Bug 1200694

Summary: [RFE] Support for multiple cert profiles
Product: Red Hat Enterprise Linux 7 Reporter: Martin Kosek <mkosek>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Namita Soman <nsoman>
Severity: unspecified Docs Contact: Aneta Šteflová Petrová <apetrova>
Priority: medium    
Version: 7.0CC: jcholast, mbasti, mnavrati, rcritten, spoore, vmishra
Target Milestone: rcKeywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.2.0-5.el7 Doc Type: Release Note
Doc Text:
Support for multiple certificate profiles and user certificates Identity Management now supports multiple profiles for issuing server and other certificates instead of only supporting a single server certificate profile. The profiles are stored in the Directory Server and shared between IdM replicas. In addition, the administrator can now issue certificates to individual users. Previously, it was only possible to issue certificates to hosts and services.
 Story Points: ---
Clone Of:
: 1248469 (view as bug list) Environment:
Last Closed: 2015-11-19 12:01:54 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1200728, 1248725    
Bug Blocks: 1181710    

Description Martin Kosek 2015-03-11 08:32:29 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/57

We currently support a single certificate profile, for issuing server certs. If we are going to need to issue certificates for other profiles (e.g. tickets #53, 55) then we need to add the plumbing for that.

Profiles will be stored in Dogtag. A small amount of metadata will be stored in FreeIPA's directory to track these profiles, store their current state (enabled, disabled) and mapping to groups that are allowed to use the profile.

IPA must be modified to respect the profile parameter in requests from Certmonger (currently ignored).

Rich profile management (use of a command-line tool or Web UI to build new profiles for use with FreeIPA, rather than the presuppose the existence of a profile) can be implemented on top of the basic profiles support, if there is demand. At a minimum, there should be tutorials and improved documentation in Dogtag for how to define certificate profiles.
Comment 1 Petr Vobornik 2015-04-07 13:11:49 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4970
Comment 2 Petr Vobornik 2015-04-14 15:29:33 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2915
Comment 3 Petr Vobornik 2015-04-14 15:45:15 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4752
Comment 4 Jan Cholasta 2015-06-04 08:35:12 UTC 
master:
https://fedorahosted.org/freeipa/changeset/3d15f2966bf389c5f66386a973c1d4a58595fc65
https://fedorahosted.org/freeipa/changeset/273a297e97f157fb596cd9be0dc75a1382b94cfc
https://fedorahosted.org/freeipa/changeset/35af0d6d66e623012755acca44bd77186067d156
https://fedorahosted.org/freeipa/changeset/300b74fc7fb2a5ce540b2d21189794a5b2db88b1
https://fedorahosted.org/freeipa/changeset/4cf2bfcaa62e9220fdeee952bf719452884507cd
https://fedorahosted.org/freeipa/changeset/a931d3edc00f7578223df2afeebdf2da3dd85a68
Comment 5 Jan Cholasta 2015-06-11 10:51:20 UTC 
master:
https://fedorahosted.org/freeipa/changeset/bc0c60688505968daf6851e3e179aab20e23af7d
https://fedorahosted.org/freeipa/changeset/947af1a037609fa42cbfd794301d5a5c4061c81b
Comment 6 Martin Kosek 2015-06-30 10:47:41 UTC 
The functionality is there. From now on, the feature is in bugfixing mode upstream.
Comment 7 Martin Kosek 2015-07-07 12:25:40 UTC 
Ticket 4970 was unlinked from this Bugzilla, it was postponed upstream:

