Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1169591

Summary: RHEL7.1 ipa-cacert-manage renewed certificate from MS ADCS not compatible
Product: Red Hat Enterprise Linux 7 Reporter: Scott Poore <spoore>
Component: ipaAssignee: Jan Cholasta <jcholast>
Status: CLOSED ERRATA QA Contact: Namita Soman <nsoman>
Severity: unspecified Docs Contact:
Priority: medium    
Version: 7.1CC: jcholast, mkosek, mnavrati, rcritten
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.1.0-12.el7 Doc Type: Bug Fix
Doc Text:
The following known issue description has been removed from the RHEL 7.1 Beta Release Notes: Microsoft Certificate Services do not always keep the Subject Name binary encoding as defined in the Certificate Request. When IPA CA certificate signed by an external CA is being renewed using the ipa-cacert-manage command, the subject name of the certificate issued by the Microsoft Certificate Services does not always match the subject name of the originating certificate signing the request on binary level. To work around this problem, when renewing the IPA CA certificate signed by an external CA using ipa-cacert-manage, make sure the subject name of the certificate issued by the external CA matches the subject name of the originating certificate signing request on binary level. This is especially important for Microsoft Certificate Services, which by default uses the PrintableString encoding in subject names of certificates it issues, despite the encoding used in subject name of certificate signing requests. However, uses the UTF8String encoding by default. See http://support.microsoft.com/kb/888180 for instructions on how to configure MS CS to use UTF8String encoding in subject names.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2015-03-05 10:18:39 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1168850    

Description Scott Poore 2014-12-02 03:21:31 UTC 
Description of problem:

I'm trying to renew a CA Cert and change from self signed to external CA signed using MS ADCS.

[root@rhel7-2 ~]# ipa-cacert-manage renew --external-ca
Exporting CA certificate signing request, please wait
The next step is to get /var/lib/ipa/ca.csr signed by your CA and re-run ipa-cacert-manage as:
ipa-cacert-manage renew --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate
The ipa-cacert-manage command was successful

[root@rhel7-2 ~]# cd /root/certs

[root@rhel7-2 certs]# ls
adcs2_chain.p7b  ca.cer

[root@rhel7-2 certs]# openssl pkcs7 -print_certs -in /root/certs/adcs2_chain.p7b -inform DER -out /root/certs/adcs2_chain.pem

[root@rhel7-2 certs]# ipa-cacert-manage renew --external-cert-file=/root/certs/adcs2_chain.pem --external-cert-file=/root/certs/ca.cer -p Secret123
Importing the renewed CA certificate, please wait
Not compatible with the current CA certificate: %s
Command ''/usr/bin/certutil' '-d' '/tmp/tmpAYIjfk' '-A' '-n' 'IPA CA' '-t' 'C,,'' returned non-zero exit status 255


Version-Release number of selected component (if applicable):

ipa-server-4.1.0-10.el7.x86_64
certmonger-0.75.14-2.el7.x86_64
nss-tools-3.16.2.3-2.el7.x86_64


How reproducible:
unknown

Steps to Reproduce:
1.  Install IPA server
2.  ipa-cacert-manage renew --external-ca
3.  copy CSR to windows ADCS server
4.  sign cert
5.  copy cert and ADCS CA cert chain to IPA server
6.  convert ADCS CA cert chain from p7b to DER pem
    openssl pkcs7 -print_certs -in <p7b_file> -inform DER -out <pem_file>
7.  ipa-cacert-manage renew --external-cert-file=<pem_file> --external-cert-file=<cacert> -p <password>

Actual results:
fails like above

Expected results:
no fail

Additional info:
Comment 2 Jan Cholasta 2014-12-02 11:54:52 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4781
Comment 5 Scott Poore 2014-12-04 15:18:47 UTC 
Per Honza and Martin's suggestion:

https://bugzilla.redhat.com/show_bug.cgi?id=1129558#c11

I had to use that workaround to force UTF-8 encoding on ADCS side.

I was then able to use the signed cert.
Comment 8 Jan Cholasta 2014-12-10 17:11:06 UTC 
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/f7f3c83748b3b5d5d968cc3c72145f3c5f23cd8b
https://fedorahosted.org/freeipa/changeset/8f9c5988e2f370cef66a4cd7cf3d363f061a439c
ipa-4-1:
https://fedorahosted.org/freeipa/changeset/731035e526441b93b69fb20c6a6c990cdcdc4899
https://fedorahosted.org/freeipa/changeset/3cb2f5e841f5bac6a8cc02bc9467846b35f7aab8
Comment 10 Scott Poore 2014-12-19 16:53:54 UTC 
Verified.

Version ::

ipa-server-4.1.0-13.el7.x86_64

Results ::

# Just showing here that this is self-signed:

[root@vm1 ~]# getcert list -i 20141219162921
Number of certificates and requests being tracked: 8.
Request ID '20141219162921':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin='572794088956'
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=EXAMPLE.TEST
	subject: CN=Certificate Authority,O=EXAMPLE.TEST
	expires: 2034-12-19 16:28:38 UTC
	key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes

# Now, try to renew without workaround on AD CS:

[root@vm1 ~]# ipa-cacert-manage renew --external-ca
Exporting CA certificate signing request, please wait
The next step is to get /var/lib/ipa/ca.csr signed by your CA and re-run ipa-cacert-manage as:
ipa-cacert-manage renew --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate
The ipa-cacert-manage command was successful

[root@vm1 ~]# ls
anaconda-ks.cfg  ca-agent.p12  cacert.p12  ipa-tests

# copied CSR to ADCS and signed and copied back.

[root@vm1 ~]# ls
adcs3_chain.p7b  anaconda-ks.cfg  ca-agent.p12  ca.cer  cacert.p12  ipa-tests

# Convert ADCS CA Chain:

[root@vm1 ~]# openssl pkcs7 -print_certs -in adcs3_chain.p7b -inform DER -out adcs3_chain.pem

# Now I see new error message:

[root@vm1 ~]# ipa-cacert-manage renew --external-cert-file=ca.cer --external-cert-file=adcs3_chain.pem  -p Secret123
Importing the renewed CA certificate, please wait
Subject name encoding mismatch (visit http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
Comment 12 errata-xmlrpc 2015-03-05 10:18:39 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html