RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1367868 - Add options to retrieve lightweight CA certificate/chain
Summary: Add options to retrieve lightweight CA certificate/chain
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Mohammad Rizwan
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-08-17 16:45 UTC by Petr Vobornik
Modified: 2017-08-01 09:39 UTC (History)
7 users (show)

Fixed In Version: ipa-4.5.0-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 09:39:54 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2304 0 normal SHIPPED_LIVE ipa bug fix and enhancement update 2017-08-01 12:41:35 UTC

Description Petr Vobornik 2016-08-17 16:45:04 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/6178

Administrators need a way to retrieve the certificate or
certificate chain of an IPA-managed lightweight CA.

Add --certificate-out and --certificate-chain-out options to 
the `ca-show` command.
Comment 1 Fraser Tweedale 2016-09-05 14:13:25 UTC 
A note as to why this is desired for 7.3:

Often when you have a sub-CA you want to anchor trust at that sub-CA,
e.g. so that VPN server will only consider certs issued by a particular
sub-CA created to issue VPN user certs.

Currently IPA lacks a simple way to get the certificate for a
sub-CA.  It can be done in a roundabout way i.e. by searching for
certificates with same subject name as the sub-CA but this is
awkward.
Comment 3 Jan Cholasta 2016-12-12 11:59:25 UTC 
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/c7ea56c049ec8ab1a5500852eca6faf750b1479f
https://fedorahosted.org/freeipa/changeset/cc5b88e5d4ac1171374be9ae8e6e60730243dd3d
https://fedorahosted.org/freeipa/changeset/32b1743e5fb318b226a602ec8d9a4b6ef2a25c9d
Comment 4 Martin Bašti 2017-01-05 16:42:04 UTC 
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/ceb26f5ac428cdbed8ec1fa89e9ed6f1d903a5a0
Comment 6 Mohammad Rizwan 2017-05-30 07:14:07 UTC 
version:
ipa-server-4.5.0-13.el7.x86_64

[root@hp-dl380pgen8-02-vm-10 ~]# ipa ca-show --help
Usage: ipa [global-options] ca-show NAME [options]

Display the properties of a CA.
Options:
  -h, --help            show this help message and exit
  --rights              Display the access rights of this entry (requires
                        --all). See ipa man page for details.
  --chain               Include certificate chain in output
  --all                 Retrieve and print all attributes from the server.
                        Affects command output.
  --raw                 Print entries as stored on the server. Only affects
                        output format.
  --certificate-out=FILE
                        Write certificate (chain if --chain used) to file

[root@hp-dl380pgen8-02-vm-10 ~]# ipa ca-show --certificate-out=/root/ca.crt
Name: ipa
  Name: ipa
  Description: IPA CA
  Authority ID: 5f44b057-2994-49ee-a701-3d0826854d96
  Subject DN: CN=Certificate Authority,O=TESTRELM.TEST
  Issuer DN: CN=Certificate Authority,O=TESTRELM.TEST
  Certificate: MIIDkTCCAnmgAwIBAgIBATANBgkqhkiG9w0BAQsFADA4MRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTcwNTI5MTAzNDUzWhcNMzcwNTI5MTAzNDUzWjA4MRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3kKtrV5MchW/Be3OxjiS5A4l1b7YeuFi4LIQZE83EoQ9oDxLoox/w/WeRtmzY0EotMYbHliZIdLI26pM/5ZUlbFKu7P5lnpVx5QNqcuav4TO0m9yrguVdNuCRW1mLPOVM+WGgHbSMnL0YhzTw2jKmwQ9htK3nZRr89TU7SrVQh7HGbQkenuUSoDj7TcrEBoxZtimpZfCLJBqTtZRJJDXjN0TX5KUXwHwgBp267LMqvTuGCONtNKZKbGu1+5L8sGoBwr/joGO4OlY/jtv1Qes5JDNjWLmafiyV02cL3tiEHFH4X6h7x/BYk/xRDe/OhmMRSrBUFELfc9lVTarTzd8XAgMBAAGjgaUwgaIwHwYDVR0jBBgwFoAUGFljoBH1xWw0THDBGKW2j8pgNE4wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAcYwHQYDVR0OBBYEFBhZY6AR9cVsNExwwRilto/KYDROMD8GCCsGAQUFBwEBBDMwMTAvBggrBgEFBQcwAYYjaHR0cDovL2lwYS1jYS50ZXN0cmVsbS50ZXN0L2NhL29jc3AwDQYJKoZIhvcNAQELBQADggEBAESKNzupNpNeKUaxPR11gorcQchuOBrZ23WBmMlnIgKw8TUB4k1CoQU6UvQ+66EsesdlF2N7Y5imkjTu0+HBvPHqKhs/xLWQg41WvE4gBLIP55UxTe48pjdeY5ewDXiEEXqM0lFYEfNKsc9lMJdswbnixsu00hDF7NhSE6bhbNv4+eehgnJVaSDhHkUnheJG0cmrZRssqDcldsMn+tNUVsRRwX2y9cdaplGU9dQLWf/iwAF3J8vReigSr5xF0VM6Oo/q56djahIEP4ILYPUV1cINvmiH/x9FWFXb54G1C8scQ/ttno5pt9zPUsGJB4B8DPnulH3dEhzELijwQGit7bQ=

