Bug 1506526 - Use X509v3 Basic Constraints "CA:TRUE" instead of "CA:FALSE" IPA CA CSR [rhel-7.4.z]
Summary: Use X509v3 Basic Constraints "CA:TRUE" instead of "CA:FALSE" IPA CA CSR [rhel-7.4.z]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On: 1427798
Blocks:
Reported: 2017-10-26 09:35 UTC by Oneata Mircea Teodor
Modified: 2017-11-30 16:01 UTC

Fixed In Version: ipa-4.5.0-22.el7_4
Doc Type: If docs needed, set a value
Doc Text:
Cause: ipa-cacert-manage renew --external-ca generates a CSR that does not contain the Basic Constraint CA:TRUE.
Consequence: the signing CA needs to add the constraint to the CA certificate it issues; otherwise the resulting CA certificate will be invalid.
Fix: the Basic Constraint CA:TRUE is added to CSRs generated for the CA.
Result: the resulting CSR has appropriate constraints for a CA certificate.
Clone Of: 1427798
Environment:
Last Closed: 2017-11-30 16:01:44 UTC
Target Upstream Version:




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:3319 normal SHIPPED_LIVE ipa bug fix update 2017-11-30 20:18:30 UTC

Description Oneata Mircea Teodor 2017-10-26 09:35:58 UTC
This bug has been copied from bug #1427798 and has been proposed to be backported to 7.4 z-stream (EUS).

Comment 2 Petr Vobornik 2017-10-27 15:40:52 UTC
4.5 backport: https://github.com/freeipa/freeipa/pull/1217

Comment 4 Mohammad Rizwan 2017-11-02 09:14:19 UTC
version:
ipa-server-4.5.0-22.el7_4.x86_64

steps:

1. Install master with selfsigned CA

2. Generate a csr to be signed by external CA 
       - ipa-cacert-manage renew --external-ca

3. Check for CA value in csr generated in 2
       - openssl req -in /var/lib/ipa/ca.csr -noout -text|grep CA

4. Sign the csr generated in 2 by external CA

5. Renew the CA with external CA cert and signed cert
       - ipa-cacert-manage renew --external-cert-file=/tmp/external.crt --external-cert-file=/tmp/ca_signing.crt

6. Check for CA value in signed cert and external cert

       - openssl x509 -in /tmp/external.crt -noout -text|grep CA
       - openssl x509 -in /tmp/ca_signing.crt -noout -text|grep CA

Expected result:
CA value should be TRUE

Actual result:

Master:

[root@master ~]# openssl req -in /var/lib/ipa/ca.csr -noout -text|grep CA
                CA:TRUE

[root@master ~]# openssl x509 -in /tmp/external.crt -noout -text|grep CA
        Issuer: O=EXTERNAL, CN=External CA
        Subject: O=EXTERNAL, CN=External CA
                87:1A:E8:60:0E:D6:0E:AF:E0:6A:A3:9B:BC:C5:16:2B:04:BF:72:CA
                CA:TRUE

[root@master ~]# openssl x509 -in /tmp/ca_signing.crt -noout -text|grep CA
        Issuer: O=EXTERNAL, CN=External CA
                5E:2D:24:D0:B9:DB:8A:18:D7:F0:D2:01:CA:74:E3:07:94:7F:5C:61
                keyid:87:1A:E8:60:0E:D6:0E:AF:E0:6A:A3:9B:BC:C5:16:2B:04:BF:72:CA
                CA:TRUE
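
The verification in comment 4 as a self-contained script, added here as an example and not part of the bug report or of FreeIPA: it assumes only an `openssl` binary on PATH, stands up a throwaway external CA in a temporary directory (the subjects, file names and config section names are constructed), and checks the Basic Constraints line itself rather than grepping for "CA", which also matches hex bytes in the key identifier lines of the output above. It also has the external CA sign the CSR once with and once without an extension file, because `openssl x509 -req` does not copy the extensions requested in a CSR: that is the "Consequence" in the Doc Text, where the signing CA must add CA:TRUE itself or the issued certificate is not a usable CA certificate.

```shell
#!/bin/sh
# Added example, not taken from the bug report: reproduce the check from
# comment 4 in a temporary directory with a throwaway "external" CA, and
# test the Basic Constraints extension itself instead of grepping for "CA".
# All subjects, file names and section names below are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config: a CA-capable extension profile and a non-CA one.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = placeholder

[ ca_true ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign

[ ca_false ]
basicConstraints = CA:FALSE
EOF

# has_ca_true MODE FILE: MODE is "req" (CSR) or "x509" (certificate).
# Succeeds only if the line after the Basic Constraints header says CA:TRUE,
# so hex bytes such as "...:72:CA" in key identifiers cannot match.
has_ca_true() {
    openssl "$1" -in "$2" -noout -text |
        awk '/X509v3 Basic Constraints/ { getline; if ($0 ~ /CA:TRUE/) found = 1 }
             END { exit found ? 0 : 1 }'
}

# Throwaway external CA (plays the role of /tmp/external.crt in comment 4).
openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
    -config "$WORK/openssl.cnf" -extensions ca_true \
    -subj "/O=EXTERNAL/CN=External CA" \
    -keyout "$WORK/external.key" -out "$WORK/external.crt" 2>/dev/null

# CSR as generated after the fix (CA:TRUE requested) and as before it (CA:FALSE).
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/openssl.cnf" \
    -reqexts ca_true -subj "/O=EXAMPLE/CN=Certificate Authority" \
    -keyout "$WORK/ca.key" -out "$WORK/ca_fixed.csr" 2>/dev/null
openssl req -new -key "$WORK/ca.key" -config "$WORK/openssl.cnf" \
    -reqexts ca_false -subj "/O=EXAMPLE/CN=Certificate Authority" \
    -out "$WORK/ca_old.csr" 2>/dev/null

# sign_csr CSR OUT [EXTSECTION]: the external CA issues a certificate.
# "openssl x509 -req" does not copy extensions requested in the CSR, so the
# issuing side must add Basic Constraints itself via -extfile/-extensions;
# without that the issued certificate carries no CA:TRUE at all.
sign_csr() {
    if [ $# -eq 3 ]; then
        openssl x509 -req -in "$1" -CA "$WORK/external.crt" -CAkey "$WORK/external.key" \
            -CAcreateserial -days 30 -extfile "$WORK/openssl.cnf" -extensions "$3" \
            -out "$2" 2>/dev/null
    else
        openssl x509 -req -in "$1" -CA "$WORK/external.crt" -CAkey "$WORK/external.key" \
            -CAcreateserial -days 30 -out "$2" 2>/dev/null
    fi
}

sign_csr "$WORK/ca_fixed.csr" "$WORK/ca_signing.crt" ca_true   # correct signing CA
sign_csr "$WORK/ca_fixed.csr" "$WORK/ca_noext.crt"             # signing CA forgot the constraint

# One line per artifact, so the script is useful on its own.
report() {
    if has_ca_true "$1" "$2"; then echo "CA:TRUE     $2"; else echo "no CA:TRUE  $2"; fi
}
report req  "$WORK/ca_fixed.csr"
report req  "$WORK/ca_old.csr"
report x509 "$WORK/external.crt"
report x509 "$WORK/ca_signing.crt"
report x509 "$WORK/ca_noext.crt"
```

Run it with `sh`; the fixed CSR, the external CA certificate and the certificate signed with the extension file report CA:TRUE, while the pre-fix CSR and the certificate signed without an extension file do not. The last case is the one to watch for in production: a CSR that requests CA:TRUE is necessary but not sufficient, and the certificate handed back by the external CA should be checked the same way before `ipa-cacert-manage renew --external-cert-file` is run.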

Comment 5 Mohammad Rizwan 2017-11-02 09:20:08 UTC
Marking as verified as per comment #4

Comment 9 errata-xmlrpc 2017-11-30 16:01:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:3319

