Red Hat Bugzilla – Bug 1129558
Windows Server 2012 CA does not accept CSR generated by IdM External CA installation
Last modified: 2015-03-05 05:13:13 EST
+++ This bug was initially created as a clone of Bug #790924 +++ Description of problem: When pkisilent is run with the "-external" flag there are no X.509 v3 extensions added to the certificate signing request (CSR) to signify to the certificate authority (CA) that the request is for a subordinate CA. This situation manifests in conditions where the CA is not a Red Hat Certificate Server. Version-Release number of selected component (if applicable): [root@opskzld31 log]# rpm -qif `which pkisilent` Name : pki-silent Relocations: (not relocatable) Version : 9.0.3 Vendor: Red Hat, Inc. Release : 20.el6 Build Date: Mon 03 Oct 2011 08:08:55 PM EDT Install Date: Mon 30 Jan 2012 12:34:19 PM EST Build Host: x86-002.build.bos.redhat.com Group : System Environment/Base Source RPM: pki-core-9.0.3-20.el6.src.rpm Size : 339099 License: GPLv2 Signature : RSA/8, Mon 07 Nov 2011 10:17:28 AM EST, Key ID 199e2f91fd431d51 Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla> URL : http://pki.fedoraproject.org/ Summary : Certificate System - Silent Installer How reproducible: Steps to Reproduce: 1. Run pkisilent with the -external and -external_csr flags 2. ... 3. (no) Profit Actual results: [root@opskzld31 ssl_test]# cat dogtag.csr -----BEGIN CERTIFICATE REQUEST----- MIIC0jCCAboCAQAwfjELMAkGA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9s aW5hMRAwDgYDVQQHEwdSYWxlaWdoMRUwEwYDVQQKEwxSZWQgSGF0LCBJbmMxLTAr BgNVBAMTJERvZ3RhZyBTdWJvcmRpbmF0ZSBTaWduaW5nIEF1dGhvcml0eTCCASIw DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKSQZD1pB3nVMKEmhtflfplj6xW6 aR5ulle+oWprk8n22RaWX3qsxPo1cgaYXutJ9Zm2ZyOFdR9bE6lt5kyinDcWyiCL xbnKhe6h/jTv7Y88lV3H/sY4qGBtmGssREJLVzH0QhGbq1Sm4rc3drRDZZj34lMv pLoQO30YZqo/aV7H5CnszdVVPD5XAfF+2ui91Wq/C7bVNtyrqpcS17e+nbELhFkn TqcISZsHnMVCeX1IAeMcN+cvAe6secwPkPI1xfOUJ1dAUQErcEwipDOaMRXVkkKf I1ARz/EaHHQSLp/fguGwEVV6RBNU9rYNyZ6BGqpjexCEdeF4qWMoPWIByt8CAwEA AaAPMA0GCSqGSIb3DQEJDjEAMA0GCSqGSIb3DQEBBQUAA4IBAQCUkV9hFQMsJzYk 9lq4Js4KsPTwYAWNTAPCzlaA77RO7coHN06xh8gkXC+MqSA5uiBqKh9BYQ9XL2h5 Q4JxI0SqUK5k/jtZjoha0Ve6mMssovxo0r36YUZP0gK8SOaB04uqfmw58OquhVUV ANk4mdyFCyHY03yttmapA3/dGZRfZ+YdEQ9G7or2Hb3+8DJp0V8orni1nQByvzus IZEYW72zLI1PgOdaP8AXA3OZq01NrUwkXyPH/IWJg3Be7KV/q4CYNxi2OlhFSfqI B7JOMfe7oZUc7IRCFIQ/4dt36Rz6IDuKJ/dLuPQe34/JVTeqnPpdF18JRqzrvk7i 2NHJJPFI -----END CERTIFICATE REQUEST----- [root@opskzld31 ssl_test]# openssl req -in dogtag.csr -noout -text Certificate Request: Data: Version: 0 (0x0) Subject: C=US, ST=North Carolina, L=Raleigh, O=Red Hat, Inc, CN=Dogtag