[root@hp-dl380pgen8-02-vm-10 ~]# ll
total 72
-rw-------. 1 root    root    20266 May 29 01:55 anaconda-ks.cfg
-rw-------. 1 root    root     2612 May 29 06:34 ca-agent.p12
-rw-r--r--. 1 pkiuser pkiuser 10368 May 29 06:34 cacert.p12
-rw-r--r--. 1 root    root     1316 May 29 06:41 ca.crt
-rwxr-xr-x. 1 root    root      887 May 29 06:33 ipa.sh
-rw-r--r--. 1 root    root        4 May 29 01:54 NETBOOT_METHOD.TXT

[root@hp-dl380pgen8-02-vm-10 ~]# cat ca.crt
-----BEGIN CERTIFICATE-----
MIIDkTCCAnmgAwIBAgIBATANBgkqhkiG9w0BAQsFADA4MRYwFAYDVQQKDA1URVNU
UkVMTS5URVNUMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTcw
NTI5MTAzNDUzWhcNMzcwNTI5MTAzNDUzWjA4MRYwFAYDVQQKDA1URVNUUkVMTS5U
RVNUMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQC3kKtrV5MchW/Be3OxjiS5A4l1b7YeuFi4LIQZ
E83EoQ9oDxLoox/w/WeRtmzY0EotMYbHliZIdLI26pM/5ZUlbFKu7P5lnpVx5QNq
cuav4TO0m9yrguVdNuCRW1mLPOVM+WGgHbSMnL0YhzTw2jKmwQ9htK3nZRr89TU7
SrVQh7HGbQkenuUSoDj7TcrEBoxZtimpZfCLJBqTtZRJJDXjN0TX5KUXwHwgBp26
7LMqvTuGCONtNKZKbGu1+5L8sGoBwr/joGO4OlY/jtv1Qes5JDNjWLmafiyV02cL
3tiEHFH4X6h7x/BYk/xRDe/OhmMRSrBUFELfc9lVTarTzd8XAgMBAAGjgaUwgaIw
HwYDVR0jBBgwFoAUGFljoBH1xWw0THDBGKW2j8pgNE4wDwYDVR0TAQH/BAUwAwEB
/zAOBgNVHQ8BAf8EBAMCAcYwHQYDVR0OBBYEFBhZY6AR9cVsNExwwRilto/KYDRO
MD8GCCsGAQUFBwEBBDMwMTAvBggrBgEFBQcwAYYjaHR0cDovL2lwYS1jYS50ZXN0
cmVsbS50ZXN0L2NhL29jc3AwDQYJKoZIhvcNAQELBQADggEBAESKNzupNpNeKUax
PR11gorcQchuOBrZ23WBmMlnIgKw8TUB4k1CoQU6UvQ+66EsesdlF2N7Y5imkjTu
0+HBvPHqKhs/xLWQg41WvE4gBLIP55UxTe48pjdeY5ewDXiEEXqM0lFYEfNKsc9l
MJdswbnixsu00hDF7NhSE6bhbNv4+eehgnJVaSDhHkUnheJG0cmrZRssqDcldsMn
+tNUVsRRwX2y9cdaplGU9dQLWf/iwAF3J8vReigSr5xF0VM6Oo/q56djahIEP4IL
YPUV1cINvmiH/x9FWFXb54G1C8scQ/ttno5pt9zPUsGJB4B8DPnulH3dEhzELijw
QGit7bQ=
-----END CERTIFICATE-----