https://fedorahosted.org/freeipa/ticket/4970#comment:10
Comment 9 Jan Cholasta 2015-07-15 11:56:57 UTC 
Ticket 5074 fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/67b2b3408579814f7ff307cfd20bc4250edbea15
ipa-4-2:
https://fedorahosted.org/freeipa/changeset/62e30d007275a3051370006a7546a5b3158f9686
Comment 10 Jan Cholasta 2015-07-15 11:57:49 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5074
Comment 12 Scott Poore 2015-08-04 13:02:57 UTC 
Marking this one back to assigned since it is blocked by bug #1248725.
Comment 13 Scott Poore 2015-08-04 13:37:27 UTC 
Moving back to ON_QA as bug #1248725 was resolved as a simple configuration issue and not a bug.
Comment 14 Jan Cholasta 2015-08-10 07:02:57 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5089
Comment 15 Jan Cholasta 2015-08-10 07:17:43 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5090
Comment 16 Jan Cholasta 2015-08-10 07:23:48 UTC 
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/2596adb312700a6133a4405851af9aec62941cd9/
https://fedorahosted.org/freeipa/changeset/a4ade199aa594307cdd6bc43d1729cc42e92fd1e/
ipa-4-2:
https://fedorahosted.org/freeipa/changeset/b4722beb78cafcb196c10392a48b22022a425e8e/
https://fedorahosted.org/freeipa/changeset/d80e90fa5c5ad41f5f29a02c11bca7c7da269938/
Comment 17 Jan Cholasta 2015-08-11 10:25:36 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5190
Comment 18 Jan Cholasta 2015-08-11 10:27:22 UTC 
Ticket 5190 fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/6f8b0ed4fa8cb20a89915e74d805d4e7db90b6f9
https://fedorahosted.org/freeipa/changeset/aafc0e980be43c4956308a39d2ca45c7e50fa3ab
ipa-4-2:
https://fedorahosted.org/freeipa/changeset/8cc61cc42c3e3422e79da69c7a2c3e594b5931ca
https://fedorahosted.org/freeipa/changeset/0e44568695e22752c250ead17eeb08e7a1561466
Comment 19 Jan Cholasta 2015-08-11 13:00:21 UTC 
Ticket 4752 fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/812ab600a33f0a334e757420783583f700ec07e7
ipa-4-2:
https://fedorahosted.org/freeipa/changeset/2001e7b7b42e583e04e0cc18cecef328ef0c483d
Comment 20 Jan Cholasta 2015-08-11 13:35:37 UTC 
Ticket 4752 fixed upstream (additional fix)
master:
https://fedorahosted.org/freeipa/changeset/e92f25bd50b60ce3c5d2c09bea700001050651a3
ipa-4-2:
https://fedorahosted.org/freeipa/changeset/190c7c08c87f6c57edde3cde4eaa1edeb9b7c8c4
Comment 21 Jan Cholasta 2015-08-11 13:39:44 UTC 
Unlinking ticket 2915, as it has been postponed upstream:

https://fedorahosted.org/freeipa/ticket/2915#comment:11
Comment 22 Jan Cholasta 2015-08-11 13:50:29 UTC 
Also unlinking ticket 5089, it has not been fixed upstream yet and it is not critical for this RFE.
Comment 26 Martin Bašti 2015-08-18 17:47:53 UTC 
Ticket 5198 fixed upstream
ipa-4-2:
https://fedorahosted.org/freeipa/changeset/9ca156c85919108d0c13718384dc196075364398
master:
https://fedorahosted.org/freeipa/changeset/27988f1b836874d6b1df0659bc95390636caeb78
Comment 29 Scott Poore 2015-08-25 21:37:57 UTC 
Verified.

Version ::

ipa-server-4.2.0-5.el7.x86_64

Results ::

[root@master /]# ipa help certprofile
Manage Certificate Profiles

Certificate Profiles are used by Certificate Authority (CA) in the signing of
certificates to determine if a Certificate Signing Request (CSR) is acceptable,
and if so what features and extensions will be present on the certificate.

The Certificate Profile format is the property-list format understood by the
Dogtag or Red Hat Certificate System CA.

PROFILE ID SYNTAX:

A Profile ID is a string without spaces or punctuation starting with a letter
and followed by a sequence of letters, digits or underscore ("_").

EXAMPLES:

  Import a profile that will not store issued certificates:
    ipa certprofile-import ShortLivedUserCert \
      --file UserCert.profile --desc "User Certificates" \
      --store=false

  Delete a certificate profile:
    ipa certprofile-del ShortLivedUserCert

  Show information about a profile:
    ipa certprofile-show ShortLivedUserCert

  Save profile configuration to a file:
    ipa certprofile-show caIPAserviceCert --out caIPAserviceCert.cfg

  Search for profiles that do not store certificates:
    ipa certprofile-find --store=false

PROFILE CONFIGURATION FORMAT:

The profile configuration format is the raw property-list format
used by Dogtag Certificate System.  The XML format is not supported.

