Bug 1399190 - [RFE] Certificates issued by externally signed IdM CA should contain full trust chain
Summary: [RFE] Certificates issued by externally signed IdM CA should contain full tru...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: All
OS: All
medium
medium
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Michal Reznik
URL:
Whiteboard:
Depends On:
Blocks: 1420851
TreeView+ depends on / blocked
 
Reported: 2016-11-28 14:09 UTC by Thorsten Scherf
Modified: 2017-08-01 09:44 UTC (History)
8 users (show)

Fixed In Version: ipa-4.5.0-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 09:44:33 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2304 normal SHIPPED_LIVE ipa bug fix and enhancement update 2017-08-01 12:41:35 UTC

Description Thorsten Scherf 2016-11-28 14:09:41 UTC
Description of problem:
When you have your IdM PKI CA certificate signed by an external CA, the
IdM CA certificate contains the full certificate chain. To verify the 
full chain, only the Root CA certificate is required.

When you now request a new service certificate from the IdM CA, it only
contains the actual service certificate and not the full chain. The IPA
CA certificate has to be used as a trust anchor to verify the new
service certificate.

People now need to have the Root CA *and* the IPA CA certificate in
their trust store to verify the chain. 

We should either include the full trust chain into certificates issued 
by the IPA CA by default or provide a config option for this so that
IPA admins can decide on their own if they wanna trust the upstream CA
for all sort of certificates.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 2 Thorsten Scherf 2016-11-28 15:24:44 UTC
Workaround to roll-out the IPA CA certificate using a GPO (on Windows clients):

https://technet.microsoft.com/de-de/library/cc770315(v=ws.10).aspx

Comment 3 Martin Kosek 2016-11-29 11:38:56 UTC
Currently proposed user story for this enhancements:

As Administrator, I want a to get a certificate issued by IdM CA with it's full certificate chain, so that my (web) service can present the full chain to it's clients and be trusted even if clients are trusting a CA upper in the chain and not IdM CA directly.

This should result on a new option for certificate-request and cert-show commands to return the certificate with it's full chain.

Comments/validation welcome.

Comment 4 Thorsten Scherf 2016-11-29 13:37:11 UTC
(In reply to Martin Kosek from comment #3)
> Currently proposed user story for this enhancements:
> 
> As Administrator, I want a to get a certificate issued by IdM CA with it's
> full certificate chain, so that my (web) service can present the full chain
> to it's clients and be trusted even if clients are trusting a CA upper in
> the chain and not IdM CA directly.
> 
[...]
> Comments/validation welcome.

Sounds exactly right.

Comment 5 Petr Vobornik 2016-12-09 17:10:23 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6547

Comment 6 Martin Kosek 2016-12-12 15:59:31 UTC
This looks also related:
https://fedorahosted.org/freeipa/ticket/6178

Comment 15 Michal Reznik 2017-05-24 12:15:12 UTC
Verified on:

ipa-server-4.5.0-13.el7.x86_64
pki-server-10.4.1-4.el7.noarch
selinux-policy-3.13.1-151.el7.noarch

1. Get CSR from ipa installer

[root@master ~]# ipa-server-install -r TESTRELM.TEST -n testrelm.test -p 'XXX' -a 'XXX' --setup-dns --forwarder 192.168.222.1 --external-ca -U
<snip>
  [6/10]: creating a keytab for the machine
  [7/10]: adding the password extension to the directory
  [8/10]: creating anonymous principal
  [9/10]: starting the KDC
  [10/10]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin 
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/8]: configuring certificate server instance
The next step is to get /root/ipa.csr signed by your CA and re-run /usr/sbin/ipa-server-install as:
/usr/sbin/ipa-server-install --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate


2. Sign it with external CA

[root@master ~]# openssl x509 -req -in ipa.csr -CA nssdb/ca1.pem -CAkey nssdb/ca1.key -CAcreateserial -extfile ext.cnf -out ipa.pem
Signature ok
subject=/O=TESTRELM.TEST/CN=Certificate Authority
Getting CA Private Key


