		  * 88, 464: kerberos
		  * 53: bind
		  * 123: ntp

	2. You can now obtain a kerberos ticket using the command: 'kinit admin'
	   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
	   and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password

Comment 18 errata-xmlrpc 2015-03-05 10:13:13 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html