Subordinate Signing Authority Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:a4:90:64:3d:69:07:79:d5:30:a1:26:86:d7:e5: 7e:99:63:eb:15:ba:69:1e:6e:96:57:be:a1:6a:6b: 93:c9:f6:d9:16:96:5f:7a:ac:c4:fa:35:72:06:98: 5e:eb:49:f5:99:b6:67:23:85:75:1f:5b:13:a9:6d: e6:4c:a2:9c:37:16:ca:20:8b:c5:b9:ca:85:ee:a1: fe:34:ef:ed:8f:3c:95:5d:c7:fe:c6:38:a8:60:6d: 98:6b:2c:44:42:4b:57:31:f4:42:11:9b:ab:54:a6: e2:b7:37:76:b4:43:65:98:f7:e2:53:2f:a4:ba:10: 3b:7d:18:66:aa:3f:69:5e:c7:e4:29:ec:cd:d5:55: 3c:3e:57:01:f1:7e:da:e8:bd:d5:6a:bf:0b:b6:d5: 36:dc:ab:aa:97:12:d7:b7:be:9d:b1:0b:84:59:27: 4e:a7:08:49:9b:07:9c:c5:42:79:7d:48:01:e3:1c: 37:e7:2f:01:ee:ac:79:cc:0f:90:f2:35:c5:f3:94: 27:57:40:51:01:2b:70:4c:22:a4:33:9a:31:15:d5: 92:42:9f:23:50:11:cf:f1:1a:1c:74:12:2e:9f:df: 82:e1:b0:11:55:7a:44:13:54:f6:b6:0d:c9:9e:81: 1a:aa:63:7b:10:84:75:e1:78:a9:63:28:3d:62:01: ca:df Exponent: 65537 (0x10001) Attributes: Signature Algorithm: sha1WithRSAEncryption 94:91:5f:61:15:03:2c:27:36:24:f6:5a:b8:26:ce:0a:b0:f4: f0:60:05:8d:4c:03:c2:ce:56:80:ef:b4:4e:ed:ca:07:37:4e: b1:87:c8:24:5c:2f:8c:a9:20:39:ba:20:6a:2a:1f:41:61:0f: 57:2f:68:79:43:82:71:23:44:aa:50:ae:64:fe:3b:59:8e:88: 5a:d1:57:ba:98:cb:2c:a2:fc:68:d2:bd:fa:61:46:4f:d2:02: bc:48:e6:81:d3:8b:aa:7e:6c:39:f0:ea:ae:85:55:15:00:d9: 38:99:dc:85:0b:21:d8:d3:7c:ad:b6:66:a9:03:7f:dd:19:94: 5f:67:e6:1d:11:0f:46:ee:8a:f6:1d:bd:fe:f0:32:69:d1:5f: 28:ae:78:b5:9d:00:72:bf:3b:ac:21:91:18:5b:bd:b3:2c:8d: 4f:80:e7:5a:3f:c0:17:03:73:99:ab:4d:4d:ad:4c:24:5f:23: c7:fc:85:89:83:70:5e:ec:a5:7f:ab:80:98:37:18:b6:3a:58: 45:49:fa:88:07:b2:4e:31:f7:bb:a1:95:1c:ec:84:42:14:84: 3f:e1:db:77:e9:1c:fa:20:3b:8a:27:f7:4b:b8:f4:1e:df:8f: c9:55:37:aa:9c:fa:5d:17:5f:09:46:ac:eb:be:4e:e2:d8:d1: c9:24:f1:48 Expected results: [root@opskzld31 ssl_test]# cat dogtag.csr -----BEGIN CERTIFICATE REQUEST----- MIIDAjCCAeoCAQAwfjELMAkGA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9s aW5hMRAwDgYDVQQHEwdSYWxlaWdoMRUwEwYDVQQKEwxSZWQgSGF0LCBJbmMxLTAr BgNVBAMTJERvZ3RhZyBTdWJvcmRpbmF0ZSBTaWduaW5nIEF1dGhvcml0eTCCASIw DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKSQZD1pB3nVMKEmhtflfplj6xW6 aR5ulle+oWprk8n22RaWX3qsxPo1cgaYXutJ9Zm2ZyOFdR9bE6lt5kyinDcWyiCL xbnKhe6h/jTv7Y88lV3H/sY4qGBtmGssREJLVzH0QhGbq1Sm4rc3drRDZZj34lMv pLoQO30YZqo/aV7H5CnszdVVPD5XAfF+2ui91Wq/C7bVNtyrqpcS17e+nbELhFkn TqcISZsHnMVCeX1IAeMcN+cvAe6secwPkPI1xfOUJ1dAUQErcEwipDOaMRXVkkKf I1ARz/EaHHQSLp/fguGwEVV6RBNU9rYNyZ6BGqpjexCEdeF4qWMoPWIByt8CAwEA AaA/MD0GCSqGSIb3DQEJDjEwMC4wDAYDVR0TBAUwAwEB/zARBglghkgBhvhCAQEE BAMCAgQwCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBBQUAA4IBAQB2uliTrHYQkjeb HVKWg6n5TyyosweFC/QTTis7m7SmlCVMQri63Yp3vXYU2dQ0veAglcECxANVAqZu 