Bug 1367868
| Summary: | Add options to retrieve lightweight CA certificate/chain | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Petr Vobornik <pvoborni> |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Mohammad Rizwan <myusuf> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.3 | CC: | akasurde, ftweedal, jcholast, mbasti, myusuf, pvoborni, rcritten |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-4.5.0-1.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-08-01 09:39:54 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Petr Vobornik
2016-08-17 16:45:04 UTC
A note as to why this is desired for 7.3: Often when you have a sub-CA you want to anchor trust at that sub-CA, e.g. so that a VPN server will only consider certs issued by a particular sub-CA created to issue VPN user certs. Currently IPA lacks a simple way to get the certificate for a sub-CA. It can be done in a roundabout way, i.e. by searching for certificates with the same subject name as the sub-CA, but this is awkward.

Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/c7ea56c049ec8ab1a5500852eca6faf750b1479f
https://fedorahosted.org/freeipa/changeset/cc5b88e5d4ac1171374be9ae8e6e60730243dd3d
https://fedorahosted.org/freeipa/changeset/32b1743e5fb318b226a602ec8d9a4b6ef2a25c9d

Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/ceb26f5ac428cdbed8ec1fa89e9ed6f1d903a5a0

version:
ipa-server-4.5.0-13.el7.x86_64
```
[root@hp-dl380pgen8-02-vm-10 ~]# ipa ca-show --help
Usage: ipa [global-options] ca-show NAME [options]

Display the properties of a CA.
Options:
  -h, --help            show this help message and exit
  --rights              Display the access rights of this entry (requires
                        --all). See ipa man page for details.
  --chain               Include certificate chain in output
  --all                 Retrieve and print all attributes from the server.
                        Affects command output.
  --raw                 Print entries as stored on the server. Only affects
                        output format.
  --certificate-out=FILE
                        Write certificate (chain if --chain used) to file
[root@hp-dl380pgen8-02-vm-10 ~]# ipa ca-show --certificate-out=/root/ca.crt
Name: ipa
  Name: ipa
  Description: IPA CA
  Authority ID: 5f44b057-2994-49ee-a701-3d0826854d96
  Subject DN: CN=Certificate Authority,O=TESTRELM.TEST
  Issuer DN: CN=Certificate Authority,O=TESTRELM.TEST
  Certificate: [base64 certificate omitted]
[root@hp-dl380pgen8-02-vm-10 ~]# ll
total 72
-rw-------. 1 root    root    20266 May 29 01:55 anaconda-ks.cfg
-rw-------. 1 root    root     2612 May 29 06:34 ca-agent.p12
-rw-r--r--. 1 pkiuser pkiuser 10368 May 29 06:34 cacert.p12
-rw-r--r--. 1 root    root     1316 May 29 06:41 ca.crt
-rwxr-xr-x. 1 root    root      887 May 29 06:33 ipa.sh
-rw-r--r--. 1 root    root        4 May 29 01:54 NETBOOT_METHOD.TXT
[root@hp-dl380pgen8-02-vm-10 ~]# cat ca.crt
-----BEGIN CERTIFICATE-----
[base64 certificate omitted]
-----END CERTIFICATE-----
[root@hp-dl380pgen8-02-vm-10 ~]# ipa ca-show --certificate-out=/root/ca.crt --chain
Name: ipa
  Name: ipa
  Description: IPA CA
  Authority ID: 5f44b057-2994-49ee-a701-3d0826854d96
  Subject DN: CN=Certificate Authority,O=TESTRELM.TEST
  Issuer DN: CN=Certificate Authority,O=TESTRELM.TEST
  Certificate: [base64 certificate omitted]
  Certificate chain: [base64 certificate chain omitted]
[root@hp-dl380pgen8-02-vm-10 ~]#
```
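The use case from the description (anchoring trust at a sub-CA so a VPN server accepts only the certificates that sub-CA issued), as an added example that is not code from the bug report or from FreeIPA: `vpn-ca.crt` stands in for the file `ipa ca-show vpn-ca --certificate-out=FILE` would write (the CA name `vpn-ca`, the realm `EXAMPLE.TEST` and all certificates are constructed with openssl so the script runs offline).

```shell
#!/bin/sh
# Added example, not code from the bug report or FreeIPA. vpn-ca.crt stands in for the
# file that "ipa ca-show vpn-ca --certificate-out=/etc/vpn/vpn-ca.crt" would write
# (CA name and path assumed); root, sub-CA and client certs are constructed with openssl.
set -eu

# make_cert NAME CN EXTENSIONS ISSUER_CRT ISSUER_KEY: key + CSR, signed by the issuer.
make_cert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/O=EXAMPLE.TEST/CN=$2" >/dev/null 2>&1
  printf '%b' "$3" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA "$4" -CAkey "$5" -CAcreateserial \
    -out "$1.crt" -days 2 -extfile "$1.ext" >/dev/null 2>&1
}

# Returns 0 only if trust really ends at the sub-CA: its own issuee verifies and a
# certificate issued by the root (the IPA CA's stand-in) does not.
demo_subca_anchor() {
  dir=$(mktemp -d)
  ca_ext='basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n'
  ee_ext='basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n'
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/root.key" \
    -out "$dir/root.crt" -subj "/O=EXAMPLE.TEST/CN=Certificate Authority" -days 2 \
    >/dev/null 2>&1
  make_cert "$dir/vpn-ca" "VPN Sub-CA" "$ca_ext" "$dir/root.crt" "$dir/root.key"
  make_cert "$dir/vpnuser" "alice" "$ee_ext" "$dir/vpn-ca.crt" "$dir/vpn-ca.key"
  make_cert "$dir/other" "bob" "$ee_ext" "$dir/root.crt" "$dir/root.key"

  # 1. The sub-CA file alone as -CAfile is NOT enough: openssl only stops at a
  #    self-signed anchor by default and fails with "unable to get issuer certificate".
  if openssl verify -CAfile "$dir/vpn-ca.crt" "$dir/vpnuser.crt" >/dev/null 2>&1; then
    echo "unexpected: non-self-signed anchor accepted without -partial_chain"; return 1
  fi
  # 2. With -partial_chain the sub-CA itself is the trust anchor ...
  openssl verify -partial_chain -CAfile "$dir/vpn-ca.crt" "$dir/vpnuser.crt" \
    >/dev/null 2>&1 || { echo "sub-CA-issued cert should verify"; return 1; }
  # 3. ... and anything the root (or another sub-CA) issued is rejected.
  if openssl verify -partial_chain -CAfile "$dir/vpn-ca.crt" "$dir/other.crt" \
      >/dev/null 2>&1; then
    echo "root-issued cert must not verify against the sub-CA anchor"; return 1
  fi
  rm -rf "$dir"
  echo "trust correctly anchored at the sub-CA"
}

demo_subca_anchor
```

The first check is the practical caveat: dropping the retrieved sub-CA certificate into a CA bundle is not by itself an anchor, since OpenSSL keeps walking up to a self-signed root unless partial-chain trust is enabled (or the consuming software does the equivalent).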
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2304