[root@hp-dl380pgen8-02-vm-10 ~]# ipa ca-show --certificate-out=/root/ca.crt --chain
Name: ipa
  Name: ipa
  Description: IPA CA
  Authority ID: 5f44b057-2994-49ee-a701-3d0826854d96
  Subject DN: CN=Certificate Authority,O=TESTRELM.TEST
  Issuer DN: CN=Certificate Authority,O=TESTRELM.TEST
  Certificate: MIIDkTCCAnmgAwIBAgIBATANBgkqhkiG9w0BAQsFADA4MRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTcwNTI5MTAzNDUzWhcNMzcwNTI5MTAzNDUzWjA4MRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3kKtrV5MchW/Be3OxjiS5A4l1b7YeuFi4LIQZE83EoQ9oDxLoox/w/WeRtmzY0EotMYbHliZIdLI26pM/5ZUlbFKu7P5lnpVx5QNqcuav4TO0m9yrguVdNuCRW1mLPOVM+WGgHbSMnL0YhzTw2jKmwQ9htK3nZRr89TU7SrVQh7HGbQkenuUSoDj7TcrEBoxZtimpZfCLJBqTtZRJJDXjN0TX5KUXwHwgBp267LMqvTuGCONtNKZKbGu1+5L8sGoBwr/joGO4OlY/jtv1Qes5JDNjWLmafiyV02cL3tiEHFH4X6h7x/BYk/xRDe/OhmMRSrBUFELfc9lVTarTzd8XAgMBAAGjgaUwgaIwHwYDVR0jBBgwFoAUGFljoBH1xWw0THDBGKW2j8pgNE4wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAcYwHQYDVR0OBBYEFBhZY6AR9cVsNExwwRilto/KYDROMD8GCCsGAQUFBwEBBDMwMTAvBggrBgEFBQcwAYYjaHR0cDovL2lwYS1jYS50ZXN0cmVsbS50ZXN0L2NhL29jc3AwDQYJKoZIhvcNAQELBQADggEBAESKNzupNpNeKUaxPR11gorcQchuOBrZ23WBmMlnIgKw8TUB4k1CoQU6UvQ+66EsesdlF2N7Y5imkjTu0+HBvPHqKhs/xLWQg41WvE4gBLIP55UxTe48pjdeY5ewDXiEEXqM0lFYEfNKsc9lMJdswbnixsu00hDF7NhSE6bhbNv4+eehgnJVaSDhHkUnheJG0cmrZRssqDcldsMn+tNUVsRRwX2y9cdaplGU9dQLWf/iwAF3J8vReigSr5xF0VM6Oo/q56djahIEP4ILYPUV1cINvmiH/x9FWFXb54G1C8scQ/ttno5pt9zPUsGJB4B8DPnulH3dEhzELijwQGit7bQ=
  Certificate chain: MIIDkTCCAnmgAwIBAgIBATANBgkqhkiG9w0BAQsFADA4MRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTcwNTI5MTAzNDUzWhcNMzcwNTI5MTAzNDUzWjA4MRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3kKtrV5MchW/Be3OxjiS5A4l1b7YeuFi4LIQZE83EoQ9oDxLoox/w/WeRtmzY0EotMYbHliZIdLI26pM/5ZUlbFKu7P5lnpVx5QNqcuav4TO0m9yrguVdNuCRW1mLPOVM+WGgHbSMnL0YhzTw2jKmwQ9htK3nZRr89TU7SrVQh7HGbQkenuUSoDj7TcrEBoxZtimpZfCLJBqTtZRJJDXjN0TX5KUXwHwgBp267LMqvTuGCONtNKZKbGu1+5L8sGoBwr/joGO4OlY/jtv1Qes5JDNjWLmafiyV02cL3tiEHFH4X6h7x/BYk/xRDe/OhmMRSrBUFELfc9lVTarTzd8XAgMBAAGjgaUwgaIwHwYDVR0jBBgwFoAUGFljoBH1xWw0THDBGKW2j8pgNE4wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAcYwHQYDVR0OBBYEFBhZY6AR9cVsNExwwRilto/KYDROMD8GCCsGAQUFBwEBBDMwMTAvBggrBgEFBQcwAYYjaHR0cDovL2lwYS1jYS50ZXN0cmVsbS50ZXN0L2NhL29jc3AwDQYJKoZIhvcNAQELBQADggEBAESKNzupNpNeKUaxPR11gorcQchuOBrZ23WBmMlnIgKw8TUB4k1CoQU6UvQ+66EsesdlF2N7Y5imkjTu0+HBvPHqKhs/xLWQg41WvE4gBLIP55UxTe48pjdeY5ewDXiEEXqM0lFYEfNKsc9lMJdswbnixsu00hDF7NhSE6bhbNv4+eehgnJVaSDhHkUnheJG0cmrZRssqDcldsMn+tNUVsRRwX2y9cdaplGU9dQLWf/iwAF3J8vReigSr5xF0VM6Oo/q56djahIEP4ILYPUV1cINvmiH/x9FWFXb54G1C8scQ/ttno5pt9zPUsGJB4B8DPnulH3dEhzELijwQGit7bQ=
[root@hp-dl380pgen8-02-vm-10 ~]#
Comment 8 errata-xmlrpc 2017-08-01 09:39:54 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304
Note You need to log in before you can comment on or make changes to this bug.