3. Complete the installation

[root@master ~]# ipa-server-install --external-cert-file=/root/ipa.pem --external-cert-file=/root/ca1.pem
<snip>
  [5/7]: adding DNSSEC containers
  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
Configuring client side components
Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: master.testrelm.test
Realm: TESTRELM.TEST
DNS Domain: testrelm.test
IPA Server: master.testrelm.test
BaseDN: dc=testrelm,dc=test

Skipping synchronizing time with NTP server.
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
trying https://master.testrelm.test/ipa/json
Forwarding 'schema' to json server 'https://master.testrelm.test/ipa/json'
trying https://master.testrelm.test/ipa/session/json
Forwarding 'ping' to json server 'https://master.testrelm.test/ipa/session/json'
Forwarding 'ca_is_enabled' to json server 'https://master.testrelm.test/ipa/session/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://master.testrelm.test/ipa/session/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring testrelm.test as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

==============================================================================
Setup complete

Next steps:
 1. You must make sure these network ports are open:
  TCP Ports:
    * 80, 443: HTTP/HTTPS
    * 389, 636: LDAP/LDAPS
    * 88, 464: kerberos
    * 53: bind
  UDP Ports:
    * 88, 464: kerberos
    * 53: bind
    * 123: ntp

 2. You can now obtain a kerberos ticket using the command: 'kinit admin'
    This ticket will allow you to use the IPA tools (e.g., ipa user-add)
    and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password