9fsrRcvB+NEBrVycEA/VZd1gZ3y/Bw/ByJsk7CIlRdtRivuupDVF1dILjff+vMz8 qVh5Z15d6ff3m6p3IqTBxJjeUNmqRFkLMEJJmDqkM4R5adMU+rCI4V9ILwlO2g0s tgWMaMFe82GET+TwW+I+NMRWO67S+slJzOP04hDVK0iSC93MbooFPoOArhrQVwmX zYZY+llnbYdaILHDNt3P/WWMgAiTmlEksaJbL8UCTRQRP881IpguqJZDP1O5uVhU OjNA13M+ -----END CERTIFICATE REQUEST----- [root@opskzld31 ssl_test]# openssl req -in dogtag.csr -noout -text Certificate Request: Data: Version: 0 (0x0) Subject: C=US, ST=North Carolina, L=Raleigh, O=Red Hat, Inc, CN=Dogtag Subordinate Signing Authority Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:a4:90:64:3d:69:07:79:d5:30:a1:26:86:d7:e5: 7e:99:63:eb:15:ba:69:1e:6e:96:57:be:a1:6a:6b: 93:c9:f6:d9:16:96:5f:7a:ac:c4:fa:35:72:06:98: 5e:eb:49:f5:99:b6:67:23:85:75:1f:5b:13:a9:6d: e6:4c:a2:9c:37:16:ca:20:8b:c5:b9:ca:85:ee:a1: fe:34:ef:ed:8f:3c:95:5d:c7:fe:c6:38:a8:60:6d: 98:6b:2c:44:42:4b:57:31:f4:42:11:9b:ab:54:a6: e2:b7:37:76:b4:43:65:98:f7:e2:53:2f:a4:ba:10: 3b:7d:18:66:aa:3f:69:5e:c7:e4:29:ec:cd:d5:55: 3c:3e:57:01:f1:7e:da:e8:bd:d5:6a:bf:0b:b6:d5: 36:dc:ab:aa:97:12:d7:b7:be:9d:b1:0b:84:59:27: 4e:a7:08:49:9b:07:9c:c5:42:79:7d:48:01:e3:1c: 37:e7:2f:01:ee:ac:79:cc:0f:90:f2:35:c5:f3:94: 27:57:40:51:01:2b:70:4c:22:a4:33:9a:31:15:d5: 92:42:9f:23:50:11:cf:f1:1a:1c:74:12:2e:9f:df: 82:e1:b0:11:55:7a:44:13:54:f6:b6:0d:c9:9e:81: 1a:aa:63:7b:10:84:75:e1:78:a9:63:28:3d:62:01: ca:df Exponent: 65537 (0x10001) Attributes: Requested Extensions: X509v3 Basic Constraints: CA:TRUE Netscape Cert Type: SSL CA X509v3 Key Usage: Certificate Sign, CRL Sign Signature Algorithm: sha1WithRSAEncryption 76:ba:58:93:ac:76:10:92:37:9b:1d:52:96:83:a9:f9:4f:2c: a8:b3:07:85:0b:f4:13:4e:2b:3b:9b:b4:a6:94:25:4c:42:b8: ba:dd:8a:77:bd:76:14:d9:d4:34:bd:e0:20:95:c1:02:c4:03: 55:02:a6:6e:f5:fb:2b:45:cb:c1:f8:d1:01:ad:5c:9c:10:0f: d5:65:dd:60:67:7c:bf:07:0f:c1:c8:9b:24:ec:22:25:45:db: 51:8a:fb:ae:a4:35:45:d5:d2:0b:8d:f7:fe:bc:cc:fc:a9:58: 79:67:5e:5d:e9:f7:f7:9b:aa:77:22:a4:c1:c4:98:de:50:d9: aa:44:59:0b:30:42:49:98:3a:a4:33:84:79:69:d3:14:fa:b0: 88:e1:5f:48:2f:09:4e:da:0d:2c:b6:05:8c:68:c1:5e:f3:61: 84:4f:e4:f0:5b:e2:3e:34:c4:56:3b:ae:d2:fa:c9:49:cc:e3: f4:e2:10:d5:2b:48:92:0b:dd:cc:6e:8a:05:3e:83:80:ae:1a: d0:57:09:97:cd:86:58:fa:59:67:6d:87:5a:20:b1:c3:36:dd: cf:fd:65:8c:80:08:93:9a:51:24:b1:a2:5b:2f:c5:02:4d:14: 11:3f:cf:35:22:98:2e:a8:96:43:3f:53:b9:b9:58:54:3a:33: 40:d7:73:3e Additional info: ... --- Additional comment from Martin Kosek on 2014-07-29 07:57:46 EDT --- I did a quick test with ipa-server-3.3.3-28.el7.x86_64 pki-ca-10.0.5-3.el7.noarch and generated a IPA with CSR request: # ipa-server-install --external-ca ... [38/38]: configuring directory to start on boot Done configuring directory server (dirsrv). Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds [1/6]: creating certificate server user [2/6]: configuring certificate server instance The next step is to get /root/ipa.csr signed by your CA and re-run ipa-server-install as: ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate # openssl req -in /root/ipa.csr -text Certificate Request: Data: Version: 0 (0x0) Subject: O=IDM.LAB.BOS.REDHAT.COM, CN=Certificate Authority Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:9e:51:15:d4:44:3c:b0:ef:87:fc:fa:09:a7:a8: db:4c:01:5e:1f:b1:32:86:99:ca:c8:d3:ae:e0:65: d3:c2:58:64:67:5c:99:1b:df:92:1f:f9:e3:13:cc: b7:54:a4:b7:95:98:f6:b0:7b:40:c2:9f:79:22:7b: bb:67:3e:d2:f4:82:0b:8a:2d:10:f1:ba:20:63:8f: ce:5b:3f:0b:00:b7:2c:47:e6:98:64:9f:df:42:af: ff:de:ec:69:14:fa:76:77:be:fa:26:6f:82:55:9a: 61:f5:04:f2:c0:7a:27:d2:83:d1:e6:9e:a8:55:1e: 9e:b3:a6:a4:f3:c4:73:35:62:fc:8e:e5:bd:81:fc: 7c:50:36:7c:de:c7:d5:74:36:85:e3:05:8e:e8:e5: a2:c7:11:89:c7:fe:56:38:57:10:dd:31:cc:7b:6c: 21:24:50:fe:f6:8b:4a:14:6c:d0:f6:f5:09:e7:33: 39:13:27:7e:d2:35:d3:97:f5:62:f1:84:33:17:3f: 95:99:27:9b:c5:a0:59:0f:ba:ae:c0:4e:18:87:0d: e3:a8:0b:3d:be:31:f8:25:2b:67:e9:59:b8:6f:50: d5:f2:72:68:16:41:af:10:a9:5a:17:d3:df:1f:33: b5:df:e2:0c:7d:e4:c0:f9:39:73:47:0b:d9:b4:0f: 8c:6b Exponent: 65537 (0x10001) Attributes: a0:00 Signature Algorithm: sha256WithRSAEncryption 06:c9:c8:ff:37:4b:75:d3:5d:4e:56:c7:fa:22:7d:6d:f1:fd: 64:96:0d:90:28:c9:4d:77:cc:ec:54:69:23:07:49:34:e4:e2: 15:10:8a:ac:f5:12:4f:65:d9:82:e1:96:74:c7:45:0b:e4:09: db:d0:c9:03:57:6c:51:7b:65:ac:2f:06:13:f0:20:bc:a4:41: 9b:8f:1b:e8:e3:26:5b:da:43:31:c2:41:93:da:c2:8b:a2:c6: 3e:8c:66:a3:a1:94:f5:0a:27:96:c2:11:89:cb:a9:64:0f:09: ab:44:c9:7a:44:18:94:3f:29:5a:78:c4:e1:e4:df:e0:70:7f: 52:be:1b:f3:e7:73:d9:f9:4d:16:38:6c:85:43:a1:74:05:d6: eb:eb:a4:93:12:b6:10:98:81:31:97:f5:03:9d:b7:f3:7c:e6: 18:9e:1c:5d:c0:94:bd:27:0d:0f:a2:f5:24:a5:74:c7:13:45: 5d:36:b4:a3:e8:2f:a5:8a:5f:1e:30:62:33:71:65:49:4e:6f: ce:3c:f2:d0:3e:88:e2:d1:d6:fc:b8:d0:9b:94:8b:47:63:43: cd:0b:49:f9:ff:06:c6:80:67:81:9c:89:b1:47:a5:c1:95:38: ec:70:0b:7b:13:26:99:27:a7:97:5a:64:d3:d0:6d:63:f5:41: 82:7f:c5:f5 -----BEGIN CERTIFICATE REQUEST----- MIIChjCCAW4CAQAwQTEfMB0GA1UEChMWSURNLkxBQi5CT1MuUkVESEFULkNPTTEe MBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEF AAOCAQ8AMIIBCgKCAQEAnlEV1EQ8sO+H/PoJp6jbTAFeH7EyhpnKyNOu4GXTwlhk Z1yZG9+SH/njE8y3VKS3lZj2sHtAwp95Inu7Zz7S9IILii0Q8bogY4/OWz8LALcs R+aYZJ/fQq//3uxpFPp2d776Jm+CVZph9QTywHon0oPR5p6oVR6es6ak88RzNWL8 juW9gfx8UDZ83sfVdDaF4wWO6OWixxGJx/5WOFcQ3THMe2whJFD+9otKFGzQ9vUJ 5zM5Eyd+0jXTl/Vi8YQzFz+VmSebxaBZD7quwE4Yhw3jqAs9vjH4JStn6Vm4b1DV 