Bug 1399190

Summary: [RFE] Certificates issued by externally signed IdM CA should contain full trust chain
Product: Red Hat Enterprise Linux 7 Reporter: Thorsten Scherf <tscherf>
Component: ipa    Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Michal Reznik <mreznik>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.4    CC: dkupka, enewland, gparente, ipa-maint, jcholast, mkosek, pvoborni, rcritten
Target Milestone: rc    Keywords: FutureFeature
Target Release: ---   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: ipa-4.5.0-1.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-01 09:44:33 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1420851    

Description Thorsten Scherf 2016-11-28 14:09:41 UTC
Description of problem:
When you have your IdM PKI CA certificate signed by an external CA, the
IdM CA certificate contains the full certificate chain. To verify the 
full chain, only the Root CA certificate is required.

When you now request a new service certificate from the IdM CA, it only
contains the actual service certificate and not the full chain. The IPA
CA certificate has to be used as a trust anchor to verify the new
service certificate.

People now need to have the Root CA *and* the IPA CA certificate in
their trust store to verify the chain. 

We should either include the full trust chain in certificates issued
by the IPA CA by default or provide a config option for this so that
IPA admins can decide on their own if they want to trust the upstream CA
for all sorts of certificates.

Comment 2 Thorsten Scherf 2016-11-28 15:24:44 UTC
Workaround to roll-out the IPA CA certificate using a GPO (on Windows clients):

https://technet.microsoft.com/de-de/library/cc770315(v=ws.10).aspx

Comment 3 Martin Kosek 2016-11-29 11:38:56 UTC
Currently proposed user story for this enhancement:

As Administrator, I want to get a certificate issued by IdM CA with its full certificate chain, so that my (web) service can present the full chain to its clients and be trusted even if clients are trusting a CA higher in the chain and not IdM CA directly.

This should result in a new option for certificate-request and cert-show commands to return the certificate with its full chain.

Comments/validation welcome.

Comment 4 Thorsten Scherf 2016-11-29 13:37:11 UTC
(In reply to Martin Kosek from comment #3)
> Currently proposed user story for this enhancement:
> 
> As Administrator, I want to get a certificate issued by IdM CA with its
> full certificate chain, so that my (web) service can present the full chain
> to its clients and be trusted even if clients are trusting a CA higher in
> the chain and not IdM CA directly.
> 
[...]
> Comments/validation welcome.

Sounds exactly right.

Comment 5 Petr Vobornik 2016-12-09 17:10:23 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6547

Comment 6 Martin Kosek 2016-12-12 15:59:31 UTC
This looks also related:
https://fedorahosted.org/freeipa/ticket/6178

Comment 15 Michal Reznik 2017-05-24 12:15:12 UTC
Verified on:

ipa-server-4.5.0-13.el7.x86_64
pki-server-10.4.1-4.el7.noarch
selinux-policy-3.13.1-151.el7.noarch

1. Get CSR from ipa installer

[root@master ~]# ipa-server-install -r TESTRELM.TEST -n testrelm.test -p 'XXX' -a 'XXX' --setup-dns --forwarder 192.168.222.1 --external-ca -U
<snip>
  [6/10]: creating a keytab for the machine
  [7/10]: adding the password extension to the directory
  [8/10]: creating anonymous principal
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/8]: configuring certificate server instance
The next step is to get /root/ipa.csr signed by your CA and re-run /usr/sbin/ipa-server-install as:
/usr/sbin/ipa-server-install --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate


2. Sign it with external CA

[root@master ~]# openssl x509 -req -in ipa.csr -CA nssdb/ca1.pem -CAkey nssdb/ca1.key -CAcreateserial -extfile ext.cnf -out ipa.pem
Signature ok
subject=/O=TESTRELM.TEST/CN=Certificate Authority
Getting CA Private Key


3. Complete the installation

[root@master ~]# ipa-server-install --external-cert-file=/root/ipa.pem --external-cert-file=/root/ca1.pem
<snip>
  [5/7]: adding DNSSEC containers
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
Configuring client side components
Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: master.testrelm.test
Realm: TESTRELM.TEST
DNS Domain: testrelm.test
IPA Server: master.testrelm.test
BaseDN: dc=testrelm,dc=test

Skipping synchronizing time with NTP server.
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
trying https://master.testrelm.test/ipa/json
Forwarding 'schema' to json server 'https://master.testrelm.test/ipa/json'
trying https://master.testrelm.test/ipa/session/json
Forwarding 'ping' to json server 'https://master.testrelm.test/ipa/session/json'
Forwarding 'ca_is_enabled' to json server 'https://master.testrelm.test/ipa/session/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://master.testrelm.test/ipa/session/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring testrelm.test as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

==============================================================================
Setup complete

Next steps:
 1. You must make sure these network ports are open:
  TCP Ports:
    * 80, 443: HTTP/HTTPS
    * 389, 636: LDAP/LDAPS
    * 88, 464: kerberos
    * 53: bind
  UDP Ports:
    * 88, 464: kerberos
    * 53: bind
    * 123: ntp

 2. You can now obtain a kerberos ticket using the command: 'kinit admin'
    This ticket will allow you to use the IPA tools (e.g., ipa user-add)
    and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password


4. Check if we have the full CA chain.

[root@master ~]# ipa cert-show --chain
Serial number: 10
  Issuing CA: ipa
  Certificate: <snip>
  Certificate chain: <snip>,
                     <snip>,
                     <snip>
  Subject: CN=master.testrelm.test,O=TESTRELM.TEST
  Subject UPN: krbtgt/TESTRELM.TEST
  Subject Kerberos principal name: krbtgt/TESTRELM.TEST
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Wed May 24 09:52:12 2017 UTC
  Not After: Fri Jun 23 09:46:37 2017 UTC
  Serial number: 10
  Serial number (hex): 0xA
  Revoked: False


5. Check if we have the full CA chain in the new service certificate.

[root@master ~]# openssl genrsa -out tester.key 2048
Generating RSA private key, 2048 bit long modulus
...................................................+++
..........................+++
e is 65537 (0x10001)

[root@master ~]# openssl req -new -sha256 -key tester.key -out tester.csr
<snip>
Common Name (eg, your name or your server's hostname) []:tester.testrelm.test
<snip>

[root@master ~]# ipa host-add tester.testrelm.test --force
---------------------------------
Added host "tester.testrelm.test"
---------------------------------
  Host name: tester.testrelm.test
  Principal name: host/tester.testrelm.test
  Principal alias: host/tester.testrelm.test
  Password: False
  Keytab: False
  Managed by: tester.testrelm.test

[root@master ~]# ipa cert-request --add --principal=HTTP/tester.testrelm.test tester.csr
  Issuing CA: ipa
  Certificate: MIIEGjCCAwKgAwIBAgIBCzANBgkqhkiG9w0BAQsFADA4MRYwFAYDVQQKEw1URVNUUkVMTS5URVNUMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTcwNTI0MTAzNTQyWhcNMTcwNjIzMDk0NjM3WjA3MRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMR0wGwYDVQQDDBR0ZXN0ZXIudGVzdHJlbG0udGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKqIhFF9ny0iczfD8UeZEE8IKxqi1l6l0oLes4WmA/Qofd893dk2kWbdc92t7+W2t9IKSTqXfnqwuoJp8JQN/wyEkYBD+JaLfq8THUs8F36/AqnTsAUDDaVvPdfCe8Kc+Npivr655h7h95lyQ/EbI58gj1u1IV9AYzu9+i1hwvkcSyjbrREqWH7D9UZZKwiVb0vVwkpUirr5LkKUuzQl2oNHTfUrJboggn2yHhBBm9GHHh1VuIVHscWk/W0sKEhK4KzsS7BV789ZUu/IKi8Vv48/LHMZUdHoj+WnSev9nVPEryepXqHvTopQOtVZNHhhYjqBZp8vyDn9+QlSGP5tWpECAwEAAaOCAS4wggEqMB8GA1UdIwQYMBaAFLZDe8rN4B2wROv0Is1lmIouDyurMD8GCCsGAQUFBwEBBDMwMTAvBggrBgEFBQcwAYYjaHR0cDovL2lwYS1jYS50ZXN0cmVsbS50ZXN0L2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB4BgNVHR8EcTBvMG2gNaAzhjFodHRwOi8vaXBhLWNhLnRlc3RyZWxtLnRlc3QvaXBhL2NybC9NYXN0ZXJDUkwuYmluojSkMjAwMQ4wDAYDVQQKDAVpcGFjYTEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB0GA1UdDgQWBBQm5VMR5Rz5nazYJORSiKUehjAyXjANBgkqhkiG9w0BAQsFAAOCAQEARIFqKfwQQnb1+E7aUcG4DhFm0M4q0k4HY+nBa74JLzGxrlISDaXt9ddsHvkt237f+dF3+azQMJ+VL734N/1AMzNbihqegfVDmTOO3SuS1u97TfyNTOL/mD+ZHcmyWoUdI4f2AH7v1eyxV9IWPqFsuKXcqnqPMgM90DPBC27vMyT7lHHwezdChGAUny5/bXSBcNCV0NN+RJpbI7v4UKUuyF/oOw2RTozyCG+1WjPlitnxoPB5piGdcMigRMGaRVui4eSmz2ocO8TaO2QysXjx6QZH7yam+sZ4RA/h4jfRsSReO7qg7JabemYjbCaK6kkdx/AmOM79AcgCUHlV2htzqA==
  Subject: CN=tester.testrelm.test,O=TESTRELM.TEST
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Wed May 24 10:35:42 2017 UTC
  Not After: Fri Jun 23 09:46:37 2017 UTC
  Serial number: 11
  Serial number (hex): 0xB

[root@master ~]# ipa cert-show --all
Serial number: 11
  Issuing CA: ipa
  Certificate: <snip>
  Certificate chain: MIIEGjCCAwKgAwIBAgIBCzANBgkqhkiG9w0BAQsFADA4MRYwFAYDVQQKEw1URVNUUkVMTS5URVNUMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTcwNTI0MTAzNTQyWhcNMTcwNjIzMDk0NjM3WjA3MRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMR0wGwYDVQQDDBR0ZXN0ZXIudGVzdHJlbG0udGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKqIhFF9ny0iczfD8UeZEE8IKxqi1l6l0oLes4WmA/Qofd893dk2kWbdc92t7+W2t9IKSTqXfnqwuoJp8JQN/wyEkYBD+JaLfq8THUs8F36/AqnTsAUDDaVvPdfCe8Kc+Npivr655h7h95lyQ/EbI58gj1u1IV9AYzu9+i1hwvkcSyjbrREqWH7D9UZZKwiVb0vVwkpUirr5LkKUuzQl2oNHTfUrJboggn2yHhBBm9GHHh1VuIVHscWk/W0sKEhK4KzsS7BV789ZUu/IKi8Vv48/LHMZUdHoj+WnSev9nVPEryepXqHvTopQOtVZNHhhYjqBZp8vyDn9+QlSGP5tWpECAwEAAaOCAS4wggEqMB8GA1UdIwQYMBaAFLZDe8rN4B2wROv0Is1lmIouDyurMD8GCCsGAQUFBwEBBDMwMTAvBggrBgEFBQcwAYYjaHR0cDovL2lwYS1jYS50ZXN0cmVsbS50ZXN0L2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB4BgNVHR8EcTBvMG2gNaAzhjFodHRwOi8vaXBhLWNhLnRlc3RyZWxtLnRlc3QvaXBhL2NybC9NYXN0ZXJDUkwuYmluojSkMjAwMQ4wDAYDVQQKDAVpcGFjYTEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB0GA1UdDgQWBBQm5VMR5Rz5nazYJORSiKUehjAyXjANBgkqhkiG9w0BAQsFAAOCAQEARIFqKfwQQnb1+E7aUcG4DhFm0M4q0k4HY+nBa74JLzGxrlISDaXt9ddsHvkt237f+dF3+azQMJ+VL734N/1AMzNbihqegfVDmTOO3SuS1u97TfyNTOL/mD+ZHcmyWoUdI4f2AH7v1eyxV9IWPqFsuKXcqnqPMgM90DPBC27vMyT7lHHwezdChGAUny5/bXSBcNCV0NN+RJpbI7v4UKUuyF/oOw2RTozyCG+1WjPlitnxoPB5piGdcMigRMGaRVui4eSmz2ocO8TaO2QysXjx6QZH7yam+sZ4RA/h4jfRsSReO7qg7JabemYjbCaK6kkdx/AmOM79AcgCUHlV2htzqA==,
                     <snip>,
                     <snip>
  Subject: CN=tester.testrelm.test,O=TESTRELM.TEST
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Wed May 24 10:35:42 2017 UTC
  Not After: Fri Jun 23 09:46:37 2017 UTC
  Fingerprint (SHA1): 2c:4e:cf:fd:03:a0:44:09:e7:3d:f9:31:03:c0:ef:55:c5:e8:93:fd
  Fingerprint (SHA256): 4d:57:1c:2d:ce:cc:cd:a4:aa:5e:da:c6:2e:0b:59:6b:62:f1:31:3b:e3:a3:a1:86:d2:99:ff:f8:d5:0c:d7:8d
  Serial number: 11
  Serial number (hex): 0xB
  Revoked: False
  Owner service: HTTP/tester.testrelm.test
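
The following script is an added example and is not part of the bug report, the QA verification above, or FreeIPA itself. It uses openssl to build a toy three-tier hierarchy mirroring the setup in comment 3 and comment 15 (an external root CA, an IdM-style CA signed by it, and a service certificate issued by that CA), then acts as a client whose trust store holds only the external root: the bare service certificate is rejected (the pre-RFE situation described in the report), while the same certificate accompanied by the IdM CA certificate validates. It also shows how to turn the bare base64 DER blobs that `ipa cert-show --chain` prints into PEM. The subject "External Root CA", the realm-style names and all file paths are assumptions chosen to resemble the report.

```shell
#!/bin/sh
# Added example, not part of the bug report or of FreeIPA: a toy three-tier
# PKI (external root -> IdM-style CA -> service cert) built with openssl to
# show why a service certificate must be delivered with its chain when the
# relying client trusts only the external root. Names and paths are assumed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
ROOT_PEM="$WORK/root.pem"

# Extension profiles as files: x509 -extfile works on old and new openssl alike.
cat > "$WORK/ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
cat > "$WORK/leaf.ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:tester.testrelm.test
EOF

# Generate a key and CSR; $1 = basename, $2 = subject DN.
mk_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# 1. External root CA (assumed; plays the role of nssdb/ca1.pem in the report).
mk_csr root "/O=EXAMPLE/CN=External Root CA"
openssl x509 -req -sha256 -days 30 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
  -extfile "$WORK/ca.ext" -out "$ROOT_PEM" 2>/dev/null

# 2. IdM CA signed by the external root, as in step 2 of the verification above.
mk_csr ipa "/O=TESTRELM.TEST/CN=Certificate Authority"
openssl x509 -req -sha256 -days 30 -in "$WORK/ipa.csr" -CA "$ROOT_PEM" \
  -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.ext" \
  -out "$WORK/ipa.pem" 2>/dev/null

# 3. Service certificate issued by the IdM CA.
mk_csr leaf "/O=TESTRELM.TEST/CN=tester.testrelm.test"
openssl x509 -req -sha256 -days 30 -in "$WORK/leaf.csr" -CA "$WORK/ipa.pem" \
  -CAkey "$WORK/ipa.key" -CAcreateserial -extfile "$WORK/leaf.ext" \
  -out "$WORK/leaf.pem" 2>/dev/null

# Validate $1 (service cert PEM) as a client whose trust store holds ONLY the
# external root; $2, if given, is the extra chain material the server presents.
# Prints "trusted" or "untrusted".
verify_as_root_only_client() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$ROOT_PEM" -untrusted "$2" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$ROOT_PEM" "$1" >/dev/null 2>&1
  fi && echo trusted || echo untrusted
}

# `ipa cert-show --chain` prints each certificate as one bare base64 DER blob.
# Wrap such a blob into PEM so web servers and openssl can consume it.
b64der_to_pem() {
  printf '%s' "$1" | openssl base64 -d -A | openssl x509 -inform DER -outform PEM
}

# Simulate the CLI output for the IdM CA certificate and round-trip it to PEM.
IPA_B64="$(openssl x509 -in "$WORK/ipa.pem" -outform DER | openssl base64 -A)"
b64der_to_pem "$IPA_B64" > "$WORK/ipa-from-cli.pem"

echo "service cert alone (pre-RFE behaviour): $(verify_as_root_only_client "$WORK/leaf.pem")"
echo "service cert + IdM CA from --chain:     $(verify_as_root_only_client "$WORK/leaf.pem" "$WORK/ipa-from-cli.pem")"
```

The first check reports `untrusted` because the client cannot build a path from the service certificate to its root without the IdM CA certificate; the second reports `trusted` once the server supplies it as untrusted chain material, which is exactly what a web service can now do with the output of `cert-request`/`cert-show --chain`. The `-untrusted` distinction matters: the IdM CA certificate is presented by the server and only needs to chain to the root, it does not have to be in the client's trust store.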

Comment 16 Martin Kosek 2017-05-26 09:40:39 UTC
Please note that Red Hat officially released public RHEL-7.4 Beta this week, as announced here:
https://www.redhat.com/en/about/blog/red-hat-enterprise-linux-74-beta-now-available

The new RHEL-7.4 release includes a lot of new IdM functionality, including this RFE. Highlights can be found in RHEL-7.4 Release Notes, especially in the Authentication & Interoperability chapter:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html/7.4_Release_Notes/new_features_authentication_and_interoperability.html

The IdM Engineering team would like to encourage everyone interested in this new functionality (and especially customers or community members requesting it) to try the Beta and provide us with your feedback!

Comment 17 errata-xmlrpc 2017-08-01 09:44:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304