4. Check if we have full CA chain.

[root@master ~]# ipa cert-show --chain
Serial number: 10
  Issuing CA: ipa
  Certificate: MIIEnTCCA4WgAwIBAgIBCjANBgkqhkiG9w0BAQsFADA4MRYwFAYDVQQKEw1URVNUUkVMTS5URVNUMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTcwNTI0MDk1MjEyWhcNMTcwNjIzMDk0NjM3WjA4MRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMR4wHAYDVQQDDBVtYXN0ZXIyLnRlc3RyZWxtLnRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvB9Fmg8PX1mHqcZseMmx431leVNwT6xRbQjDOEapz5/fA+LynDqBAGPEumc/+hbKONgg7o+gmKUx2Miqncx9ki4B3kkrbmvKTyiU73hM1iws477suP55/P30TG8WEEjoB81aq2alkyz9o9SvJWh4rxKjOMRf+7a+mpn9HVCdHPS84ngHFOcPuE5rpQmi5fJCpjTqYnbjvmQT4i8lc6GkWVgW1Wr1NhkbsskJp9OwzQMIIkKpUSYmI7wD762J7OiZrWE89go1uinAsujx2w8sdp5tAJsJDfFHgSee5rbNPhT3tkgc8ixbJxbvE4uD0scthiG8LLn5ZBZB0zRcbhFxDAgMBAAGjggGwMIIBrDAfBgNVHSMEGDAWgBS2Q3vKzeAdsETr9CLNZZiKLg8rqzA/BggrBgEFBQcBAQQzMDEwLwYIKwYBBQUHMAGGI2h0dHA6Ly9pcGEtY2EudGVzdHJlbG0udGVzdC9jYS9vY3NwMA4GA1UdDwEB/wQEAwIE8DAcBgNVHSUEFTATBggrBgEFBQcDAQYHKwYBBQIDBTB4BgNVHR8EcTBvMG2gNaAzhjFodHRwOi8vaXBhLWNhLnRlc3RyZWxtLnRlc3QvaXBhL2NybC9NYXN0ZXJDUkwuYmluojSkMjAwMQ4wDAYDVQQKDAVpcGFjYTEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB0GA1UdDgQWBBQx5IekMAzEgcmQKOWku1r1Z3sMTDCBgAYDVR0RBHkwd6AyBgorBgEEAYI3FAIDoCQMImtyYnRndC9URVNUUkVMTS5URVNUQFRFU1RSRUxNLlRFU1SgQQYGKwYBBQICoDcwNaAPGw1URVNUUkVMTS5URVNUoSIwIKADAgEBoRkwFxsGa3JidGd0Gw1URVNUUkVMTS5URVNUMA0GCSqGSIb3DQEBCwUAA4IBAQCPukrunWzSy2nqI7DBYU93zFEosVk9KqXcnO6sdH0+NI454/bOrMUAYLCXqMGff77QLicJdisHJyMgXx6JS/JfSlFIB9u9sidEQ8Fy5Q2geZoZ5/hXmCPRCKpuDKZ2tOATyK1A8Pt4a2k3KvKOfdQIwPXhScx5qvFI65U3f3VL9KQRtDG9oeDfkGyi7+VvgkbxKkalGKvPuhghgsY3ZJxz2j0Fv2pbeDMR1fFVAHf+lDOoumnf/HUbR0+51D9ZH+qN7BLQ7R97p8BIBVq4brkxCH0TBhgDJpNQEcwejdyEJ9W2u9i/NvyTZgja+OUz4KAnFytBi9+YkRg5JgqL+OP8