The following restrictions apply to profiles managed by FreeIPA:

- When importing a profile the "profileId" field, if present, must
  match the ID given on the command line.

- The "classId" field must be set to "caEnrollImpl"

- The "auth.instance_id" field must be set to "raCertAuth"

- The "certReqInputImpl" input class and "certOutputImpl" output
  class must be used.

Topic commands:
  certprofile-del     Delete a Certificate Profile.
  certprofile-find    Search for Certificate Profiles.
  certprofile-import  Import a Certificate Profile.
  certprofile-mod     Modify Certificate Profile configuration.
  certprofile-show    Display the properties of a Certificate Profile.

To get command help, use:
  ipa <command> --help

[root@master /]# ipa certprofile-show caIPAserviceCert --out=/tmp/caIPAserviceCert.out
----------------------------------------------------------------
Profile configuration stored in file '/tmp/caIPAserviceCert.out'
----------------------------------------------------------------
  Profile ID: caIPAserviceCert
  Profile description: Standard profile for network services
  Store issued certificates: TRUE

[root@master /]# cat /tmp/caIPAserviceCert.out
auth.instance_id=raCertAuth
classId=caEnrollImpl
desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
enable=true
enableBy=ipara
input.i1.class_id=certReqInputImpl
input.i2.class_id=submitterInfoInputImpl
input.list=i1,i2
name=IPA-RA Agent-Authenticated Server Certificate Enrollment
output.list=o1
output.o1.class_id=certOutputImpl
policyset.list=serverCertSet
policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.serverCertSet.1.constraint.name=Subject Name Constraint
policyset.serverCertSet.1.constraint.params.accept=true
policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
policyset.serverCertSet.1.default.name=Subject Name Default
policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, O=TESTRELM.TEST
policyset.serverCertSet.10.constraint.class_id=noConstraintImpl
policyset.serverCertSet.10.constraint.name=No Constraint
policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl
policyset.serverCertSet.10.default.name=Subject Key Identifier Extension Default
policyset.serverCertSet.10.default.params.critical=false
policyset.serverCertSet.11.constraint.class_id=noConstraintImpl
policyset.serverCertSet.11.constraint.name=No Constraint
policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.11.default.name=User Supplied Extension Default
policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17
policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
policyset.serverCertSet.2.constraint.name=Validity Constraint
policyset.serverCertSet.2.constraint.params.notAfterCheck=false
policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
policyset.serverCertSet.2.constraint.params.range=740
policyset.serverCertSet.2.default.class_id=validityDefaultImpl
policyset.serverCertSet.2.default.name=Validity Default
policyset.serverCertSet.2.default.params.range=731
policyset.serverCertSet.2.default.params.startTime=0
policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
policyset.serverCertSet.3.constraint.name=Key Constraint
policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
policyset.serverCertSet.3.constraint.params.keyType=RSA
policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
policyset.serverCertSet.3.default.name=Key Default
policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
policyset.serverCertSet.4.constraint.name=No Constraint
policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
policyset.serverCertSet.4.default.name=Authority Key Identifier Default
policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
policyset.serverCertSet.5.constraint.name=No Constraint
policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
policyset.serverCertSet.5.default.name=AIA Extension Default
policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://ipa-ca.testrelm.test/ca/ocsp
policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
policyset.serverCertSet.6.default.name=Key Usage Default
policyset.serverCertSet.6.default.params.keyUsageCritical=true
policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
policyset.serverCertSet.7.constraint.name=No Constraint
policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
policyset.serverCertSet.8.constraint.name=No Constraint
policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
policyset.serverCertSet.8.default.name=Signing Alg
policyset.serverCertSet.8.default.params.signingAlg=-
policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
policyset.serverCertSet.9.constraint.name=No Constraint
policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl
policyset.serverCertSet.9.default.name=CRL Distribution Points Extension Default
policyset.serverCertSet.9.default.params.crlDistPointsCritical=false
policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true
policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=CN=Certificate Authority,o=ipaca
policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName
policyset.serverCertSet.9.default.params.crlDistPointsNum=1
policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://ipa-ca.testrelm.test/ipa/crl/MasterCRL.bin
policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName
policyset.serverCertSet.9.default.params.crlDistPointsReasons_0=
policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
profileId=caIPAserviceCert
visible=false

