Bug 802912
| Summary: | Error submitting certificate signing request | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Rob Crittenden <rcritten> |
| Component: | ipa | Assignee: | Rob Crittenden <rcritten> |
| Status: | CLOSED ERRATA | QA Contact: | IDM QE LIST <seceng-idm-qe-list> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.3 | CC: | jgalipea, ksiddiqu, mkosek, turchi |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | ipa-2.2.0-6.el6 | Doc Type: | Bug Fix |
| Doc Text: |
Cause: IPA certificate did not read a custom user certificate subject base when validating a new certificate issuer.
Consequence: When IPA server is installed with a custom subject base and does not use default subject base, issuing new certificates in IPA Certificate Authority may return "invalid issuer" errors.
Fix: Custom user certificate subject base is always read before the certificate issuer is being validated.
Result: IPA server with a custom subject base no longer raise "invalid issuer" errors when certificates are being issued.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-06-20 13:21:10 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Rob Crittenden
2012-03-13 18:27:05 UTC
Please add steps to reproduce this issue. Thanks Install IPA using --subject= something other than O=$REALM and issue a certificate using ipa cert-request. fixed upstream master: 6d5555eb54cdbe19d4f2f05a340b9ea7ccf2369f ipa-2-2: 5babb3637358c034db6a26c8d64e1edde640fc80 To test install using the --subject option (e.g. O=Test) and confirm that issued certificates use this subject base and certificates can be issued using ipa cert-request. Verified IPA Sever version: ================== [root@ipa63server tmp]# rpm -q ipa-server ipa-server-2.2.0-7.el6.x86_64 [root@ipa63server tmp]# (1)Installation is successful with --subject="O=Test" [root@ipa63server ipa-cert]# ipa-server-install --hostname=`hostname` -r TESTRELM.COM -n testrelm.com --subject="O=Test" -p Secret123 -P Secret123 -a Secret123 -U (2)Certificates issued are having subject based as "Test" [root@ipa63server ipa-cert]# ipa cert-show 1|grep Test Subject: CN=Certificate Authority,O=Test Issuer: CN=Certificate Authority,O=Test [root@ipa63server ipa-cert]# (3)Also "ipa cert-request" issues certificate with same subject base "O=Test" . [root@ipa63server tmp]# ipa cert-request test.req --add --principal=service/ipa63server.testrelm.com --request-type=pkcs10 Certificate: MIIDlzCCAn+gAwIBAgIBDDANBgkqhkiG9w0BAQsFADAvMQ0wCwYDVQQKEwRUZXN0MR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTIwNDAzMTEwMjE3WhcNMTQwNDA0MTEwMjE3WjAyMQ0wCwYDVQQKEwRUZXN0MSEwHwYDVQQDExhpcGE2M3NlcnZlci50ZXN0cmVsbS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQChdyYt8cIOsU6dBYfBnVk5+h7QB83OfhgLpvtEDOH7kn7GZVUcp1k3Y2UcR2+oYNrzC51XxwthakC5bFZs8mKiBba60lHC41nYv8yZDkkM1ZBEPY+fADHgZeRcEwTZ3hgoZUJVbRPpjdIzQmBh0IVVi3eSF822emMXVuNpGs3JPbAMuybjB2cuEDC789daPZp//zNcV6VbV05TVzWzVZqaVfhY9DyIAsaP4uXgYWqApNzw3js/aXf7A6+a2aiQ+H7S8aLO3DcVoD6bVAsJHIxZmG/ScBbOcwALql3+Jjj4L/VHgarPOR/JjLqFfgKVaczqVgOo+wC37gjMxKt53tftAgMBAAGjgbowgbcwHwYDVR0jBBgwFoAUU6+MY+ERx1sYN0OZhpxnVeLK0pswRgYIKwYBBQUHAQEEOjA4MDYGCCsGAQUFBzABhipodHRwOi8vaXBhNjNzZXJ2ZXIudGVzdHJlbG0uY29tOjgwL2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUlNV+WCUey9Pm9zJzcmfI8IC9GZYwDQYJKoZIhvcNAQELBQADggEBAJ5b8W2z82jTBVtSwzPNdvcBA3/GonKaJ11y2Mhu6yh2rt1MefNj3vjxp1cuxl5+RnQ1ssdDVCuy7zCPHhzwcOHmKgxvECBg6PnNrO4ZXL1KhxYaJ8WNxlOF63tw3V/d4gEsC6hctqQ4ZHG0gWqTFB9QFYhJuMgEJgw1Jari8Jg/EXR5BwjpH0u0pQp/os5ijD4gO8G07QJ1xSZpg4ZyThFqOtvC/oiq604xNfRBb3I3N+9gitzkDD1uYso6MM/w7uJtG+9oPHgC7TKhI216bECWBSijmXj8XjRJeLztloxZWMFWw2ohMWYYzwQAG3SU9q8f2nb/jCtTpzz2LdtLeiA= Subject: CN=ipa63server.testrelm.com,O=Test Issuer: CN=Certificate Authority,O=Test Not Before: Tue Apr 03 11:02:17 2012 UTC Not After: Fri Apr 04 11:02:17 2014 UTC Fingerprint (MD5): e7:2b:02:d3:8d:21:6d:a0:d8:55:3d:90:08:8d:58:19 Fingerprint (SHA1): dd:67:1f:be:2b:aa:d6:b2:13:13:cf:73:36:ae:8d:1b:9f:55:62:e3 Serial number: 12 Serial number (hex): 0xC [root@ipa63server tmp]#
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
New Contents:
Cause: IPA certificate did not read a custom user certificate subject base when validating a new certificate issuer.
Consequence: When IPA server is installed with a custom subject base and does not use default subject base, issuing new certificates in IPA Certificate Authority may return "invalid issuer" errors.
Fix: Custom user certificate subject base is always read before the certificate issuer is being validated.
Result: IPA server with a custom subject base no longer raise "invalid issuer" errors when certificates are being issued.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0819.html |