Bug 828866

| Field | Value |
|---|---|
| Summary | [RFE] enhance --subject option for ipa-server-install |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Dmitri Pal <dpal> |
| Component | ipa |
| Assignee | IPA Maintainers <ipa-maint> |
| Status | CLOSED ERRATA |
| QA Contact | Abhijeet Kasurde <akasurde> |
| Severity | unspecified |
| Priority | unspecified |
| Version | 7.0 |
| CC | atolani, cobrown, ftweedal, gparente, jcholast, jgalipea, kludhwan, ldelouw, mkosek, nsoman, pvoborni, shetze, smeyer, tscherf |
| Target Milestone | rc |
| Keywords | FutureFeature |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | ipa-4.5.0-1.el7 |
| Doc Type | Enhancement |
| Story Points | --- |
| Last Closed | 2017-08-01 09:37:23 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Blocks | 1396494, 1399979 |
Description (Dmitri Pal, 2012-06-05 13:42:17 UTC)
*** Bug 1283602 has been marked as a duplicate of this bug. ***

Created attachment 1176656 [details]
Proposed patch (PoC) to add --subject_cn and --subject_mail options to ipa-server-install

This patch replaces all hardcoded "Certificate Authority" settings for the CA Cert subject with an optional subject_cn and even an additional subject_mail as RDN.
The patch also extends the ipaGuiConfig OC with the ipaCertificateSubjectRdn attribute to keep track of this new setting.
This patch is certainly not perfect and has only been tested in a limited number of use cases. However, it should be a viable starting point for productizing this new feature.

A clarification regarding requirements and use case:

3. What is the nature and description of the request?
Currently, the subject for an IPA-generated CA cert is built of two components, a subject base DN (subject_base) and a static common name: 'CN=Certificate Authority'. While the subject_base is customizable via a command line option to ipa-server-install, the common name is hard-coded into the installer. It is required to have the common name component of the subject DN customizable. In addition, it is required to allow an additional and optional emailAddress component prepended to the subject DN as the most significant component.

4. Why does the customer need this? (List the business requirements here)
The customer needs to integrate IPA into an existing chain of trust. The IPA-generated CA certificate needs to be signed by a superordinate PKI. To allow the IPA CA cert to be signed by the superordinate PKI, it needs to meet certain criteria, including a particular customer-specific common name and an additional emailAddress to clearly identify the subordinate CA. The current hard-coded common name does not meet the requirements and therefore makes the integration of IPA into the existing PKI impossible. This in turn leaves the Linux/Unix IT operations dependent on the superordinate PKI even in cases where creation of service certs could perfectly be delegated to this Linux/Unix IT Ops in accordance with existing compliance rules and operational processes.

5. How would the customer like to achieve this? (List the functional requirements here)
The customer would like to get options to customize the common name and add an email address to the CA cert subject upon creation with ipa-server-install --external-ca.

6. For each functional requirement listed in question 5, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.
The new feature (option) must result in a CA cert CSR with a subject line like:

    /usr/lib64/nss/unsupported-tools/pp -t cr -a -i /root/ipa.csr|grep Subject:
    Subject: E=caadmin,CN=Custom CA Name,OU=Example IT,O=Example Corp,L=City,ST=State,C=US

    openssl req -text -noout -in /root/ipa.csr |grep Subject:
    Subject: C=US,ST=State,L=City,O=Example Corp,OU=Example IT,CN=Custom CA Name/emailAddress=caadmin

This IPA CA CSR must be signable by an Active Directory PKI, and that signed certificate must be usable to proceed with the IPA server installation. In particular, IPA must be able to provide and accept the canonical order of subject attributes with emailAddress as the most significant attribute, as shown in the example above.

Upstream ticket: https://fedorahosted.org/freeipa/ticket/6455

Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/324183cd63aeadbaa9678d610ba59e1295a606fe
https://fedorahosted.org/freeipa/changeset/db6674096c598918ea6b12ca33a96cf5e617a434
https://fedorahosted.org/freeipa/changeset/c6db493b06320455a2366945911939a605df2a73
https://fedorahosted.org/freeipa/changeset/6f3eb85c302f54bec561337e6627c89144b589ff
https://fedorahosted.org/freeipa/changeset/46bf0e89ae054b34adc66d08f205a5155e6f3fd6
https://fedorahosted.org/freeipa/changeset/f54df62abae4a15064bf297634558eb9be83ce33
https://fedorahosted.org/freeipa/changeset/09a65df6842411d42966111e50924df3de0b7031
https://fedorahosted.org/freeipa/changeset/3d01ec14c6e36fa962d0c54b2e08df0ecd401bd6
https://fedorahosted.org/freeipa/changeset/3f5660973251fe4b178e6486b6b86fbdd162d4d6
https://fedorahosted.org/freeipa/changeset/0c95a00147b1dd508736dacc847873ddddafb504

Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/87400cdec1054971f50f90a0c63f18ab045f3833

Verified using IPA version :: ipa-server-4.5.0-13.el7.x86_64
Marking BZ as verified. See attachment for console.log.

Created attachment 1281012 [details]
console.log

Please note that Red Hat officially released the public RHEL-7.4 Beta this week, as announced here: https://www.redhat.com/en/about/blog/red-hat-enterprise-linux-74-beta-now-available
The new RHEL-7.4 release includes a lot of new IdM functionality, including this RFE. Highlights can be found in the RHEL-7.4 Release Notes, especially in the Authentication & Interoperability chapter: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html/7.4_Release_Notes/new_features_authentication_and_interoperability.html
The IdM Engineering team would like to encourage everyone interested in this new functionality (and especially customers or community members requesting it) to try the Beta and provide us with your feedback!

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2017:2304
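The acceptance test in item 6 above hinges on RDN order: NSS `pp` prints the subject leaf-most first while OpenSSL prints DER order, so the same CSR shows emailAddress at opposite ends. The following added example (not code from this bug report or from FreeIPA) builds the requested subject from a subject_base, subject_cn and subject_mail, DER-encodes it as an X.509 Name, renders both display orders, and offers a check an operator can run against the `pp` output before handing ipa.csr to the external CA. The OID table and the sample DN values are constructed here; only simple DN strings without escaped commas are handled.

```python
# Attribute type -> (DER-encoded OID, DER string tag). Constructed table;
# the OIDs are the standard X.520 / PKCS#9 values.
OIDS = {
    "C":  (b"\x55\x04\x06", 0x13),  # countryName, PrintableString
    "ST": (b"\x55\x04\x08", 0x0c),  # stateOrProvinceName, UTF8String
    "L":  (b"\x55\x04\x07", 0x0c),  # localityName
    "O":  (b"\x55\x04\x0a", 0x0c),  # organizationName
    "OU": (b"\x55\x04\x0b", 0x0c),  # organizationalUnitName
    "CN": (b"\x55\x04\x03", 0x0c),  # commonName
    "E":  (b"\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01", 0x16),  # emailAddress, IA5String
}

def der(tag, body):
    """Minimal DER TLV encoder (long-form length when needed)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def parse_rfc4514(dn):
    """Split 'E=caadmin,CN=...,C=US' (leaf-most first, as NSS pp prints it)."""
    return [tuple(p.strip().split("=", 1)) for p in dn.split(",")]

def build_ca_subject(subject_base, subject_cn, subject_mail=None):
    """Subject in DER order (C first); CN and then E become the leaf-most RDNs,
    which is what 'prepended as most significant component' means in pp output."""
    rdns = list(reversed(parse_rfc4514(subject_base)))
    rdns.append(("CN", subject_cn))
    if subject_mail:
        rdns.append(("E", subject_mail))
    return rdns

def encode_name(rdns):
    """X.509 Name: SEQUENCE of single-valued RDN SETs, in DER order."""
    out = b""
    for attr, value in rdns:
        oid, strtag = OIDS[attr]
        atv = der(0x30, der(0x06, oid) + der(strtag, value.encode()))
        out += der(0x31, atv)
    return der(0x30, out)

def nss_order(rdns):      # leaf-most first, the form 'pp -t cr' prints
    return ",".join(f"{a}={v}" for a, v in reversed(rdns))

def openssl_order(rdns):  # DER order with emailAddress spelled out (openssl req -text style)
    return ", ".join(f"{'emailAddress' if a == 'E' else a}={v}" for a, v in rdns)

def check_csr_subject(printed_nss_subject, subject_base, subject_cn, subject_mail):
    """Operator check: does the CSR subject (as printed by pp) match exactly the
    requested base, CN and mail, with E leaf-most? Catches a silently ignored option."""
    expected = build_ca_subject(subject_base, subject_cn, subject_mail)
    return parse_rfc4514(printed_nss_subject) == list(reversed(expected))
```

Feed `check_csr_subject` the `Subject:` line from `pp -t cr -a -i /root/ipa.csr` together with the options passed to ipa-server-install; a False result means the CSR does not carry the subject the superordinate PKI will expect.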