Bug 1506526

Summary: Use X509v3 Basic Constraints "CA:TRUE" instead of "CA:FALSE" IPA CA CSR [rhel-7.4.z]
Product: Red Hat Enterprise Linux 7
Reporter: Oneata Mircea Teodor <toneata>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA
QA Contact: ipa-qe <ipa-qe>
Severity: urgent
Docs Contact:
Priority: urgent
Version: 7.3
CC: amitkuma, dkupka, eric.burgueno, fbarreto, gparente, ipa-maint, ksiddiqu, mkosek, mrhodes, msauton, myusuf, nalin, pvoborni, pvomacka, rcritten, rvdwees, sigbjorn, tscherf
Target Milestone: rc
Keywords: ZStream
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: ipa-4.5.0-22.el7_4
Doc Type: If docs needed, set a value
Doc Text:
Cause: ipa-cacert-manage renew --external-ca generates a CSR that does not contain the Basic Constraint CA:TRUE.
Consequence: the signing CA needs to add the constraint to the CA certificate it issues; otherwise the resulting CA certificate will be invalid.
Fix: the Basic Constraint CA:TRUE is added to CSRs generated for the CA.
Result: the resulting CSR has appropriate constraints for a CA certificate.
Story Points: ---
Clone Of: 1427798
Environment:
Last Closed: 2017-11-30 16:01:44 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1427798
Bug Blocks:

Description Oneata Mircea Teodor 2017-10-26 09:35:58 UTC
This bug has been copied from bug #1427798 and has been proposed to be backported to 7.4 z-stream (EUS).

Comment 2 Petr Vobornik 2017-10-27 15:40:52 UTC
4.5 backport: https://github.com/freeipa/freeipa/pull/1217

Comment 4 Mohammad Rizwan 2017-11-02 09:14:19 UTC
version:
ipa-server-4.5.0-22.el7_4.x86_64

steps:

1. Install master with self-signed CA

2. Generate a CSR to be signed by external CA
       - ipa-cacert-manage renew --external-ca

3. Check for CA value in CSR generated in 2
       - openssl req -in /var/lib/ipa/ca.csr -noout -text|grep CA

4. Sign the CSR generated in 2 by external CA

5. Renew the CA with external CA cert and signed cert
       - ipa-cacert-manage renew --external-cert-file=/tmp/external.crt --external-cert-file=/tmp/ca_signing.crt

6. Check for CA value in signed cert and external cert

       - openssl x509 -in /tmp/external.crt -noout -text|grep CA
       - openssl x509 -in /tmp/ca_signing.crt -noout -text|grep CA

Expected result:
CA value should be TRUE

Actual result:

Master:

[root@master ~]# openssl req -in /var/lib/ipa/ca.csr -noout -text|grep CA
                CA:TRUE

[root@master ~]# openssl x509 -in /tmp/external.crt -noout -text|grep CA
        Issuer: O=EXTERNAL, CN=External CA
        Subject: O=EXTERNAL, CN=External CA
                87:1A:E8:60:0E:D6:0E:AF:E0:6A:A3:9B:BC:C5:16:2B:04:BF:72:CA
                CA:TRUE

[root@master ~]# openssl x509 -in /tmp/ca_signing.crt -noout -text|grep CA
        Issuer: O=EXTERNAL, CN=External CA
                5E:2D:24:D0:B9:DB:8A:18:D7:F0:D2:01:CA:74:E3:07:94:7F:5C:61
                keyid:87:1A:E8:60:0E:D6:0E:AF:E0:6A:A3:9B:BC:C5:16:2B:04:BF:72:CA
                CA:TRUE
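The check from the steps above, as an added example that is not part of the bug report or of FreeIPA: it builds a throw-away CSR with Basic Constraints CA:TRUE (the fixed shape) and one without the extension (the shape the bug describes), then reads the flag back the same way the verifier did with openssl. The subject, file names and the csr_ca_flag helper are constructed for this example; it assumes OpenSSL 1.1.1 or later for "req -addext".

```shell
#!/bin/sh
# Added example, not FreeIPA code: compare a CA CSR that carries
# Basic Constraints CA:TRUE with one that omits the extension.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Throw-away EC key (chosen for speed; the IPA CA itself uses RSA).
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$WORK/ca.key" 2>/dev/null

# Print the cA flag found in a CSR's Basic Constraints extension:
# TRUE, FALSE, or NONE when the CSR has no such extension at all.
csr_ca_flag() {
    text="$(openssl req -in "$1" -noout -text)"
    case "$text" in
        *"CA:TRUE"*)  echo TRUE ;;
        *"CA:FALSE"*) echo FALSE ;;
        *)            echo NONE ;;
    esac
}

# CSR shaped like the fixed ipa-cacert-manage output: CA:TRUE, marked critical.
# Subject is a constructed placeholder, not a real IPA CA subject.
openssl req -new -key "$WORK/ca.key" -subj "/O=EXAMPLE/CN=Example IPA CA" \
    -addext "basicConstraints=critical,CA:TRUE" -out "$WORK/fixed.csr" 2>/dev/null

# CSR without Basic Constraints: the external CA would have to add CA:TRUE
# itself, or the certificate it issues is unusable as a CA certificate.
openssl req -new -key "$WORK/ca.key" -subj "/O=EXAMPLE/CN=Example IPA CA" \
    -out "$WORK/before.csr" 2>/dev/null

FIXED_FLAG="$(csr_ca_flag "$WORK/fixed.csr")"
BEFORE_FLAG="$(csr_ca_flag "$WORK/before.csr")"
echo "fixed CSR:  CA:$FIXED_FLAG"
echo "before CSR: CA:$BEFORE_FLAG"
```

The same csr_ca_flag logic applied to the signed certificate (with `openssl x509` instead of `openssl req`) is the check from step 6: a CA certificate that prints NONE or FALSE here will not be accepted as an issuer.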

Comment 5 Mohammad Rizwan 2017-11-02 09:20:08 UTC
Marking as verified as per comment #4

Comment 9 errata-xmlrpc 2017-11-30 16:01:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:3319