[root@master /]#  cp /tmp/caIPAserviceCert.out /tmp/newcertprofile.cfg

[root@master /]# vim /tmp/newcertprofile.cfg

[root@master /]# diff /tmp/caIPAserviceCert.out /tmp/newcertprofile.cfg
3c3
< desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
---
> desc=New Profile for Testing
9c9
< name=IPA-RA Agent-Authenticated Server Certificate Enrollment
---
> name=New IPA-RA based profile for test
88c88
< policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
---
> policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.4
108d107
< profileId=caIPAserviceCert


[root@master /]# ipa certprofile-import new_cert_profile --file=/tmp/newcertprofile.cfg --store=True --desc="New Cert Profile"
-----------------------------------
Imported profile "new_cert_profile"
-----------------------------------
  Profile ID: new_cert_profile
  Profile description: New Cert Profile
  Store issued certificates: TRUE


[root@master /]# ipa user-add --first=testuser1 --last=lastname --email=testuser1 testuser1
----------------------
Added user "testuser1"
----------------------
  User login: testuser1
  First name: testuser1
  Last name: lastname
  Full name: testuser1 lastname
  Display name: testuser1 lastname
  Initials: tl
  Home directory: /home/testuser1
  GECOS: testuser1 lastname
  Login shell: /bin/sh
  Kerberos principal: testuser1
  Email address: testuser1
  UID: 744800005
  GID: 744800005
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
[root@master /]# echo redhat|ipa passwd testuser1
----------------------------------------------
Changed password for "testuser1"
----------------------------------------------
[root@master /]# echo -e 'redhat\nSecret123\nSecret123' | kinit testuser1
Password for testuser1: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 
[root@master /]# kdestroy -A
[root@master /]# echo Secret123|kinit admin
Password for admin: 
[root@master /]# cat > testuser1.cnf <<EOF
> [req]
> default_bits = 2048
> distinguished_name = req_distinguished_name
> req_extensions = v3_req
> prompt = no
> encrypt_key = no
> 
> [req_distinguished_name]
> commonName = testuser1
> 
> [ v3_req ]
> subjectAltName = email:testuser1
> EOF
[root@master /]# 
[root@master /]# openssl req -out testuser1.csr -new -newkey rsa:2048 -nodes -keyout testuser1.key -config testuser1.cnf
Generating a 2048 bit RSA private key
.......................+++
............................................................................+++
writing new private key to 'testuser1.key'
-----
[root@master /]# 
[root@master /]# ipa caacl-add --profilecat=all wide_open_acls --usercat=all --hostcat=all --servicecat=all
-----------------------------
Added CA ACL "wide_open_acls"
-----------------------------
  ACL name: wide_open_acls
  Enabled: TRUE
  Profile category: all
  User category: all
  Host category: all
  Service category: all
[root@master /]# ipa cert-request testuser1.csr --profile-id=new_cert_profile --principal=testuser1
