Bug 1169591 – RHEL7.1 ipa-cacert-manage renewed certificate from MS ADCS not compatible

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1169591 - RHEL7.1 ipa-cacert-manage renewed certificate from MS ADCS not compatible

Summary:	RHEL7.1 ipa-cacert-manage renewed certificate from MS ADCS not compatible

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa (Show other bugs)
Sub Component:
Version:	7.1
Hardware:	Unspecified Unspecified

Priority	medium Severity unspecified
Target Milestone:	rc
Target Release:	---
Assigned To:	Jan Cholasta
QA Contact:	Namita Soman
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:	1168850
	Show dependency tree / graph

Reported:	2014-12-01 22:21 EST by Scott Poore
Modified:	2015-03-05 05:18 EST (History)
CC List:	4 users (show)

See Also:
Fixed In Version:	ipa-4.1.0-12.el7
Doc Type:	Bug Fix
Doc Text:	The following known issue description has been removed from the RHEL 7.1 Beta Release Notes: Microsoft Certificate Services do not always keep the Subject Name binary encoding as defined in the Certificate Request. When IPA CA certificate signed by an external CA is being renewed using the ipa-cacert-manage command, the subject name of the certificate issued by the Microsoft Certificate Services does not always match the subject name of the originating certificate signing the request on binary level. To work around this problem, when renewing the IPA CA certificate signed by an external CA using ipa-cacert-manage, make sure the subject name of the certificate issued by the external CA matches the subject name of the originating certificate signing request on binary level. This is especially important for Microsoft Certificate Services, which by default uses the PrintableString encoding in subject names of certificates it issues, despite the encoding used in subject name of certificate signing requests. However, uses the UTF8String encoding by default. See http://support.microsoft.com/kb/888180 for instructions on how to configure MS CS to use UTF8String encoding in subject names.
Story Points:	---
Clone Of:
Environment:
Last Closed:	2015-03-05 05:18:39 EST
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2015:0442	normal	SHIPPED_LIVE	Moderate: ipa security, bug fix, and enhancement update	2015-03-05 09:50:39 EST

Groups: None (edit)

Description Scott Poore 2014-12-01 22:21:31 EST

Description of problem:

I'm trying to renew a CA Cert and change from self signed to external CA signed using MS ADCS.

[root@rhel7-2 ~]# ipa-cacert-manage renew --external-ca
Exporting CA certificate signing request, please wait
The next step is to get /var/lib/ipa/ca.csr signed by your CA and re-run ipa-cacert-manage as:
ipa-cacert-manage renew --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate
The ipa-cacert-manage command was successful

[root@rhel7-2 ~]# cd /root/certs

[root@rhel7-2 certs]# ls
adcs2_chain.p7b  ca.cer

[root@rhel7-2 certs]# openssl pkcs7 -print_certs -in /root/certs/adcs2_chain.p7b -inform DER -out /root/certs/adcs2_chain.pem

[root@rhel7-2 certs]# ipa-cacert-manage renew --external-cert-file=/root/certs/adcs2_chain.pem --external-cert-file=/root/certs/ca.cer -p Secret123
Importing the renewed CA certificate, please wait
Not compatible with the current CA certificate: %s
Command ''/usr/bin/certutil' '-d' '/tmp/tmpAYIjfk' '-A' '-n' 'IPA CA' '-t' 'C,,'' returned non-zero exit status 255


Version-Release number of selected component (if applicable):

ipa-server-4.1.0-10.el7.x86_64
certmonger-0.75.14-2.el7.x86_64
nss-tools-3.16.2.3-2.el7.x86_64


How reproducible:
unknown

Steps to Reproduce:
1.  Install IPA server
2.  ipa-cacert-manage renew --external-ca
3.  copy CSR to windows ADCS server
4.  sign cert
5.  copy cert and ADCS CA cert chain to IPA server
6.  convert ADCS CA cert chain from p7b to DER pem
    openssl pkcs7 -print_certs -in <p7b_file> -inform DER -out <pem_file>
7.  ipa-cacert-manage renew --external-cert-file=<pem_file> --external-cert-file=<cacert> -p <password>

Actual results:
fails like above

Expected results:
no fail

Additional info:

Comment 2 Jan Cholasta 2014-12-02 06:54:52 EST

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4781

Comment 5 Scott Poore 2014-12-04 10:18:47 EST

Per Honza and Martin's suggestion:

https://bugzilla.redhat.com/show_bug.cgi?id=1129558#c11

I had to use that workaround to force UTF-8 encoding on ADCS side.

I was then able to use the signed cert.

Comment 8 Jan Cholasta 2014-12-10 12:11:06 EST

Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/f7f3c83748b3b5d5d968cc3c72145f3c5f23cd8b
https://fedorahosted.org/freeipa/changeset/8f9c5988e2f370cef66a4cd7cf3d363f061a439c
ipa-4-1:
https://fedorahosted.org/freeipa/changeset/731035e526441b93b69fb20c6a6c990cdcdc4899
https://fedorahosted.org/freeipa/changeset/3cb2f5e841f5bac6a8cc02bc9467846b35f7aab8

Comment 10 Scott Poore 2014-12-19 11:53:54 EST

Verified.

Version ::

ipa-server-4.1.0-13.el7.x86_64

Results ::

# Just showing here that this is self-signed:

[root@vm1 ~]# getcert list -i 20141219162921
Number of certificates and requests being tracked: 8.
Request ID '20141219162921':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin='572794088956'
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=EXAMPLE.TEST
	subject: CN=Certificate Authority,O=EXAMPLE.TEST
	expires: 2034-12-19 16:28:38 UTC
	key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes

# Now, try to renew without workaround on AD CS:

[root@vm1 ~]# ipa-cacert-manage renew --external-ca
Exporting CA certificate signing request, please wait
The next step is to get /var/lib/ipa/ca.csr signed by your CA and re-run ipa-cacert-manage as:
ipa-cacert-manage renew --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate
The ipa-cacert-manage command was successful

[root@vm1 ~]# ls
anaconda-ks.cfg  ca-agent.p12  cacert.p12  ipa-tests

# copied CSR to ADCS and signed and copied back.

[root@vm1 ~]# ls
adcs3_chain.p7b  anaconda-ks.cfg  ca-agent.p12  ca.cer  cacert.p12  ipa-tests

# Convert ADCS CA Chain:

[root@vm1 ~]# openssl pkcs7 -print_certs -in adcs3_chain.p7b -inform DER -out adcs3_chain.pem

# Now I see new error message:

[root@vm1 ~]# ipa-cacert-manage renew --external-cert-file=ca.cer --external-cert-file=adcs3_chain.pem  -p Secret123
Importing the renewed CA certificate, please wait
Subject name encoding mismatch (visit http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)

Comment 12 errata-xmlrpc 2015-03-05 05:18:39 EST

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html

Note You need to log in before you can comment on or make changes to this bug.