Bug 1112605 - [RFE] Add support for SubjectAltNames (SAN) to IPA service certificates
Summary: [RFE] Add support for SubjectAltNames (SAN) to IPA service certificates
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: Unspecified
OS: Unspecified
medium
unspecified
Target Milestone: rc
: ---
Assignee: Martin Kosek
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2014-06-24 10:15 UTC by Martin Kosek
Modified: 2018-12-09 18:02 UTC (History)

Fixed In Version: ipa-4.0.3-1.el7
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-05 10:12:41 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0442 0 normal SHIPPED_LIVE Moderate: ipa security, bug fix, and enhancement update 2015-03-05 14:50:39 UTC

Description Martin Kosek 2014-06-24 10:15:56 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3977

This may be partially related to bug #3196

It should be possible to ask dogtag to sign a certificate request which includes a subject alternative name.

Currently, the only profile available is caIPAserviceCert, which ignores requests with subject alt names. 

The effect of this is that it's not possible to use a command such as the below to generate the needed certificate:

[root@ipa-server ~]# ipa-getcert request -k /root/test.key -f /root/test.crt -N "cn=ipa-server.test.com" -D "cn=auth.test.com" -D "blah.test.com" -D "blah" -D "auth" -K ldap/ipa-server.test.com

i.e: generate a new service certificate for a service which includes a subject alternative name. This prevents load balanced IPA operation for SSL traffic.

Although DNS SRV records can be used for some applications (such as sssd) - many applications don't work with SRV records, and/or only allow one ldap service be specified. 

Using load balancing for this, you'll need a subject alternative name in the ldap service certificates, but (as stated above) the signing request gets ignored by dogtag as IPA is unable to use a profile which can accommodate this.

Comment 3 Martin Kosek 2014-09-16 14:44:44 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4540

Comment 8 Scott Poore 2015-01-26 17:55:57 UTC
Verified.

Version ::

ipa-server-4.1.0-16.el7.x86_64

Results ::

Test as admin:

[root@rhel7-1 ~]# ipa host-add test101.example.com --ip-address=192.168.122.101
--------------------------------
Added host "test101.example.com"
--------------------------------
  Host name: test101.example.com
  Principal name: host/test101.example.com
  Password: False
  Keytab: False
  Managed by: test101.example.com

[root@rhel7-1 ~]# ipa service-add HTTP/test101.example.com
----------------------------------------------------
Added service "HTTP/test101.example.com"
----------------------------------------------------
  Principal: HTTP/test101.example.com
  Managed by: test101.example.com

[root@rhel7-1 ~]# ipa dnsrecord-add example.com test1 --a-rec=192.168.122.101
  Record name: test1
  A record: 192.168.122.101

[root@rhel7-1 ~]# ipa host-add test1.example.com --force
------------------------------
Added host "test1.example.com"
------------------------------
  Host name: test1.example.com
  Principal name: host/test1.example.com
  Password: False
  Keytab: False
  Managed by: test1.example.com

[root@rhel7-1 ~]# ipa service-add-host --hosts=$(hostname) HTTP/test101.example.com
  Principal: HTTP/test101.example.com
  Managed by: test101.example.com, rhel7-1.example.com
-------------------------
Number of members added 1
-------------------------

[root@rhel7-1 ~]# ipa service-add HTTP/test1.example.com
--------------------------------------------------
Added service "HTTP/test1.example.com"
--------------------------------------------------
  Principal: HTTP/test1.example.com
  Managed by: test1.example.com

[root@rhel7-1 ~]# ipa service-add-host --hosts=$(hostname) HTTP/test1.example.com
  Principal: HTTP/test1.example.com
  Managed by: test1.example.com, rhel7-1.example.com
-------------------------
Number of members added 1
-------------------------

[root@rhel7-1 ~]# mkdir -p /tmp/mycerts

[root@rhel7-1 ~]# semanage fcontext -a -t cert_t "/tmp/mycerts(/.*)?"

[root@rhel7-1 ~]# restorecon -FvvR /tmp/mycerts/
restorecon reset /tmp/mycerts context unconfined_u:object_r:user_tmp_t:s0->system_u:object_r:cert_t:s0

[root@rhel7-1 ~]# touch /tmp/mycerts/test101.crt

[root@rhel7-1 ~]# openssl genpkey -algorithm RSA -out /tmp/mycerts/test101.key
...........++++++
.........++++++

[root@rhel7-1 ~]# ipa-getcert request \
>     -k /tmp/mycerts/test101.key \
>     -f /tmp/mycerts/test101.crt \
>     -N "cn=test101.example.com" \
>     -D "test101.example.com" \
>     -D "test1.example.com" \
>     -K HTTP/test101.example.com
New signing request "20150126173620" added.


[root@rhel7-1 ~]# openssl x509 -in /tmp/mycerts/test101.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 11 (0xb)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=EXAMPLE.COM, CN=Certificate Authority
        Validity
            Not Before: Jan 26 17:36:21 2015 GMT
            Not After : Jan 26 17:36:21 2017 GMT
        Subject: O=EXAMPLE.COM, CN=test101.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
...trunc...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:7A:A3:45:B8:67:72:97:28:9D:54:87:6A:07:F2:E6:56:EB:68:D0:0C

            Authority Information Access: 
                OCSP - URI:http://ipa-ca.example.com/ca/ocsp

            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://ipa-ca.example.com/ipa/crl/MasterCRL.bin
                CRL Issuer:
                  DirName: O = ipaca, CN = Certificate Authority

            X509v3 Subject Key Identifier: 
                5F:68:93:2D:A1:FF:4F:DC:A7:A9:F3:C6:BD:30:F3:C1:AE:06:84:75
            X509v3 Subject Alternative Name: 
                DNS:test101.example.com, DNS:test1.example.com, othername:<unsupported>, othername:<unsupported>
 ....trunc....


### So I can see the SANs above.

Now to test with a non-admin user:

[root@rhel7-1 ~]# ipa host-add test102.example.com --ip-address=192.168.122.102
--------------------------------
Added host "test102.example.com"
--------------------------------
  Host name: test102.example.com
  Principal name: host/test102.example.com
  Password: False
  Keytab: False
  Managed by: test102.example.com
[root@rhel7-1 ~]# ipa dnsrecord-add example.com test2 --a-rec=192.168.122.102
  Record name: test2
  A record: 192.168.122.102
[root@rhel7-1 ~]# ipa host-add test2.example.com
------------------------------
Added host "test2.example.com"
------------------------------
  Host name: test2.example.com
  Principal name: host/test2.example.com
  Password: False
  Keytab: False
  Managed by: test2.example.com
[root@rhel7-1 ~]# ipa service-add HTTP/test2.example.com
--------------------------------------------------
Added service "HTTP/test2.example.com"
--------------------------------------------------
  Principal: HTTP/test2.example.com
  Managed by: test2.example.com
[root@rhel7-1 ~]# ipa service-add-host --hosts=$(hostname) HTTP/test2.example.com
  Principal: HTTP/test2.example.com
  Managed by: test2.example.com, rhel7-1.example.com
-------------------------
Number of members added 1
-------------------------
[root@rhel7-1 ~]# ipa service-add HTTP/test102.example.com
----------------------------------------------------
Added service "HTTP/test102.example.com"
----------------------------------------------------
  Principal: HTTP/test102.example.com
  Managed by: test102.example.com
[root@rhel7-1 ~]# ipa service-add-host --hosts=$(hostname) HTTP/test102.example.com
  Principal: HTTP/test102.example.com
  Managed by: test102.example.com, rhel7-1.example.com
-------------------------
Number of members added 1
-------------------------
[root@rhel7-1 ~]# echo redhat|ipa user-add user102 --first=f --last=l --password
--------------------
Added user "user102"
--------------------
  User login: user102
  First name: f
  Last name: l
  Full name: f l
  Display name: f l
  Initials: fl
  Home directory: /home/user102
  GECOS: f l
  Login shell: /bin/sh
  Kerberos principal: user102
  Email address: user102
  UID: 647600001
  GID: 647600001
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
[root@rhel7-1 ~]# echo -e "redhat\nSecret123\nSecret123\n"| kinit user102
Password for user102: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 
[root@rhel7-1 ~]# kdestroy -A
[root@rhel7-1 ~]# echo Secret123|kinit admin
Password for admin: 
[root@rhel7-1 ~]# ipa role-add --desc="Cert Admins" crtadmin
---------------------
Added role "crtadmin"
---------------------
  Role name: crtadmin
  Description: Cert Admins
[root@rhel7-1 ~]# ipa role-add-privilege --privileges="Certificate Administrators" crtadmin
  Role name: crtadmin
  Description: Cert Admins
  Privileges: Certificate Administrators
----------------------------
Number of privileges added 1
----------------------------
[root@rhel7-1 ~]# ipa role-add-member --users=user102 crtadmin
  Role name: crtadmin
  Description: Cert Admins
  Member users: user102
  Privileges: Certificate Administrators
-------------------------
Number of members added 1
-------------------------
[root@rhel7-1 ~]# ipa role-add --desc="Service Admins" svcadmin
---------------------
Added role "svcadmin"
---------------------
  Role name: svcadmin
  Description: Service Admins
[root@rhel7-1 ~]# ipa role-add-privilege --privileges="Service Administrators" svcadmin
  Role name: svcadmin
  Description: Service Admins
  Privileges: Service Administrators
----------------------------
Number of privileges added 1
----------------------------
[root@rhel7-1 ~]# ipa role-add-member --users=user102 svcadmin
  Role name: svcadmin
  Description: Service Admins
  Member users: user102
  Privileges: Service Administrators
-------------------------
Number of members added 1
-------------------------
[root@rhel7-1 ~]# authconfig --enablemkhomedir --update
[root@rhel7-1 ~]# ssh user102@$(hostname)
user102.com's password: 
Creating home directory for user102.
-sh-4.2$ cat > san.cnf <<EOF
> [req]
> default_bits = 2048
> distinguished_name = req_distinguished_name
> req_extensions = v3_req
> prompt = no
> encrypt_key = no
> 
> [req_distinguished_name]
> countryName = US
> stateOrProvinceName = Illinois
> localityName = Chicago
> 0.organizationName = RedHat
> organizationalUnitName = QE
> commonName = test102.example.com
> emailAddress = root
> 
> [ v3_req ]
> subjectAltName = @alt_names
> 
> [alt_names]
> DNS.1 = test102.example.com
> DNS.2 = test2.example.com
> EOF
-sh-4.2$ openssl req -out server.csr -new -newkey rsa:2048 -nodes -keyout server.key -config san.cnf
Generating a 2048 bit RSA private key
................+++
............................+++
writing new private key to 'server.key'
-----
-sh-4.2$ ipa cert-request server.csr --principal=HTTP/test102.example.com
  Certificate: ...trunc...
  Subject: CN=test102.example.com,O=EXAMPLE.COM
  Issuer: CN=Certificate Authority,O=EXAMPLE.COM
  Not Before: Mon Jan 26 17:51:53 2015 UTC
  Not After: Thu Jan 26 17:51:53 2017 UTC
  Fingerprint (MD5): 55:f7:91:be:30:ac:0d:7f:be:fa:9f:5c:80:80:0f:00
  Fingerprint (SHA1): 4c:75:c6:e7:68:28:fa:98:b5:d4:78:71:96:3e:51:48:74:a2:b1:7a
  Serial number: 11
  Serial number (hex): 0xB
-sh-4.2$ ipa cert-show 11 --out=mycert.crt
  Certificate: ...trunc...
  Subject: CN=test102.example.com,O=EXAMPLE.COM
  Issuer: CN=Certificate Authority,O=EXAMPLE.COM
  Not Before: Mon Jan 26 17:51:53 2015 UTC
  Not After: Thu Jan 26 17:51:53 2017 UTC
  Fingerprint (MD5): 55:f7:91:be:30:ac:0d:7f:be:fa:9f:5c:80:80:0f:00
  Fingerprint (SHA1): 4c:75:c6:e7:68:28:fa:98:b5:d4:78:71:96:3e:51:48:74:a2:b1:7a
  Serial number (hex): 0xB
  Serial number: 11
-sh-4.2$ openssl x509 -in mycert.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 11 (0xb)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=EXAMPLE.COM, CN=Certificate Authority
        Validity
            Not Before: Jan 26 17:51:53 2015 GMT
            Not After : Jan 26 17:51:53 2017 GMT
        Subject: O=EXAMPLE.COM, CN=test102.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:7A:A3:45:B8:67:72:97:28:9D:54:87:6A:07:F2:E6:56:EB:68:D0:0C

            Authority Information Access: 
                OCSP - URI:http://ipa-ca.example.com/ca/ocsp

            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://ipa-ca.example.com/ipa/crl/MasterCRL.bin
                CRL Issuer:
                  DirName: O = ipaca, CN = Certificate Authority

            X509v3 Subject Key Identifier: 
                31:39:9B:AB:A9:2F:F0:51:B1:33:7E:35:60:3E:89:C9:D9:F6:9F:5E
            X509v3 Subject Alternative Name: 
                DNS:test102.example.com, DNS:test2.example.com
    Signature Algorithm: sha256WithRSAEncryption
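
Added example, not part of the bug report or of IPA: the description says the caIPAserviceCert profile ignored requests with subject alt names, so the check that matters is on the issued certificate, not on the request. The script below compares the DNS entries in `openssl x509 -text` output with the names that were requested; the function names and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): confirm that an issued certificate
# carries exactly the dNSName SANs that were requested.

# Read `openssl x509 -text` output on stdin; print its DNS SANs, one per line.
san_dns_names() {
    awk '
        found {                      # entries are on the line after the header
            n = split($0, parts, ",")
            for (i = 1; i <= n; i++) {
                e = parts[i]
                gsub(/^[ \t]+|[ \t]+$/, "", e)
                if (e ~ /^DNS:/) print substr(e, 5)   # skip othername etc.
            }
            exit
        }
        /X509v3 Subject Alternative Name:/ { found = 1 }
    ' | LC_ALL=C sort -u
}

# check_sans NAME... : compare requested names with the certificate text on stdin.
# Returns 0 on an exact match, 1 otherwise, naming each difference.
check_sans() {
    issued=$(san_dns_names)
    wanted=$(printf '%s\n' "$@" | LC_ALL=C sort -u)
    rc=0
    for name in $wanted; do
        printf '%s\n' "$issued" | grep -qxF -- "$name" || { echo "MISSING: $name"; rc=1; }
    done
    for name in $issued; do
        printf '%s\n' "$wanted" | grep -qxF -- "$name" || { echo "UNEXPECTED: $name"; rc=1; }
    done
    return $rc
}

# Constructed sample: SAN section as printed in the admin test above.
sample_with_san() {
    cat <<'EOF'
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:test101.example.com, DNS:test1.example.com, othername:<unsupported>, othername:<unsupported>
EOF
}

# Constructed sample: a certificate whose CA profile dropped the SAN request.
sample_without_san() {
    cat <<'EOF'
        Subject: O=EXAMPLE.COM, CN=test101.example.com
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
EOF
}

sample_with_san | check_sans test101.example.com test1.example.com && echo "SANs match"
sample_without_san | check_sans test101.example.com test1.example.com || echo "requested names were not issued"
```

Against a real file, pipe `openssl x509 -in /tmp/mycerts/test101.crt -noout -text` into `check_sans` with the names passed to `-D`.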

Comment 10 errata-xmlrpc 2015-03-05 10:12:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html

