Bug 514027

Summary: self-signed CA does not work with Firefox 3.5
Product: [Retired] freeIPA
Reporter: Rob Crittenden <rcritten>
Component: ipa-server
Assignee: Rob Crittenden <rcritten>
Status: CLOSED UPSTREAM
QA Contact: Chandrasekar Kannan <ckannan>
Severity: medium
Priority: low
Version: 1.2
CC: benl, dpal, jgalipea
Hardware: All   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2012-03-28 09:33:37 UTC
Bug Blocks: 431020    
Attachments:
Add the CA constraint to the self-signed CA we generate (flags: none)

Description Rob Crittenden 2009-07-27 17:25:25 UTC
Description of problem:

When trying to use Firefox 3.5 and importing the IPA CA, the following error is thrown:

This is not a certificate authority certificate, so it can't be imported into the certificate authority list.

Comment 1 Rob Crittenden 2009-07-27 17:26:46 UTC
certutil needs the -2 option as well and it needs the following answers:

Is this a CA certificate [y/N]?
y
Enter the path length constraint, enter to skip [<0 for unlimited path]: > 
Is this a critical extension [y/N]?
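
Added example, not part of the bug report or of the IPA code: the import error in the description and the `-2` prompts in Comment 1 both concern the X.509 basicConstraints extension, and this Python check walks a DER certificate and reports whether cA=TRUE is asserted. The helper names and the two skeleton certificates are constructed for illustration; the skeletons are unsigned, and marking the extension critical in them is an assumption.

```python
# Added example: does a DER certificate assert basicConstraints cA=TRUE?
BASIC_CONSTRAINTS = bytes([0x55, 0x1D, 0x13])   # OID 2.5.29.19

def tlv(buf, pos=0):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low bits count length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split a constructed element's contents into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def is_ca(cert_der):
    """True only if basicConstraints is present and its cA flag is TRUE."""
    tbs = children(tlv(cert_der)[1])[0][1]          # tbsCertificate contents
    for tag, val in children(tbs):
        if tag != 0xA3:                             # [3] EXPLICIT extensions
            continue
        for _, ext in children(children(val)[0][1]):
            fields = children(ext)                  # OID, [critical], value
            if fields[0][1] == BASIC_CONSTRAINTS:
                parts = children(tlv(fields[-1][1])[1])
                return bool(parts) and parts[0] == (0x01, b"\xff")
    return False                                    # absent: cA defaults FALSE

def der(tag, *parts):
    """Encode one DER element with a short-form length (sample data only)."""
    body = b"".join(parts)
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def sample_cert(ca):
    """Constructed skeleton in X.509 field order; unsigned, not a real cert."""
    key_usage = der(0x30, der(0x06, b"\x55\x1d\x0f"),
                    der(0x04, der(0x03, b"\x01\x06")))
    exts = [key_usage]
    if ca:  # cA=TRUE, no path length; critical flag set as an assumption
        exts.append(der(0x30, der(0x06, BASIC_CONSTRAINTS), der(0x01, b"\xff"),
                        der(0x04, der(0x30, der(0x01, b"\xff")))))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"),
              der(0xA3, der(0x30, *exts)))
    return der(0x30, tbs, der(0x30), der(0x03, b"\x00"))
```

To run it against a real CA file, convert the PEM to DER first and pass the bytes to `is_ca`.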

Comment 2 Rob Crittenden 2009-08-17 14:03:21 UTC
Created attachment 357653
Add the CA constraint to the self-signed CA we generate

Comment 3 Rob Crittenden 2009-08-24 21:20:30 UTC
I'm working on a tool that can be run to replace an existing IPA CA. I've run into a couple of snags that need to be worked around before the tool is complete.

Deployment could also be problematic. All browser clients will need to trust the new CA and new server certs issued on the initial IPA server and all replicas. The exact steps for this are still being worked out.

Comment 4 Rob Crittenden 2009-08-27 20:51:02 UTC
master: 38ae093c7bc1f90c4fe5edf4540efba57e86d8a3
ipa-1-2: 5bdeaf74fc6fcfe402322d21046176d5a8d66be3

Still working on the replacement tool. Rich Megginson had a great idea: just re-issue the CA cert using the same keypair. The CA cert still needs to go out everywhere, but certs don't need to be re-issued for all services.

Comment 5 Fedora Update System 2009-09-10 21:20:09 UTC
ipa-1.2.2-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/ipa-1.2.2-1.fc10

Comment 6 Fedora Update System 2009-09-10 21:20:32 UTC
ipa-1.2.2-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/ipa-1.2.2-1.fc11

Comment 7 Fedora Update System 2009-09-19 00:06:05 UTC
ipa-1.2.2-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2009-09-19 00:10:45 UTC
ipa-1.2.2-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.