  Certificate: MIIEKTCCAxGgAwIBAgIBFzANBgkqhkiG9w0BAQsFADA4MRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTUwODI1MjEzNzEwWhcNMTcwODI1MjEzNzEwWjAsMRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMRIwEAYDVQQDDAl0ZXN0dXNlcjEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+DzacMuWCHnC9nfLQnv1jMES6vivcNCMHB1CIxLt3YxAg6dkWPApVGP0l13ZE83JKpM3q84WP2u1VFIeOddfEy9w2J5nqgHQTfQzIu3B8SQu5uxEKGX9DlFxhgMfLBfminx3cNvkVP8d/G6uebwEV/awdKiCIXu/1Z8QdnurAG2FfrkzQ8IpMyl+/NMcojEDHe/yHFz1PABQyBOXYcsGk3Vq+xSt4ZYMAOqAv4qPrcbinFmLcb00LbA75j2Gxj5j2lw4Yg0Ofe+OZLGLc4mPwmTlcOtEglNPVkCOG8fMrxhhA1DmvT+iOoO5oOYACAihDP65ZMriDmTmcJbro/OiLAgMBAAGjggFIMIIBRDAfBgNVHSMEGDAWgBQ8nlVXMWjm1SJaTwhvKJjYsdJ9tzA/BggrBgEFBQcBAQQzMDEwLwYIKwYBBQUHMAGGI2h0dHA6Ly9pcGEtY2EudGVzdHJlbG0udGVzdC9jYS9vY3NwMA4GA1UdDwEB/wQEAwIE8DATBgNVHSUEDDAKBggrBgEFBQcDBDB4BgNVHR8EcTBvMG2gNaAzhjFodHRwOi8vaXBhLWNhLnRlc3RyZWxtLnRlc3QvaXBhL2NybC9NYXN0ZXJDUkwuYmluojSkMjAwMQ4wDAYDVQQKDAVpcGFjYTEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB0GA1UdDgQWBBRK+ltkEsyC12Iev1gZHnDPuUy/YDAiBgNVHREEGzAZgRd0ZXN0dXNlcjFAdGVzdHJlbG0udGVzdDANBgkqhkiG9w0BAQsFAAOCAQEAXx4198vOlYdbXxcCF948fPF/94dQXy0wEJmoD2KOx50OeRsw6p7H9K/dBoSwuKyVg4wgt35S12ee7aSJF+MQOphMAmdvb7RMIh65UJ6mHvAfDIefkGkDk0vDNSaVgmGKiNdnJNtw2jhduMNQsnVj0IDLdKrvAm1V82sbPK+csYheTm34U/yd/6JmUK6OQKQapodFJoX4Q/4RDBIWZYkUdoq7kSOLVuElOtpQIe1d3LsznWI6fEdslbn+NYI41S304Rt+bc9JEX9xpt61Vrlse3zPhBRZbPgAPbi95fpQ/fObMQ08PwDvSzzZXGm7rCA7tr9O0Hq96Zhdfyiztkrf9w==
  Subject: CN=testuser1,O=TESTRELM.TEST
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Tue Aug 25 21:37:10 2015 UTC
  Not After: Fri Aug 25 21:37:10 2017 UTC
  Fingerprint (MD5): 3c:f1:fb:d5:09:ee:f4:2f:c9:89:20:9e:44:84:66:86
  Fingerprint (SHA1): 0b:50:49:64:ef:ba:67:a7:9a:e2:bb:f9:54:0c:0f:10:3b:84:f6:52
  Serial number: 23
  Serial number (hex): 0x17
Comment 30 Martin Bašti 2015-10-27 09:06:17 UTC 
Upstream tests:
master:
https://fedorahosted.org/freeipa/changeset/30f0a034e18f8084fb9ac5de989f0c74870a2710
https://fedorahosted.org/freeipa/changeset/36f7074683a3dab10c22efaf7439d8b549516349
https://fedorahosted.org/freeipa/changeset/897c9c9c439b4736413480b53b17de3cad76db4a
https://fedorahosted.org/freeipa/changeset/8d64485b2ea2512ad7254c7e5bd2906aa6ba45ed
https://fedorahosted.org/freeipa/changeset/d2ff5e4639157a839fe7d3c36b462e2195c32f4a
https://fedorahosted.org/freeipa/changeset/5ab0fcabf3e6ac7970c1803893717301a4b4cfe8

ipa-4-2:
https://fedorahosted.org/freeipa/changeset/5aba3c71fabbf31bed5d4bc3b4a44be6de2d966d
https://fedorahosted.org/freeipa/changeset/438a29fa8f694500d3693b0050c80d04c2da3d53
https://fedorahosted.org/freeipa/changeset/127b1099a0a550ad323c154a06d15ef2daf290f6
https://fedorahosted.org/freeipa/changeset/b6193e8cbf1a8175a12c3f28de6fe2cbab68d9bf
https://fedorahosted.org/freeipa/changeset/f1414fe97e5bb2fa124193063be179cc6a7674db
https://fedorahosted.org/freeipa/changeset/21fed035beab7dbee59f1e0c29d203345f0d0c7f
Comment 33 errata-xmlrpc 2015-11-19 12:01:54 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html