  Certificate chain: MIIEnTCCA4WgAwIBAgIBCjANBgkqhkiG9w0BAQsFADA4MRYwFAYDVQQKEw1URVNUUkVMTS5URVNUMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTcwNTI0MDk1MjEyWhcNMTcwNjIzMDk0NjM3WjA4MRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMR4wHAYDVQQDDBVtYXN0ZXIyLnRlc3RyZWxtLnRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvB9Fmg8PX1mHqcZseMmx431leVNwT6xRbQjDOEapz5/fA+LynDqBAGPEumc/+hbKONgg7o+gmKUx2Miqncx9ki4B3kkrbmvKTyiU73hM1iws477suP55/P30TG8WEEjoB81aq2alkyz9o9SvJWh4rxKjOMRf+7a+mpn9HVCdHPS84ngHFOcPuE5rpQmi5fJCpjTqYnbjvmQT4i8lc6GkWVgW1Wr1NhkbsskJp9OwzQMIIkKpUSYmI7wD762J7OiZrWE89go1uinAsujx2w8sdp5tAJsJDfFHgSee5rbNPhT3tkgc8ixbJxbvE4uD0scthiG8LLn5ZBZB0zRcbhFxDAgMBAAGjggGwMIIBrDAfBgNVHSMEGDAWgBS2Q3vKzeAdsETr9CLNZZiKLg8rqzA/BggrBgEFBQcBAQQzMDEwLwYIKwYBBQUHMAGGI2h0dHA6Ly9pcGEtY2EudGVzdHJlbG0udGVzdC9jYS9vY3NwMA4GA1UdDwEB/wQEAwIE8DAcBgNVHSUEFTATBggrBgEFBQcDAQYHKwYBBQIDBTB4BgNVHR8EcTBvMG2gNaAzhjFodHRwOi8vaXBhLWNhLnRlc3RyZWxtLnRlc3QvaXBhL2NybC9NYXN0ZXJDUkwuYmluojSkMjAwMQ4wDAYDVQQKDAVpcGFjYTEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB0GA1UdDgQWBBQx5IekMAzEgcmQKOWku1r1Z3sMTDCBgAYDVR0RBHkwd6AyBgorBgEEAYI3FAIDoCQMImtyYnRndC9URVNUUkVMTS5URVNUQFRFU1RSRUxNLlRFU1SgQQYGKwYBBQICoDcwNaAPGw1URVNUUkVMTS5URVNUoSIwIKADAgEBoRkwFxsGa3JidGd0Gw1URVNUUkVMTS5URVNUMA0GCSqGSIb3DQEBCwUAA4IBAQCPukrunWzSy2nqI7DBYU93zFEosVk9KqXcnO6sdH0+NI454/bOrMUAYLCXqMGff77QLicJdisHJyMgXx6JS/JfSlFIB9u9sidEQ8Fy5Q2geZoZ5/hXmCPRCKpuDKZ2tOATyK1A8Pt4a2k3KvKOfdQIwPXhScx5qvFI65U3f3VL9KQRtDG9oeDfkGyi7+VvgkbxKkalGKvPuhghgsY3ZJxz2j0Fv2pbeDMR1fFVAHf+lDOoumnf/HUbR0+51D9ZH+qN7BLQ7R97p8BIBVq4brkxCH0TBhgDJpNQEcwejdyEJ9W2u9i/NvyTZgja+OUz4KAnFytBi9+YkRg5JgqL+OP8,
                     MIIC9zCCAd+gAwIBAgIJAOttvnOHqPYVMA0GCSqGSIb3DQEBCwUAMCwxHTAbBgNVBAoTFEV4YW1wbGUgT3JnYW5pemF0aW9uMQswCQYDVQQDEwJDQTAeFw0xNzA1MjQwOTQ2MzdaFw0xNzA2MjMwOTQ2MzdaMDgxFjAUBgNVBAoTDVRFU1RSRUxNLlRFU1QxHjAcBgNVBAMTFUNlcnRpZmljYXRlIEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMQUn+LsMg3/TCEfH9R6HrgdqEpCt4ZO6xWQ1Yju9/r0qRoz9rNvBmR4dPcMSjvDjqRJg+0SvvC7ZDM5VVTnAClHB1VwVC6DHYdjNBFEPeeMUg553EKKHd38A3k4mKfMIIP1VxEMXAKLWbExNA2YreEqGUbGY4aFN13Iwk7ae2vgPkKyD2QliLqTQfhIg2YO1MazEnhYCxhteQyUjKorFTcECmG1MD3aaVO8rWBKRkT5J4J0SsTve03UkrxAccTHa+oASuMM5JDYORKEo5lemg3gROgjdAIWKGGiQN4gGKdEfHZ6ewTZU9PibdXV4DtbsiWZ3n2gFoFIPpQesyaUeckCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAd1zNr9zPU8QRhz7D5U6ucnvK4HVhP47AhGIg7c9Apb+4jE/rQwCmKEpn2hwP/kVH0IWacqr3GoU+Xn2YxmsvN7AjT6OBJ8UZkVn/P/+DUZ5MH119b805QPnRNWYB1/9IhyLwMgUvFHZoWHTakw+D9noiyoRrkw0GB68M7qu6ARDhhi0c04M9QlRFj7Liyjkl2xVNAFiGJ84utDz498BYIpYhBxJBlGLo6LVS3j4LBzqxBKqQYezm4qDtHjjl1z+asxtiRz21cPwZP8+JHPzGeDgZqkukclETq6A46uEh2eT4wP5PNEIMQTO9n1dCQfRkQ06xFGdcgyWjGJ0FLn/GeQ==,
                     MIIDIjCCAgqgAwIBAgIBATANBgkqhkiG9w0BAQsFADAsMR0wGwYDVQQKExRFeGFtcGxlIE9yZ2FuaXphdGlvbjELMAkGA1UEAxMCQ0EwHhcNMTcwNTI0MDg0MjU0WhcNMjcwNTI0MDg0MjU0WjAsMR0wGwYDVQQKExRFeGFtcGxlIE9yZ2FuaXphdGlvbjELMAkGA1UEAxMCQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDj+HUUHB9CC0ut7rrapvsqKrMxNSOuN+0ooOzKfwSD7hJbvqPrNzgcmJBVEBy2IXu1ju4UzFEUSv/0M+B7+W60Tp2uWxYWQNpa3ngiAonvQrrUrvmrw2enYWWIWd2Ik9hkk7eRE/9L2qxBY8KNRIsSiwQYO9+X5TUd+vdEg/yeJcUjmFxTdqFU/djtjxAO4tEsFhDT7TggaUYh/cuCF7oeH2Q6kIGY4mGjIZY7fOiR75KWKayopOpVJRyNQ/eDR0aJva7jXgg0XAEgWJRMKnuonsWGQDnU1pey9sl/ZIB0sK7Z43ASUjpLXALEHWh17S2Iaukus5258M7QVPVZ9IWzAgMBAAGjTzBNMA4GA1UdDwEB/wQEAwIBxjAPBgNVHRMBAf8EBTADAQH/MCoGA1UdHwQjMCEwH6AdoBuGGWZpbGU6Ly8vdG1wL25zc2RiL2NhMS5jcmwwDQYJKoZIhvcNAQELBQADggEBABo1E/mFksbwVVuBuEawm5scswMQwieKyUpihxIU4ozghuG2cCvW/9rbqzlebU445YDQsCriJv+p3a0+Y8S4QRQc1FaPYB843rW9b0Q97cc+iL3V/opEfr0yjZX2hEwvRSzXm94zHW/oQ9J/7+V/mLogV0j4TkFuBMsXw9AQiQ2Ie4K5oY42dtYVlgdJ9JU5ptwv/FWPFbEuzu7ARLeK35GVpljmNKj1Ef1gE4WYo6C1D3CC/ybDZnYJI6E4eiUktQ496FU4f4J0fA+HUwCgD04ylo2keEj4n0d1bT8pmRFWhM3PRAO8q6JLoUaZf3xCcodSQ6k0J/yVt0BhQeiFiZ8=
  Subject: CN=master.testrelm.test,O=TESTRELM.TEST
  Subject UPN: krbtgt/TESTRELM.TEST@TESTRELM.TEST
  Subject Kerberos principal name: krbtgt/TESTRELM.TEST@TESTRELM.TEST
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Wed May 24 09:52:12 2017 UTC
  Not After: Fri Jun 23 09:46:37 2017 UTC
  Serial number: 10
  Serial number (hex): 0xA
  Revoked: False


