*certmonger* no longer fails to request certificates from IdM sub-CAs
The *certmonger* service previously used incorrect API calls to request certificates from IdM sub-Certificate Authorities (sub-CAs). As a consequence, the sub-CA setting was ignored and the certificate was always issued by the IdM root CA. This update fixes the bug, and *certmonger* now requests certificates from IdM sub-CAs as expected.
DescriptionAbhijeet Kasurde
2016-08-17 08:45:31 UTC
Description of problem:
When ipa-getcert request is triggered with Sub CA using -X argument, then command fails to issue certificate with Sub-CA as issuer.
See console.log for steps involved.
Version-Release number of selected component (if applicable):
ipa-server-4.4.0-7.el7.x86_64
How reproducible:
100%
Steps to Reproduce:
1. ipa ca-add
2. ipa-getcert request -k /samplereq1.key -f /samplereq1.crt -X SampleCA1
3. View issued certificate for issuer name
4. View ipa-getcert list -i <request_id> for issuer name
Actual results:
Issuer Name in certificate issued is set to default IPA CA instead of Sub CA
Expected results:
Issuer Name in certificate issued should be set to Sub CA
Additional info:
As per IRC chat with jcholast, https://git.fedorahosted.org/cgit/certmonger.git/tree/src/ipa.c#n384 - here it should say "cacn" instead of "ca"
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://rhn.redhat.com/errata/RHEA-2016-2519.html