This bug has been copied from bug #1755223 and has been proposed to be backported to 7.7 z-stream (EUS).
The fix is confirmed. Verified on RHEL 7.7 [root@master]# cat /etc/redhat-release Red Hat Enterprise Linux Server release 7.7 (Maipo) [root@master]# rpm -q ipa-server 389-ds-base krb5-server selinux-policy ipa-server-4.6.5-11.el7_7.3.x86_64 389-ds-base-1.3.9.1-10.el7.x86_64 krb5-server-1.15.1-37.el7_7.2.x86_64 selinux-policy-3.13.1-252.el7.1.noarch 1. certutil -d . -L output before setting up the sub-CA on the master. [root@master alias]# hostname master.rhel77.test [root@master alias]# pwd /etc/pki/pki-tomcat/alias [root@master alias]# certutil -d . -L Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI caSigningCert cert-pki-ca CTu,Cu,Cu auditSigningCert cert-pki-ca u,u,Pu Server-Cert cert-pki-ca u,u,u ocspSigningCert cert-pki-ca u,u,u subsystemCert cert-pki-ca u,u,u 2. Setting up a replica with --setup-ca [root@replica ~]# ipa-replica-install --setup-ca -w Secret123 -n rhel77.test --server=master.rhel77.test -r RHEL77.TEST --hostname replica.rhel77.test Done. Finalize replication settings Restarting the KDC 3. Check the ipa-replica-manage list [root@master alias]# ipa-replica-manage list replica.rhel77.test: master master.rhel77.test: master 4. Setting up a sub-CA on the IPA master and checking the certutil output. 
[root@master alias]# ipa ca-add Name: subca Subject DN: CN=subca ------------------ Created CA "subca" ------------------ Name: subca Authority ID: cff68fa5-05a8-4d72-8f22-dff1f29135fd Subject DN: CN=subca Issuer DN: CN=Certificate Authority,O=RHEL77.TEST Certificate: MIIDZTCCAk2gAwIBAgIBDzANBgkqhkiG9w0BAQsFADA2MRQwEgYDVQQKDAtSSEVMNzcuVEVTVDEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTE5MTAwMzEyMjAxM1oXDTM5MTAwMzEyMjAxM1owEDEOMAwGA1UEAwwFc3ViY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDT3HxxuUAOPDRAqD1GNOYuwLD4cibSLxSzaDk7/OHJvyfThyPIq+nzy/+LXV+/oye10kT6NVGvBJ4XBBkhSSrbdKnfze3aV+sjJADsYBdpGpnhnV0PYb8MlJoEDcd/JzGY5TWzVi8RHRFJgQRvke+pI/b7rPap4I3z9EEZiZ3ihz+e960Apnk6LuJNwa9ENVD199c/xuPtR33W8H7U+XyZ6x4v8z5Y6QkybWqCx1xM27N5hZjIh+m69uc16PieyqSVv7Z4rZmW2fnWJvXdsmJuyRfi+36yzX16AUr2AU5MVda/Xn4amuzU7O1DAn/bOt+0i3CIVb8o3AUUKXN24oXBAgMBAAGjgaMwgaAwHwYDVR0jBBgwFoAUj6/BrJBv2Hc4HpG7I0D3GkHrlokwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAcYwHQYDVR0OBBYEFMwnDJR5ZtNrNvPjuQSlmeA3Q2DnMD0GCCsGAQUFBwEBBDEwLzAtBggrBgEFBQcwAYYhaHR0cDovL2lwYS1jYS5yaGVsNzcudGVzdC9jYS9vY3NwMA0GCSqGSIb3DQEBCwUAA4IBAQApOHwSLCsf5nnqOjqU55bpcYIGeXM5jpV3GQyaO+mgoL66tGFr4K6NzYTGY5QP/VphwcHM9ebhK/rtdOkyQ1DClU5zDTj23J//jVFn6wWlax7EYojcMtb4RAg/QgVc+Tsa+Ttll1052k+zjmdzsyUJ0WFL2mEDaUVL30UbBw3fgk7CfZhvwxsu0OxeosGNj7y+Mz/4rkpSSSd/PUv7MdPrqHIfPd/QDFzyuFNi4OyY4SG0XvqStrX1agOepf5s+tOCC2dbY/CmAUQViC5QfJ8GwblAdAERmSGMpd/YWRKu2M8W7MpTEsOZqkDckxYY0/hUrZxohn9azloysV12o5Zd [root@master alias]# certutil -d . -L Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI caSigningCert cert-pki-ca CTu,Cu,Cu auditSigningCert cert-pki-ca u,u,Pu Server-Cert cert-pki-ca u,u,u caSigningCert cert-pki-ca cff68fa5-05a8-4d72-8f22-dff1f29135fd u,u,u ocspSigningCert cert-pki-ca u,u,u subsystemCert cert-pki-ca u,u,u 5. Checking the entry in replica [root@replica ~]# cd /etc/pki/pki-tomcat/alias/ [root@replica alias]# certutil -d . 
-L Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI auditSigningCert cert-pki-ca u,u,Pu caSigningCert cert-pki-ca CTu,Cu,Cu Server-Cert cert-pki-ca u,u,u caSigningCert cert-pki-ca cff68fa5-05a8-4d72-8f22-dff1f29135fd u,u,u ocspSigningCert cert-pki-ca u,u,u subsystemCert cert-pki-ca u,u,u The sub-CA signing certificate (nickname "caSigningCert cert-pki-ca cff68fa5-05a8-4d72-8f22-dff1f29135fd") now appears in the replica's NSS database with the same nickname and trust attributes as on the master, which is the behaviour this fix verifies.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:3070