5. Check if we have full CA chain in new service certificate.

[root@master ~]# openssl genrsa -out tester.key 2048
Generating RSA private key, 2048 bit long modulus
...................................................+++
..........................+++
e is 65537 (0x10001)

[root@master ~]# openssl req -new -sha256 -key tester.key -out tester.csr
<snip>
Common Name (eg, your name or your server's hostname) []:tester.testrelm.test
<snip>

[root@master ~]# ipa host-add tester.testrelm.test --force
---------------------------------
Added host "tester.testrelm.test"
---------------------------------
  Host name: tester.testrelm.test
  Principal name: host/tester.testrelm.test@TESTRELM.TEST
  Principal alias: host/tester.testrelm.test@TESTRELM.TEST
  Password: False
  Keytab: False
  Managed by: tester.testrelm.test

[root@master ~]# ipa cert-request --add --principal=HTTP/tester.testrelm.test tester.csr
  Issuing CA: ipa
  Certificate: MIIEGjCCAwKgAwIBAgIBCzANBgkqhkiG9w0BAQsFADA4MRYwFAYDVQQKEw1URVNUUkVMTS5URVNUMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTcwNTI0MTAzNTQyWhcNMTcwNjIzMDk0NjM3WjA3MRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMR0wGwYDVQQDDBR0ZXN0ZXIudGVzdHJlbG0udGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKqIhFF9ny0iczfD8UeZEE8IKxqi1l6l0oLes4WmA/Qofd893dk2kWbdc92t7+W2t9IKSTqXfnqwuoJp8JQN/wyEkYBD+JaLfq8THUs8F36/AqnTsAUDDaVvPdfCe8Kc+Npivr655h7h95lyQ/EbI58gj1u1IV9AYzu9+i1hwvkcSyjbrREqWH7D9UZZKwiVb0vVwkpUirr5LkKUuzQl2oNHTfUrJboggn2yHhBBm9GHHh1VuIVHscWk/W0sKEhK4KzsS7BV789ZUu/IKi8Vv48/LHMZUdHoj+WnSev9nVPEryepXqHvTopQOtVZNHhhYjqBZp8vyDn9+QlSGP5tWpECAwEAAaOCAS4wggEqMB8GA1UdIwQYMBaAFLZDe8rN4B2wROv0Is1lmIouDyurMD8GCCsGAQUFBwEBBDMwMTAvBggrBgEFBQcwAYYjaHR0cDovL2lwYS1jYS50ZXN0cmVsbS50ZXN0L2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB4BgNVHR8EcTBvMG2gNaAzhjFodHRwOi8vaXBhLWNhLnRlc3RyZWxtLnRlc3QvaXBhL2NybC9NYXN0ZXJDUkwuYmluojSkMjAwMQ4wDAYDVQQKDAVpcGFjYTEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB0GA1UdDgQWBBQm5VMR5Rz5nazYJORSiKUehjAyXjANBgkqhkiG9w0BAQsFAAOCAQEARIFqKfwQQnb1+E7aUcG4DhFm0M4q0k4HY+nBa74JLzGxrlISDaXt9ddsHvkt237f+dF3+azQMJ+VL734N/1AMzNbihqegfVDmTOO3SuS1u97TfyNTOL/mD+ZHcmyWoUdI4f2AH7v1eyxV9IWPqFsuKXcqnqPMgM90DPBC27vMyT7lHHwezdChGAUny5/bXSBcNCV0NN+RJpbI7v4UKUuyF/oOw2RTozyCG+1WjPlitnxoPB5piGdcMigRMGaRVui4eSmz2ocO8TaO2QysXjx6QZH7yam+sZ4RA/h4jfRsSReO7qg7JabemYjbCaK6kkdx/AmOM79AcgCUHlV2htzqA==
  Subject: CN=tester.testrelm.test,O=TESTRELM.TEST
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Wed May 24 10:35:42 2017 UTC
  Not After: Fri Jun 23 09:46:37 2017 UTC
  Serial number: 11
  Serial number (hex): 0xB