8nJoFkGvEKlaF9PfHzO13+IMfeTA+TlzRwvZtA+MawIDAQABoAAwDQYJKoZIhvcN AQELBQADggEBAAbJyP83S3XTXU5Wx/oifW3x/WSWDZAoyU13zOxUaSMHSTTk4hUQ iqz1Ek9l2YLhlnTHRQvkCdvQyQNXbFF7ZawvBhPwILykQZuPG+jjJlvaQzHCQZPa wouixj6MZqOhlPUKJ5bCEYnLqWQPCatEyXpEGJQ/KVp4xOHk3+Bwf1K+G/Pnc9n5 TRY4bIVDoXQF1uvrpJMSthCYgTGX9QOdt/N85hieHF3AlL0nDQ+i9SSldMcTRV02 tKPoL6WKXx4wYjNxZUlOb8488tA+iOLR1vy40JuUi0djQ80LSfn/BsaAZ4GcibFH pcGVOOxwC3sTJpknp5daZNPQbWP1QYJ/xfU= -----END CERTIFICATE REQUEST----- and found that the resulting CSR is indeed not digestable by Windows 2012 Server CA. I will attach a screenshot with exact error message. ... --- Additional comment from Christina Fu on 2014-07-29 12:46:48 EDT --- The idea that I shared with atolani was the following (Note: I don't know where IPA places things so it's more of an idea than exact steps): To do "external CA", the tool has to be run twice, as I understand. The first time is to generate the CSR, and the 2nd time is to install the cert after submitting the CSR to the CA. The idea is that the CSR could be replaced at that time in between the two runs of the tool. You regenerate the CSR with whatever tool that suits you. During that time, you want to also swap in the keys. Once you have swapped in the keys to the proper location (where the keys are was something atolani was to find out), and the CSR, submit the proper CSR to the external CA and you can continue from there. atolani, I suggest you put in the detailed steps after your experiment if you get it to work. Incidentally, I was thinking about how useful it would be if one could just reuse existing keypair to generate a new CSR with different extensions. If no such tool exists, we can possibly consider that for the future. I think the fix for the issue at hand is probably not just to add BasicConstraint extension to a subordinate CA. Rather, we should consider allowing one to craft the CSR in finer details. Of course when the "external CA" is our own Dogtag CA then such issue does not exist because we have enrollment profiles to serve the purpose on the server end. --- Additional comment from Martin Kosek on 2014-07-30 02:51:49 EDT --- Thanks Christina. JFTR, this is indeed a 2 step installation. First, ipa-server-install is run with --external-ca, when CSR is signed, it is run again with --external_cert_file and --external_ca_file options. See https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-ca-options.html#install-ca-external for details. IPA in RHEL-7.0 generates the CSR in /root/ipa.csr. PKI is installed in /var/lib/pki/pki-tomcat/. I am not sure where the key is though. /var/lib/pki/pki-tomcat/ca/alias/ contains just the "Server-Cert cert-pki-ca".
