Bug 1399190
Summary: | [RFE] Certificates issued by externally signed IdM CA should contain full trust chain | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Thorsten Scherf <tscherf> |
Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
Status: | CLOSED ERRATA | QA Contact: | Michal Reznik <mreznik> |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | 7.4 | CC: | dkupka, enewland, gparente, ipa-maint, jcholast, mkosek, pvoborni, rcritten |
Target Milestone: | rc | Keywords: | FutureFeature |
Target Release: | --- | | |
Hardware: | All | | |
OS: | All | | |
Whiteboard: | | | |
Fixed In Version: | ipa-4.5.0-1.el7 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2017-08-01 09:44:33 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 1420851 | | |
Description
Thorsten Scherf
2016-11-28 14:09:41 UTC
Workaround to roll out the IPA CA certificate using a GPO (on Windows clients):
https://technet.microsoft.com/de-de/library/cc770315(v=ws.10).aspx

Currently proposed user story for this enhancement:

As Administrator, I want to get a certificate issued by IdM CA with its full certificate chain, so that my (web) service can present the full chain to its clients and be trusted even if clients are trusting a CA upper in the chain and not IdM CA directly.

This should result in a new option for certificate-request and cert-show commands to return the certificate with its full chain.

Comments/validation welcome.

(In reply to Martin Kosek from comment #3)
> Currently proposed user story for this enhancement:
>
> As Administrator, I want to get a certificate issued by IdM CA with its
> full certificate chain, so that my (web) service can present the full chain
> to its clients and be trusted even if clients are trusting a CA upper in
> the chain and not IdM CA directly.
> [...]
> Comments/validation welcome.

Sounds exactly right.

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6547

This looks also related:
https://fedorahosted.org/freeipa/ticket/6178

Fixed upstream
master:
https://pagure.io/freeipa/c/c60d9c9744b1f8a7b55bcdda65cce8bb36700bf6
https://pagure.io/freeipa/c/8ed891cb619abd2efd428f767edf760ebf5eec5d

Verified on:

ipa-server-4.5.0-13.el7.x86_64
pki-server-10.4.1-4.el7.noarch
selinux-policy-3.13.1-151.el7.noarch

1. Get CSR from ipa installer

[root@master ~]# ipa-server-install -r TESTRELM.TEST -n testrelm.test -p 'XXX' -a 'XXX' --setup-dns --forwarder 192.168.222.1 --external-ca -U
<snip>
  [6/10]: creating a keytab for the machine
  [7/10]: adding the password extension to the directory
  [8/10]: creating anonymous principal
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/8]: configuring certificate server instance
The next step is to get /root/ipa.csr signed by your CA and re-run /usr/sbin/ipa-server-install as:
/usr/sbin/ipa-server-install --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate

2. Sign it with external CA

[root@master ~]# openssl x509 -req -in ipa.csr -CA nssdb/ca1.pem -CAkey nssdb/ca1.key -CAcreateserial -extfile ext.cnf -out ipa.pem
Signature ok
subject=/O=TESTRELM.TEST/CN=Certificate Authority
Getting CA Private Key

3. Complete the installation

[root@master ~]# ipa-server-install --external-cert-file=/root/ipa.pem --external-cert-file=/root/ca1.pem
<snip>
  [5/7]: adding DNSSEC containers
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
Configuring client side components
Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: master.testrelm.test
Realm: TESTRELM.TEST
DNS Domain: testrelm.test
IPA Server: master.testrelm.test
BaseDN: dc=testrelm,dc=test
Skipping synchronizing time with NTP server.
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
trying https://master.testrelm.test/ipa/json
Forwarding 'schema' to json server 'https://master.testrelm.test/ipa/json'
trying https://master.testrelm.test/ipa/session/json
Forwarding 'ping' to json server 'https://master.testrelm.test/ipa/session/json'
Forwarding 'ca_is_enabled' to json server 'https://master.testrelm.test/ipa/session/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://master.testrelm.test/ipa/session/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring testrelm.test as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

==============================================================================
Setup complete

Next steps:
    1. You must make sure these network ports are open:
        TCP Ports:
          * 80, 443: HTTP/HTTPS
          * 389, 636: LDAP/LDAPS
          * 88, 464: kerberos
          * 53: bind
        UDP Ports:
          * 88, 464: kerberos
          * 53: bind
          * 123: ntp

    2. You can now obtain a kerberos ticket using the command: 'kinit admin'
       This ticket will allow you to use the IPA tools (e.g., ipa user-add)
       and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password

4. Check if we have full CA chain.

[root@master ~]# ipa cert-show --chain
Serial number: 10
  Issuing CA: ipa
  Certificate: <snip>
  Certificate chain: <snip>, <snip>, <snip>
  Subject: CN=master.testrelm.test,O=TESTRELM.TEST
  Subject UPN: krbtgt/TESTRELM.TEST
  Subject Kerberos principal name: krbtgt/TESTRELM.TEST
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Wed May 24 09:52:12 2017 UTC
  Not After: Fri Jun 23 09:46:37 2017 UTC
  Serial number: 10
  Serial number (hex): 0xA
  Revoked: False

5. Check if we have full CA chain in new service certificate.
[root@master ~]# openssl genrsa -out tester.key 2048
Generating RSA private key, 2048 bit long modulus
...................................................+++
..........................+++
e is 65537 (0x10001)

[root@master ~]# openssl req -new -sha256 -key tester.key -out tester.csr
<snip>
Common Name (eg, your name or your server's hostname) []:tester.testrelm.test
<snip>

[root@master ~]# ipa host-add tester.testrelm.test --force
---------------------------------
Added host "tester.testrelm.test"
---------------------------------
  Host name: tester.testrelm.test
  Principal name: host/tester.testrelm.test
  Principal alias: host/tester.testrelm.test
  Password: False
  Keytab: False
  Managed by: tester.testrelm.test

[root@master ~]# ipa cert-request --add --principal=HTTP/tester.testrelm.test tester.csr
  Issuing CA: ipa
  Certificate: <snip>
  Subject: CN=tester.testrelm.test,O=TESTRELM.TEST
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Wed May 24 10:35:42 2017 UTC
  Not After: Fri Jun 23 09:46:37 2017 UTC
  Serial number: 11
  Serial number (hex): 0xB

[root@master ~]# ipa cert-show --all
Serial number: 11
  Issuing CA: ipa
  Certificate: <snip>
  Certificate chain: <snip>, <snip>, <snip>
  Subject: CN=tester.testrelm.test,O=TESTRELM.TEST
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Wed May 24 10:35:42 2017 UTC
  Not After: Fri Jun 23 09:46:37 2017 UTC
  Fingerprint (SHA1): 2c:4e:cf:fd:03:a0:44:09:e7:3d:f9:31:03:c0:ef:55:c5:e8:93:fd
  Fingerprint (SHA256): 4d:57:1c:2d:ce:cc:cd:a4:aa:5e:da:c6:2e:0b:59:6b:62:f1:31:3b:e3:a3:a1:86:d2:99:ff:f8:d5:0c:d7:8d
  Serial number: 11
  Serial number (hex): 0xB
  Revoked: False
  Owner service: HTTP/tester.testrelm.test

Please note that Red Hat officially released public RHEL-7.4 Beta this week, as announced here:
https://www.redhat.com/en/about/blog/red-hat-enterprise-linux-74-beta-now-available

The new RHEL-7.4 release includes a lot of new IdM functionality, including this RFE. Highlights can be found in RHEL-7.4 Release Notes, especially in the Authentication & Interoperability chapter:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html/7.4_Release_Notes/new_features_authentication_and_interoperability.html

IdM Engineering team would like to encourage everyone interested in this new functionality (and especially customers or community members requesting it) to try Beta and provide us with your feedback!

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304
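
Why the full chain matters to a client that trusts only the external CA, as an added example (not part of this bug report or of FreeIPA's code): it builds a constructed three-level PKI with openssl, rebuilds a PEM bundle from a comma-separated base64 chain value of the kind cert-show --chain prints, and verifies the service certificate with and without that bundle. The helper names, file names, the "External Root CA" subject and the leaf-first order of the chain are assumptions.

```sh
#!/bin/sh
# Constructed demo PKI: external root -> "IdM CA" -> service certificate.
# All file names, subjects and helper functions are made up for this example.

issue() {  # issue <name> <subject> <issuer|self> [extfile]
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null || return 1
  name=$1 ext=${4:-}
  if [ "$3" = self ]; then set -- -signkey "$name.key"
  else set -- -CA "$3.pem" -CAkey "$3.key" -CAcreateserial; fi
  [ -z "$ext" ] || set -- "$@" -extfile "$ext"
  openssl x509 -req -in "$name.csr" -days 2 "$@" -out "$name.pem" 2>/dev/null
}

build_demo() {  # writes root.pem, idm.pem, svc.pem into the current directory
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.cnf
  issue root "/O=EXAMPLE/CN=External Root CA" self ca.cnf &&
  issue idm "/O=TESTRELM.TEST/CN=Certificate Authority" root ca.cnf &&
  issue svc "/O=TESTRELM.TEST/CN=tester.testrelm.test" idm
}

# One-line base64 DER, the form in which cert-show prints a certificate.
b64_of() { grep -v -- '-----' "$1" | tr -d '\n'; }

# Comma-separated base64 certificates (a "Certificate chain:" value) -> PEM bundle.
chain_to_pem() {
  printf '%s\n' "$1" | tr ',' '\n' | tr -d ' ' | while read -r b64; do
    [ -n "$b64" ] || continue
    echo "-----BEGIN CERTIFICATE-----"
    printf '%s\n' "$b64" | fold -w 64
    echo "-----END CERTIFICATE-----"
  done
}

# Verify as a client that trusts only the external root.
# Optional $2: PEM bundle the server presents alongside its certificate.
verify_as_client() {
  if [ -n "${2:-}" ]; then set -- -untrusted "$2" "$1"; fi
  openssl verify -no-CApath -CAfile root.pem "$@" >/dev/null 2>&1
}

demo() {
  cd "$(mktemp -d)" && build_demo || return 1
  chain_to_pem "$(b64_of svc.pem), $(b64_of idm.pem), $(b64_of root.pem)" > chain.pem
  verify_as_client svc.pem           && echo "leaf only:  trusted" || echo "leaf only:  NOT trusted"
  verify_as_client svc.pem chain.pem && echo "with chain: trusted" || echo "with chain: NOT trusted"
}
demo
```

Certificates passed with -untrusted are used only for path building; trust still comes from root.pem alone, which is the position of a client that trusts the external CA but not the IdM CA.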