[root@master ~]# ipa cert-show --all
Serial number: 11
  Issuing CA: ipa
  Certificate: MIIEGjCCAwKgAwIBAgIBCzANBgkqhkiG9w0BAQsFADA4MRYwFAYDVQQKEw1URVNUUkVMTS5URVNUMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTcwNTI0MTAzNTQyWhcNMTcwNjIzMDk0NjM3WjA3MRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMR0wGwYDVQQDDBR0ZXN0ZXIudGVzdHJlbG0udGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKqIhFF9ny0iczfD8UeZEE8IKxqi1l6l0oLes4WmA/Qofd893dk2kWbdc92t7+W2t9IKSTqXfnqwuoJp8JQN/wyEkYBD+JaLfq8THUs8F36/AqnTsAUDDaVvPdfCe8Kc+Npivr655h7h95lyQ/EbI58gj1u1IV9AYzu9+i1hwvkcSyjbrREqWH7D9UZZKwiVb0vVwkpUirr5LkKUuzQl2oNHTfUrJboggn2yHhBBm9GHHh1VuIVHscWk/W0sKEhK4KzsS7BV789ZUu/IKi8Vv48/LHMZUdHoj+WnSev9nVPEryepXqHvTopQOtVZNHhhYjqBZp8vyDn9+QlSGP5tWpECAwEAAaOCAS4wggEqMB8GA1UdIwQYMBaAFLZDe8rN4B2wROv0Is1lmIouDyurMD8GCCsGAQUFBwEBBDMwMTAvBggrBgEFBQcwAYYjaHR0cDovL2lwYS1jYS50ZXN0cmVsbS50ZXN0L2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB4BgNVHR8EcTBvMG2gNaAzhjFodHRwOi8vaXBhLWNhLnRlc3RyZWxtLnRlc3QvaXBhL2NybC9NYXN0ZXJDUkwuYmluojSkMjAwMQ4wDAYDVQQKDAVpcGFjYTEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB0GA1UdDgQWBBQm5VMR5Rz5nazYJORSiKUehjAyXjANBgkqhkiG9w0BAQsFAAOCAQEARIFqKfwQQnb1+E7aUcG4DhFm0M4q0k4HY+nBa74JLzGxrlISDaXt9ddsHvkt237f+dF3+azQMJ+VL734N/1AMzNbihqegfVDmTOO3SuS1u97TfyNTOL/mD+ZHcmyWoUdI4f2AH7v1eyxV9IWPqFsuKXcqnqPMgM90DPBC27vMyT7lHHwezdChGAUny5/bXSBcNCV0NN+RJpbI7v4UKUuyF/oOw2RTozyCG+1WjPlitnxoPB5piGdcMigRMGaRVui4eSmz2ocO8TaO2QysXjx6QZH7yam+sZ4RA/h4jfRsSReO7qg7JabemYjbCaK6kkdx/AmOM79AcgCUHlV2htzqA==
  Certificate chain: MIIEGjCCAwKgAwIBAgIBCzANBgkqhkiG9w0BAQsFADA4MRYwFAYDVQQKEw1URVNUUkVMTS5URVNUMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTcwNTI0MTAzNTQyWhcNMTcwNjIzMDk0NjM3WjA3MRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMR0wGwYDVQQDDBR0ZXN0ZXIudGVzdHJlbG0udGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKqIhFF9ny0iczfD8UeZEE8IKxqi1l6l0oLes4WmA/Qofd893dk2kWbdc92t7+W2t9IKSTqXfnqwuoJp8JQN/wyEkYBD+JaLfq8THUs8F36/AqnTsAUDDaVvPdfCe8Kc+Npivr655h7h95lyQ/EbI58gj1u1IV9AYzu9+i1hwvkcSyjbrREqWH7D9UZZKwiVb0vVwkpUirr5LkKUuzQl2oNHTfUrJboggn2yHhBBm9GHHh1VuIVHscWk/W0sKEhK4KzsS7BV789ZUu/IKi8Vv48/LHMZUdHoj+WnSev9nVPEryepXqHvTopQOtVZNHhhYjqBZp8vyDn9+QlSGP5tWpECAwEAAaOCAS4wggEqMB8GA1UdIwQYMBaAFLZDe8rN4B2wROv0Is1lmIouDyurMD8GCCsGAQUFBwEBBDMwMTAvBggrBgEFBQcwAYYjaHR0cDovL2lwYS1jYS50ZXN0cmVsbS50ZXN0L2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB4BgNVHR8EcTBvMG2gNaAzhjFodHRwOi8vaXBhLWNhLnRlc3RyZWxtLnRlc3QvaXBhL2NybC9NYXN0ZXJDUkwuYmluojSkMjAwMQ4wDAYDVQQKDAVpcGFjYTEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB0GA1UdDgQWBBQm5VMR5Rz5nazYJORSiKUehjAyXjANBgkqhkiG9w0BAQsFAAOCAQEARIFqKfwQQnb1+E7aUcG4DhFm0M4q0k4HY+nBa74JLzGxrlISDaXt9ddsHvkt237f+dF3+azQMJ+VL734N/1AMzNbihqegfVDmTOO3SuS1u97TfyNTOL/mD+ZHcmyWoUdI4f2AH7v1eyxV9IWPqFsuKXcqnqPMgM90DPBC27vMyT7lHHwezdChGAUny5/bXSBcNCV0NN+RJpbI7v4UKUuyF/oOw2RTozyCG+1WjPlitnxoPB5piGdcMigRMGaRVui4eSmz2ocO8TaO2QysXjx6QZH7yam+sZ4RA/h4jfRsSReO7qg7JabemYjbCaK6kkdx/AmOM79AcgCUHlV2htzqA==,
