Bug 1367868
| Summary: | Add options to retrieve lightweight CA certificate/chain | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Petr Vobornik <pvoborni> |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Mohammad Rizwan <myusuf> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.3 | CC: | akasurde, ftweedal, jcholast, mbasti, myusuf, pvoborni, rcritten |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-4.5.0-1.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-08-01 09:39:54 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Petr Vobornik
2016-08-17 16:45:04 UTC
A note as to why this is desired for 7.3: Often when you have a sub-CA you want to anchor trust at that sub-CA, e.g. so that a VPN server will only consider certs issued by a particular sub-CA created to issue VPN user certs. Currently IPA lacks a simple way to get the certificate for a sub-CA. It can be done in a roundabout way, i.e. by searching for certificates with the same subject name as the sub-CA, but this is awkward.

Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/c7ea56c049ec8ab1a5500852eca6faf750b1479f
https://fedorahosted.org/freeipa/changeset/cc5b88e5d4ac1171374be9ae8e6e60730243dd3d
https://fedorahosted.org/freeipa/changeset/32b1743e5fb318b226a602ec8d9a4b6ef2a25c9d

Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/ceb26f5ac428cdbed8ec1fa89e9ed6f1d903a5a0

version: ipa-server-4.5.0-13.el7.x86_64

```
[root@hp-dl380pgen8-02-vm-10 ~]# ipa ca-show --help
Usage: ipa [global-options] ca-show NAME [options]

Display the properties of a CA.
Options:
  -h, --help            show this help message and exit
  --rights              Display the access rights of this entry (requires
                        --all). See ipa man page for details.
  --chain               Include certificate chain in output
  --all                 Retrieve and print all attributes from the server.
                        Affects command output.
  --raw                 Print entries as stored on the server. Only affects
                        output format.
  --certificate-out=FILE
                        Write certificate (chain if --chain used) to file
[root@hp-dl380pgen8-02-vm-10 ~]# ipa ca-show --certificate-out=/root/ca.crt
Name: ipa
  Name: ipa
  Description: IPA CA
  Authority ID: 5f44b057-2994-49ee-a701-3d0826854d96
  Subject DN: CN=Certificate Authority,O=TESTRELM.TEST
  Issuer DN: CN=Certificate Authority,O=TESTRELM.TEST
  Certificate: [...]
[root@hp-dl380pgen8-02-vm-10 ~]# ll
total 72
-rw-------. 1 root    root    20266 May 29 01:55 anaconda-ks.cfg
-rw-------. 1 root    root     2612 May 29 06:34 ca-agent.p12
-rw-r--r--. 1 pkiuser pkiuser 10368 May 29 06:34 cacert.p12
-rw-r--r--. 1 root    root     1316 May 29 06:41 ca.crt
-rwxr-xr-x. 1 root    root      887 May 29 06:33 ipa.sh
-rw-r--r--. 1 root    root        4 May 29 01:54 NETBOOT_METHOD.TXT
[root@hp-dl380pgen8-02-vm-10 ~]# cat ca.crt
-----BEGIN CERTIFICATE-----
MIIDkTCCAnmgAwIBAgIBATANBgkqhkiG9w0BAQsFADA4MRYwFAYDVQQKDA1URVNU
UkVMTS5URVNUMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTcw
NTI5MTAzNDUzWhcNMzcwNTI5MTAzNDUzWjA4MRYwFAYDVQQKDA1URVNUUkVMTS5U
RVNUMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQC3kKtrV5MchW/Be3OxjiS5A4l1b7YeuFi4LIQZ
E83EoQ9oDxLoox/w/WeRtmzY0EotMYbHliZIdLI26pM/5ZUlbFKu7P5lnpVx5QNq
cuav4TO0m9yrguVdNuCRW1mLPOVM+WGgHbSMnL0YhzTw2jKmwQ9htK3nZRr89TU7
SrVQh7HGbQkenuUSoDj7TcrEBoxZtimpZfCLJBqTtZRJJDXjN0TX5KUXwHwgBp26
7LMqvTuGCONtNKZKbGu1+5L8sGoBwr/joGO4OlY/jtv1Qes5JDNjWLmafiyV02cL
3tiEHFH4X6h7x/BYk/xRDe/OhmMRSrBUFELfc9lVTarTzd8XAgMBAAGjgaUwgaIw
HwYDVR0jBBgwFoAUGFljoBH1xWw0THDBGKW2j8pgNE4wDwYDVR0TAQH/BAUwAwEB
/zAOBgNVHQ8BAf8EBAMCAcYwHQYDVR0OBBYEFBhZY6AR9cVsNExwwRilto/KYDRO
MD8GCCsGAQUFBwEBBDMwMTAvBggrBgEFBQcwAYYjaHR0cDovL2lwYS1jYS50ZXN0
cmVsbS50ZXN0L2NhL29jc3AwDQYJKoZIhvcNAQELBQADggEBAESKNzupNpNeKUax
PR11gorcQchuOBrZ23WBmMlnIgKw8TUB4k1CoQU6UvQ+66EsesdlF2N7Y5imkjTu
0+HBvPHqKhs/xLWQg41WvE4gBLIP55UxTe48pjdeY5ewDXiEEXqM0lFYEfNKsc9l
MJdswbnixsu00hDF7NhSE6bhbNv4+eehgnJVaSDhHkUnheJG0cmrZRssqDcldsMn
+tNUVsRRwX2y9cdaplGU9dQLWf/iwAF3J8vReigSr5xF0VM6Oo/q56djahIEP4IL
YPUV1cINvmiH/x9FWFXb54G1C8scQ/ttno5pt9zPUsGJB4B8DPnulH3dEhzELijw
QGit7bQ=
-----END CERTIFICATE-----
[root@hp-dl380pgen8-02-vm-10 ~]# ipa ca-show --certificate-out=/root/ca.crt --chain
Name: ipa
  Name: ipa
  Description: IPA CA
  Authority ID: 5f44b057-2994-49ee-a701-3d0826854d96
  Subject DN: CN=Certificate Authority,O=TESTRELM.TEST
  Issuer DN: CN=Certificate Authority,O=TESTRELM.TEST
  Certificate: [...]
  Certificate chain: [...]
[root@hp-dl380pgen8-02-vm-10 ~]#
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304
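Illustrating the trust-anchoring use case from the description (a VPN server that accepts only certificates issued by one sub-CA), as an added example that is not part of the bug report or of FreeIPA: the root, sub-CA and leaf certificates are generated locally with openssl, and the file names, subjects and the `-partial_chain` handling are assumptions. On a real deployment the sub-CA file is what `ipa ca-show NAME --certificate-out=FILE` writes, and the chain file is what the same command writes with `--chain`.

```shell
#!/bin/sh
# Added example, not code from the bug report or from FreeIPA: a throwaway
# root -> sub-CA -> leaf hierarchy built with openssl, used to show what it
# takes for an application (the VPN server from the description) to anchor
# trust at the sub-CA alone. On a real deployment sub.crt is the file written
# by `ipa ca-show NAME --certificate-out=FILE` and chain.crt the one written
# with --chain added; here both are generated locally (assumed names).
set -eu
cd "$(mktemp -d)"

gen_hierarchy() {
    # Self-signed root CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout root.key \
        -out root.crt -subj "/O=EXAMPLE.TEST/CN=Certificate Authority" 2>/dev/null
    # Sub-CA for VPN user certificates, signed by the root.
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' >sub.ext
    openssl req -newkey rsa:2048 -nodes -keyout sub.key -out sub.csr \
        -subj "/O=EXAMPLE.TEST/CN=VPN Users CA" 2>/dev/null
    openssl x509 -req -days 1 -in sub.csr -CA root.crt -CAkey root.key \
        -CAcreateserial -extfile sub.ext -out sub.crt 2>/dev/null
    # A VPN user cert issued by the sub-CA, and an unrelated cert issued by the root.
    openssl req -newkey rsa:2048 -nodes -keyout vpn.key -out vpn.csr \
        -subj "/O=EXAMPLE.TEST/CN=alice" 2>/dev/null
    openssl x509 -req -days 1 -in vpn.csr -CA sub.crt -CAkey sub.key \
        -CAcreateserial -out vpn.crt 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout other.key -out other.csr \
        -subj "/O=EXAMPLE.TEST/CN=host.example.test" 2>/dev/null
    openssl x509 -req -days 1 -in other.csr -CA root.crt -CAkey root.key \
        -CAcreateserial -out other.crt 2>/dev/null
    cat sub.crt root.crt >chain.crt   # what --chain would have written
}

# verify_ok TRUST CERT [-partial_chain]: succeeds iff openssl accepts CERT with
# TRUST as the only trust store. The "CERT: OK" line is checked instead of the
# exit status alone, since old openssl releases returned 0 on failure.
verify_ok() {
    openssl verify ${3:-} -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

show() {
    if verify_ok "$1" "$2" "${3:-}"; then echo "accepted: $*"; else echo "rejected: $*"; fi
}

gen_hierarchy
show sub.crt vpn.crt                   # rejected: no path to a self-signed root
show sub.crt vpn.crt -partial_chain    # accepted: trust anchored at the sub-CA
show sub.crt other.crt -partial_chain  # rejected: not issued under the sub-CA
show chain.crt other.crt               # accepted: chain file also trusts the root
```

The last case is the caveat: if the file produced with `--chain` is installed as the trust store, the root becomes a trust anchor as well and certificates from any other CA under that root are accepted too.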