This Bugzilla is to make sure that IdM is capable of easy enrolling as subCA to MS CA 2012 service. It depends on change in PKI to generate proper CSR.
== Workaround == When testing a fix for Bug 1111320 I managed to enroll IPA as a subCA to Microsoft Windows Server 2012 CA. I just must not request the certificate via Web UI (by passing ipa.csr generated by --external-ca installation), but I had to request it via command line: certreq.exe -submit -attrib "CertificateTemplate:SubCA" ipa.csr mkad2012-ipa-ca With the patch for 1111320, the IPA installation succeed. See Bug 1111320, Comment 27 for details.
I prepared a chapter on FreeIPA upstream wiki with the workaround mentioned in Comment 3 to spread the information further: http://www.freeipa.org/page/PKI#Blending_in_PKI_infrastructure
Upstream ticket: https://fedorahosted.org/freeipa/ticket/4496
Upstream ticket: https://fedorahosted.org/freeipa/ticket/4489
*** Bug 1129561 has been marked as a duplicate of this bug. ***
This should be done in the same release as our external CA chaining tool RFE tracked in Bug 886645.
Usability fixes in upstream CA related installation options: master: https://fedorahosted.org/freeipa/changeset/60ecba77cd98f37be0d2c0f69efd307a687e59dc https://fedorahosted.org/freeipa/changeset/3aa0731fc660ea3d111a44926ab5dea71dc510e7 https://fedorahosted.org/freeipa/changeset/88083887c994ab505d6e07151e5dd26b56bb7732 https://fedorahosted.org/freeipa/changeset/3cde7e9cfd7908b24082e3e50cdd0955726223d0 https://fedorahosted.org/freeipa/changeset/83cbfa8eaee6b2b84eb9fe9e514a339780df81b5 ipa-4-1: https://fedorahosted.org/freeipa/changeset/b93bdb7b3ef0f9229b1bb2f5e4db1c4efc1616ea https://fedorahosted.org/freeipa/changeset/6136a3eb5d943792853359047770b0d85568d4fd https://fedorahosted.org/freeipa/changeset/a29ee452c4c1b776521869f87433605dc9dd8e77 https://fedorahosted.org/freeipa/changeset/01623f70d85065d48433d26e4d42c885a49989e8 https://fedorahosted.org/freeipa/changeset/0c4d7dabf3e3642451ecaac7837f08011ac772dd
== WORKAROUND 2 == When quickly checking the Bug 1151147 that Jan filed, I found a workaround on AD site how to force AD to issue certificates with UTF-8 encoding of certificate commonName field. You would need to follow section "Enforce UTF8 encoding" http://support.microsoft.com/kb/888180 and type following commands (tested on my Windows Server 2012): certutil -setreg ca\forceteletex +0x20 net stop certsvc net start cersvc
FreeIPA command line support is fixed upstream, we are just waiting what will be the next steps with Bug 1151147. master: * 4cdeacdedfe344e570da99548043a07a6fa24dbe Support MS CS as the external CA in ipa-server-install and ipa-ca-install ipa-4-1: * fdf46ac1c330e70893d6d13f1be24ee5063d27c6 Support MS CS as the external CA in ipa-server-install and ipa-ca-install To install FreeIPA with MS external CA, use command line switch --external-ca-type=ms-cs
Bumping pki-ca Requires was delayed to upstream ticket https://fedorahosted.org/freeipa/ticket/4645 We should not stall this feature, there exists an workaround + PKI bug is filed and acknowledged.
Require pki-core-10.1.2-4.el7 now that bug 1151147 was fixed.