                     MIIC9zCCAd+gAwIBAgIJAOttvnOHqPYVMA0GCSqGSIb3DQEBCwUAMCwxHTAbBgNVBAoTFEV4YW1wbGUgT3JnYW5pemF0aW9uMQswCQYDVQQDEwJDQTAeFw0xNzA1MjQwOTQ2MzdaFw0xNzA2MjMwOTQ2MzdaMDgxFjAUBgNVBAoTDVRFU1RSRUxNLlRFU1QxHjAcBgNVBAMTFUNlcnRpZmljYXRlIEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMQUn+LsMg3/TCEfH9R6HrgdqEpCt4ZO6xWQ1Yju9/r0qRoz9rNvBmR4dPcMSjvDjqRJg+0SvvC7ZDM5VVTnAClHB1VwVC6DHYdjNBFEPeeMUg553EKKHd38A3k4mKfMIIP1VxEMXAKLWbExNA2YreEqGUbGY4aFN13Iwk7ae2vgPkKyD2QliLqTQfhIg2YO1MazEnhYCxhteQyUjKorFTcECmG1MD3aaVO8rWBKRkT5J4J0SsTve03UkrxAccTHa+oASuMM5JDYORKEo5lemg3gROgjdAIWKGGiQN4gGKdEfHZ6ewTZU9PibdXV4DtbsiWZ3n2gFoFIPpQesyaUeckCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAd1zNr9zPU8QRhz7D5U6ucnvK4HVhP47AhGIg7c9Apb+4jE/rQwCmKEpn2hwP/kVH0IWacqr3GoU+Xn2YxmsvN7AjT6OBJ8UZkVn/P/+DUZ5MH119b805QPnRNWYB1/9IhyLwMgUvFHZoWHTakw+D9noiyoRrkw0GB68M7qu6ARDhhi0c04M9QlRFj7Liyjkl2xVNAFiGJ84utDz498BYIpYhBxJBlGLo6LVS3j4LBzqxBKqQYezm4qDtHjjl1z+asxtiRz21cPwZP8+JHPzGeDgZqkukclETq6A46uEh2eT4wP5PNEIMQTO9n1dCQfRkQ06xFGdcgyWjGJ0FLn/GeQ==,
                     MIIDIjCCAgqgAwIBAgIBATANBgkqhkiG9w0BAQsFADAsMR0wGwYDVQQKExRFeGFtcGxlIE9yZ2FuaXphdGlvbjELMAkGA1UEAxMCQ0EwHhcNMTcwNTI0MDg0MjU0WhcNMjcwNTI0MDg0MjU0WjAsMR0wGwYDVQQKExRFeGFtcGxlIE9yZ2FuaXphdGlvbjELMAkGA1UEAxMCQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDj+HUUHB9CC0ut7rrapvsqKrMxNSOuN+0ooOzKfwSD7hJbvqPrNzgcmJBVEBy2IXu1ju4UzFEUSv/0M+B7+W60Tp2uWxYWQNpa3ngiAonvQrrUrvmrw2enYWWIWd2Ik9hkk7eRE/9L2qxBY8KNRIsSiwQYO9+X5TUd+vdEg/yeJcUjmFxTdqFU/djtjxAO4tEsFhDT7TggaUYh/cuCF7oeH2Q6kIGY4mGjIZY7fOiR75KWKayopOpVJRyNQ/eDR0aJva7jXgg0XAEgWJRMKnuonsWGQDnU1pey9sl/ZIB0sK7Z43ASUjpLXALEHWh17S2Iaukus5258M7QVPVZ9IWzAgMBAAGjTzBNMA4GA1UdDwEB/wQEAwIBxjAPBgNVHRMBAf8EBTADAQH/MCoGA1UdHwQjMCEwH6AdoBuGGWZpbGU6Ly8vdG1wL25zc2RiL2NhMS5jcmwwDQYJKoZIhvcNAQELBQADggEBABo1E/mFksbwVVuBuEawm5scswMQwieKyUpihxIU4ozghuG2cCvW/9rbqzlebU445YDQsCriJv+p3a0+Y8S4QRQc1FaPYB843rW9b0Q97cc+iL3V/opEfr0yjZX2hEwvRSzXm94zHW/oQ9J/7+V/mLogV0j4TkFuBMsXw9AQiQ2Ie4K5oY42dtYVlgdJ9JU5ptwv/FWPFbEuzu7ARLeK35GVpljmNKj1Ef1gE4WYo6C1D3CC/ybDZnYJI6E4eiUktQ496FU4f4J0fA+HUwCgD04ylo2keEj4n0d1bT8pmRFWhM3PRAO8q6JLoUaZf3xCcodSQ6k0J/yVt0BhQeiFiZ8=
  Subject: CN=tester.testrelm.test,O=TESTRELM.TEST
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Wed May 24 10:35:42 2017 UTC
  Not After: Fri Jun 23 09:46:37 2017 UTC
  Fingerprint (SHA1): 2c:4e:cf:fd:03:a0:44:09:e7:3d:f9:31:03:c0:ef:55:c5:e8:93:fd
  Fingerprint (SHA256): 4d:57:1c:2d:ce:cc:cd:a4:aa:5e:da:c6:2e:0b:59:6b:62:f1:31:3b:e3:a3:a1:86:d2:99:ff:f8:d5:0c:d7:8d
  Serial number: 11
  Serial number (hex): 0xB
  Revoked: False
  Owner service: HTTP/tester.testrelm.test@TESTRELM.TEST

Comment 16 Martin Kosek 2017-05-26 09:40:39 UTC
Please note that Red Hat officially released public RHEL-7.4 Beta this week, as announced here:
https://www.redhat.com/en/about/blog/red-hat-enterprise-linux-74-beta-now-available

The new RHEL-7.4 release includes a lot of new IdM functionality, including this RFE. Highlights can be found in RHEL-7.4 Release Notes, especially in the Authentication & Interoperability chapter:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html/7.4_Release_Notes/new_features_authentication_and_interoperability.html

IdM Engineering team would like to encourage everyone interested in this new functionality (and especially customers or community members requesting it) to try Beta and provide us with your feedback!

Comment 17 errata-xmlrpc 2017-08-01 09:44:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304


Note You need to log in before you can comment on or make changes to this bug.