1169591 – RHEL7.1 ipa-cacert-manage renewed certificate from MS ADCS not compatible

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1169591 - RHEL7.1 ipa-cacert-manage renewed certificate from MS ADCS not compatible

Summary: RHEL7.1 ipa-cacert-manage renewed certificate from MS ADCS not compatible

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	7.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Jan Cholasta
QA Contact:	Namita Soman
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1168850
TreeView+	depends on / blocked

Reported:	2014-12-02 03:21 UTC by Scott Poore
Modified:	2015-03-05 10:18 UTC (History)
CC List:	4 users (show)
Fixed In Version:	ipa-4.1.0-12.el7
Doc Type:	Bug Fix
Doc Text:	The following known issue description has been removed from the RHEL 7.1 Beta Release Notes: Microsoft Certificate Services do not always keep the Subject Name binary encoding as defined in the Certificate Request. When IPA CA certificate signed by an external CA is being renewed using the ipa-cacert-manage command, the subject name of the certificate issued by the Microsoft Certificate Services does not always match the subject name of the originating certificate signing the request on binary level. To work around this problem, when renewing the IPA CA certificate signed by an external CA using ipa-cacert-manage, make sure the subject name of the certificate issued by the external CA matches the subject name of the originating certificate signing request on binary level. This is especially important for Microsoft Certificate Services, which by default uses the PrintableString encoding in subject names of certificates it issues, despite the encoding used in subject name of certificate signing requests. However, uses the UTF8String encoding by default. See http://support.microsoft.com/kb/888180 for instructions on how to configure MS CS to use UTF8String encoding in subject names.
Clone Of:
Environment:
Last Closed:	2015-03-05 10:18:39 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2015:0442	0	normal	SHIPPED_LIVE	Moderate: ipa security, bug fix, and enhancement update	2015-03-05 14:50:39 UTC

Description Scott Poore 2014-12-02 03:21:31 UTC

Description of problem:

I'm trying to renew a CA Cert and change from self signed to external CA signed using MS ADCS.

[root@rhel7-2 ~]# ipa-cacert-manage renew --external-ca
Exporting CA certificate signing request, please wait
The next step is to get /var/lib/ipa/ca.csr signed by your CA and re-run ipa-cacert-manage as:
ipa-cacert-manage renew --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate
The ipa-cacert-manage command was successful

[root@rhel7-2 ~]# cd /root/certs

[root@rhel7-2 certs]# ls
adcs2_chain.p7b  ca.cer

[root@rhel7-2 certs]# openssl pkcs7 -print_certs -in /root/certs/adcs2_chain.p7b -inform DER -out /root/certs/adcs2_chain.pem

[root@rhel7-2 certs]# ipa-cacert-manage renew --external-cert-file=/root/certs/adcs2_chain.pem --external-cert-file=/root/certs/ca.cer -p Secret123
Importing the renewed CA certificate, please wait
Not compatible with the current CA certificate: %s
Command ''/usr/bin/certutil' '-d' '/tmp/tmpAYIjfk' '-A' '-n' 'IPA CA' '-t' 'C,,'' returned non-zero exit status 255


Version-Release number of selected component (if applicable):

ipa-server-4.1.0-10.el7.x86_64
certmonger-0.75.14-2.el7.x86_64
nss-tools-3.16.2.3-2.el7.x86_64


How reproducible:
unknown

Steps to Reproduce:
1.  Install IPA server
2.  ipa-cacert-manage renew --external-ca
3.  copy CSR to windows ADCS server
4.  sign cert
5.  copy cert and ADCS CA cert chain to IPA server
6.  convert ADCS CA cert chain from p7b to DER pem
    openssl pkcs7 -print_certs -in <p7b_file> -inform DER -out <pem_file>
7.  ipa-cacert-manage renew --external-cert-file=<pem_file> --external-cert-file=<cacert> -p <password>

Actual results:
fails like above

Expected results:
no fail

Additional info:

Comment 2 Jan Cholasta 2014-12-02 11:54:52 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4781

Comment 5 Scott Poore 2014-12-04 15:18:47 UTC

Per Honza and Martin's suggestion:

https://bugzilla.redhat.com/show_bug.cgi?id=1129558#c11

I had to use that workaround to force UTF-8 encoding on ADCS side.

I was then able to use the signed cert.

Comment 8 Jan Cholasta 2014-12-10 17:11:06 UTC

Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/f7f3c83748b3b5d5d968cc3c72145f3c5f23cd8b
https://fedorahosted.org/freeipa/changeset/8f9c5988e2f370cef66a4cd7cf3d363f061a439c
ipa-4-1:
https://fedorahosted.org/freeipa/changeset/731035e526441b93b69fb20c6a6c990cdcdc4899
https://fedorahosted.org/freeipa/changeset/3cb2f5e841f5bac6a8cc02bc9467846b35f7aab8

Comment 10 Scott Poore 2014-12-19 16:53:54 UTC

Verified.

Version ::

ipa-server-4.1.0-13.el7.x86_64

Results ::

# Just showing here that this is self-signed:

[root@vm1 ~]# getcert list -i 20141219162921
Number of certificates and requests being tracked: 8.
Request ID '20141219162921':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin='572794088956'
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=EXAMPLE.TEST
	subject: CN=Certificate Authority,O=EXAMPLE.TEST
	expires: 2034-12-19 16:28:38 UTC
	key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes

# Now, try to renew without workaround on AD CS:

[root@vm1 ~]# ipa-cacert-manage renew --external-ca
Exporting CA certificate signing request, please wait
The next step is to get /var/lib/ipa/ca.csr signed by your CA and re-run ipa-cacert-manage as:
ipa-cacert-manage renew --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate
The ipa-cacert-manage command was successful

[root@vm1 ~]# ls
anaconda-ks.cfg  ca-agent.p12  cacert.p12  ipa-tests

# copied CSR to ADCS and signed and copied back.

[root@vm1 ~]# ls
adcs3_chain.p7b  anaconda-ks.cfg  ca-agent.p12  ca.cer  cacert.p12  ipa-tests

# Convert ADCS CA Chain:

[root@vm1 ~]# openssl pkcs7 -print_certs -in adcs3_chain.p7b -inform DER -out adcs3_chain.pem

# Now I see new error message:

[root@vm1 ~]# ipa-cacert-manage renew --external-cert-file=ca.cer --external-cert-file=adcs3_chain.pem  -p Secret123
Importing the renewed CA certificate, please wait
Subject name encoding mismatch (visit http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)

Comment 12 errata-xmlrpc 2015-03-05 10:18:39 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html

Note You need to log in before you can comment on or make changes to this bug.