Verified. Version :: Results :: [root@vm1 mscs]# ipa-server-install --setup-dns --forwarder=192.168.122.1 -r EXAMPLE.TEST -a Secret123 -p Secret123 --external-ca -U The log file for this installation can be found in /var/log/ipaserver-install.log ============================================================================== This program will set up the IPA Server. This includes: * Configure a stand-alone CA (dogtag) for certificate management * Configure the Network Time Daemon (ntpd) * Create and configure an instance of Directory Server * Create and configure a Kerberos Key Distribution Center (KDC) * Configure Apache (httpd) * Configure DNS (bind) Warning: skipping DNS resolution of host vm1.example.test The domain name has been determined based on the host name. Adding [192.168.122.201 vm1.example.test] to your /etc/hosts file Checking forwarders, please wait ... WARNING: DNS forwarder 192.168.122.1 does not return DNSSEC signatures in answers Please fix forwarder configuration to enable DNSSEC support. (For BIND 9 add directive "dnssec-enable yes;" to "options {}") WARNING: DNSSEC validation will be disabled Using reverse zone(s) 122.168.192.in-addr.arpa. The IPA Master Server will be configured with: Hostname: vm1.example.test IP address(es): 192.168.122.201 Domain name: example.test Realm name: EXAMPLE.TEST BIND DNS server will be configured to serve IPA domain with: Forwarders: 192.168.122.1 Reverse zone(s): 122.168.192.in-addr.arpa. Configuring NTP daemon (ntpd) [1/4]: stopping ntpd [2/4]: writing configuration [3/4]: configuring ntpd to start on boot [4/4]: starting ntpd Done configuring NTP daemon (ntpd). Configuring directory server (dirsrv): Estimated time 1 minute [1/38]: creating directory server user [2/38]: creating directory server instance [3/38]: adding default schema [4/38]: enabling memberof plugin [5/38]: enabling winsync plugin [6/38]: configuring replication version plugin [7/38]: enabling IPA enrollment plugin [8/38]: enabling ldapi [9/38]: configuring uniqueness plugin [10/38]: configuring uuid plugin [11/38]: configuring modrdn plugin [12/38]: configuring DNS plugin [13/38]: enabling entryUSN plugin [14/38]: configuring lockout plugin [15/38]: creating indices [16/38]: enabling referential integrity plugin [17/38]: configuring certmap.conf [18/38]: configure autobind for root [19/38]: configure new location for managed entries [20/38]: configure dirsrv ccache [21/38]: enable SASL mapping fallback [22/38]: restarting directory server [23/38]: adding default layout [24/38]: adding delegation layout [25/38]: creating container for managed entries [26/38]: configuring user private groups [27/38]: configuring netgroups from hostgroups [28/38]: creating default Sudo bind user [29/38]: creating default Auto Member layout [30/38]: adding range check plugin [31/38]: creating default HBAC rule allow_all [32/38]: initializing group membership [33/38]: adding master entry [34/38]: configuring Posix uid/gid generation [35/38]: adding replication acis [36/38]: enabling compatibility plugin [37/38]: tuning directory server [38/38]: configuring directory to start on boot Done configuring directory server (dirsrv). Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds [1/8]: creating certificate server user [2/8]: configuring certificate server instance The next step is to get /root/ipa.csr signed by your CA and re-run /usr/sbin/ipa-server-install as: /usr/sbin/ipa-server-install --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate Here I copied ipa.csr to Windows Server 2012 ADCS server and signed it and copied signed cert and the AD CA cert chain back to complete the setup. It should be noted that I used the web enrollment interface for this. [root@vm1 ~]# ls adca_chain.p7b ca-agent.p12 certnew.cer ipa_qe_certs.py tw.py anaconda-ks.cfg cacert.p12 ipa.csr mscs [root@vm1 ~]# openssl pkcs7 -print_certs -in adca_chain.p7b -inform DER -out adca_chain.pem [root@vm1 ~]# ipa-server-install --setup-dns --forwarder=192.168.122.1 -r EXAMPLE.TEST -a Secret123 -p Secret123 -U --external-cert-file=/root/certnew.cer --external-cert-file=/root/adca_chain.pem The log file for this installation can be found in /var/log/ipaserver-install.log ============================================================================== This program will set up the IPA Server. This includes: * Configure a stand-alone CA (dogtag) for certificate management * Configure the Network Time Daemon (ntpd) * Create and configure an instance of Directory Server * Create and configure a Kerberos Key Distribution Center (KDC) * Configure Apache (httpd) * Configure DNS (bind) Warning: skipping DNS resolution of host vm1.example.test Checking forwarders, please wait ... WARNING: DNS forwarder 192.168.122.1 does not return DNSSEC signatures in answers Please fix forwarder configuration to enable DNSSEC support. (For BIND 9 add directive "dnssec-enable yes;" to "options {}") Using reverse zone(s) 122.168.192.in-addr.arpa. The IPA Master Server will be configured with: Hostname: vm1.example.test IP address(es): 192.168.122.201 Domain name: example.test Realm name: EXAMPLE.TEST BIND DNS server will be configured to serve IPA domain with: Forwarders: 192.168.122.1 Reverse zone(s): 122.168.192.in-addr.arpa. Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds [1/27]: creating certificate server user [2/27]: configuring certificate server instance [3/27]: stopping certificate server instance to update CS.cfg [4/27]: backing up CS.cfg [5/27]: disabling nonces [6/27]: set up CRL publishing [7/27]: enable PKIX certificate path discovery and validation [8/27]: starting certificate server instance [9/27]: creating RA agent certificate database [10/27]: importing CA chain to RA certificate database [11/27]: fixing RA database permissions [12/27]: setting up signing cert profile [13/27]: set certificate subject base [14/27]: enabling Subject Key Identifier [15/27]: enabling Subject Alternative Name [16/27]: enabling CRL and OCSP extensions for certificates [17/27]: setting audit signing renewal to 2 years [18/27]: configuring certificate server to start on boot [19/27]: restarting certificate server [20/27]: requesting RA certificate from CA [21/27]: issuing RA agent certificate [22/27]: adding RA agent as a trusted user [23/27]: configure certmonger for renewals [24/27]: configure certificate renewals [25/27]: configure RA certificate renewal [26/27]: configure Server-Cert certificate renewal [27/27]: Configure HTTP to proxy connections Done configuring certificate server (pki-tomcatd). Configuring directory server (dirsrv): Estimated time 10 seconds [1/3]: configuring ssl for ds instance [2/3]: restarting directory server [3/3]: adding CA certificate entry Done configuring directory server (dirsrv). Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds [1/10]: adding sasl mappings to the directory [2/10]: adding kerberos container to the directory [3/10]: configuring KDC [4/10]: initialize kerberos container [5/10]: adding default ACIs [6/10]: creating a keytab for the directory [7/10]: creating a keytab for the machine [8/10]: adding the password extension to the directory [9/10]: starting the KDC [10/10]: configuring KDC to start on boot Done configuring Kerberos KDC (krb5kdc). Configuring kadmin [1/2]: starting kadmin [2/2]: configuring kadmin to start on boot Done configuring kadmin. Configuring ipa_memcached [1/2]: starting ipa_memcached [2/2]: configuring ipa_memcached to start on boot Done configuring ipa_memcached. Configuring ipa-otpd [1/2]: starting ipa-otpd [2/2]: configuring ipa-otpd to start on boot Done configuring ipa-otpd. Configuring the web interface (httpd): Estimated time 1 minute [1/16]: setting mod_nss port to 443 [2/16]: setting mod_nss protocol list to TLSv1.0 - TLSv1.1 [3/16]: setting mod_nss password file [4/16]: enabling mod_nss renegotiate [5/16]: adding URL rewriting rules [6/16]: configuring httpd [7/16]: configure certmonger for renewals [8/16]: setting up ssl [9/16]: importing CA certificates from LDAP [10/16]: setting up browser autoconfig [11/16]: publish CA cert [12/16]: creating a keytab for httpd [13/16]: clean up any existing httpd ccache [14/16]: configuring SELinux for httpd [15/16]: restarting httpd [16/16]: configuring httpd to start on boot Done configuring the web interface (httpd). Applying LDAP updates Restarting Directory server to apply updates [1/2]: stopping directory server [2/2]: starting directory server Done. Restarting the directory server Restarting the KDC Restarting the certificate server Configuring DNS (named) [1/12]: generating rndc key file [2/12]: adding DNS container [3/12]: setting up our zone [4/12]: setting up reverse zone [5/12]: setting up our own record [6/12]: setting up records for other masters [7/12]: adding NS record to the zones [8/12]: setting up CA record [9/12]: setting up kerberos principal [10/12]: setting up named.conf [11/12]: configuring named to start on boot [12/12]: changing resolv.conf to point to ourselves Done configuring DNS (named). Restarting named Global DNS configuration in LDAP server is empty You can use 'dnsconfig-mod' command to set global DNS options that would override settings in local named.conf files Restarting the web server ============================================================================== Setup complete Next steps: 1. You must make sure these network ports are open: TCP Ports: * 80, 443: HTTP/HTTPS * 389, 636: LDAP/LDAPS * 88, 464: kerberos * 53: bind UDP Ports: * 88, 464: kerberos * 53: bind * 123: ntp 2. You can now obtain a kerberos ticket using the command: 'kinit admin' This ticket will allow you to use the IPA tools (e.g., ipa user-add) and the web user interface. Be sure to back up the CA certificate stored in /root/cacert.p12 This file is required to create replicas. The password for this file is the Directory Manager password
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-0442.html