Bug 828866 - [RFE] enhance --subject option for ipa-server-install
[RFE] enhance --subject option for ipa-server-install
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa (Show other bugs)
7.0
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: IPA Maintainers
Abhijeet Kasurde
: FutureFeature
: 1283602 (view as bug list)
Depends On:
Blocks: 1396494 1399979
  Show dependency treegraph
 
Reported: 2012-06-05 09:42 EDT by Dmitri Pal
Modified: 2017-08-01 05:37 EDT (History)
14 users (show)

See Also:
Fixed In Version: ipa-4.5.0-1.el7
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-01 05:37:23 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Proposed patch (PoC) to add --subject_cn and --subject_mail options to ipa-server-install (29.87 KB, patch)
2016-07-05 15:29 EDT, Sebastian Hetze
no flags Details | Diff
console.log (13.24 KB, text/plain)
2017-05-22 08:06 EDT, Abhijeet Kasurde
no flags Details

  None (edit)
Description Dmitri Pal 2012-06-05 09:42:17 EDT
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/2614

Currently the --subject option for ipa-server-install only allows you to add other attributes (e.g. O, OU, C) to the existing CN=Certificate Authority for the IPA CA. In some OSs, certificate authorities are only listed by CN (instead of other attributes in the DN), thus the rather bare entry of "Certificate Authority". In older versions of IPA, there was at least the realm added before such that you had EXAMPLE.COM Certificate Authority. It would be nice to be able to at a minimum return to this behavior, or, even better, be able to set the entire subject including the CN itself such that you would include the organization name in the CN.
Comment 2 Petr Vobornik 2016-01-29 09:02:16 EST
*** Bug 1283602 has been marked as a duplicate of this bug. ***
Comment 3 Sebastian Hetze 2016-07-05 15:29 EDT
Created attachment 1176656 [details]
Proposed patch (PoC) to add --subject_cn and --subject_mail options to ipa-server-install

This patch replaces all hardcoded "Certificate Authority" settings for the CA Cert subject with an optional subject_cn and even an additional subject_mail as RDN.

The patch also extends the ipaGuiConfig OC with ipaCertificateSubjectRdn attribute to keep track of this new setting.

This patch is certainly not perfect and has only been tested in a limited number of use cases. However, it should be a viable starting point for productizing this new feature.
Comment 4 Sebastian Hetze 2016-07-11 03:55:55 EDT
A clarification regarding requirements and use case:

3. What is the nature and description of the request?

Currently, the subject for a IPA generated CA cert is built of two components,
a subject base DN (subject_base) and a static common name: 'CN=Certificate
Authority'. While the subject_base is customizable via a command line option to
ipa-server-install, the common name is hard coded into the installer.

It is required to have the common name component of the subject DN
customizable. In addition, it is required to allow an additional and optional
emailAddress component prepended to the subject DN as most significant
component.

4. Why does the customer need this? (List the business requirements here)

The customer needs to integrate IPA into an existing chain of trust. The IPA
generated CA certificate needs to be signed by an superordinate PKI. To allow
the IPA CA cert to be signed by the superordinate PKI, it needs to meet certain
criteria, including a particular customer specific common name and an
additional emailAddress to clearly identify the subordinate CA.

The current hard coded common name does not meet the requirements and therefor
makes the integration of IPA into the existing PKI impossible. This in turn
leaves the Linux/Unix IT operations dependent from the superordinate PKI even
in cases, where creation of service certs could perfectly be delegated to this
Linux/Unix IT Ops in accordance to existing compliance rules and operational
processes.

5. How would the customer like to achieve this? (List the functional requirements here)

The customer would like to get options to customize the common name and add an
email address to the CA cert subject upon creation with ipa-server-install --external-ca.

6. For each functional requirement listed in question 5, specify how Red Hat
and the customer can test to confirm the requirement is successfully implemented.

The new feature (option) must result in a CA cert CSR with subject line like
/usr/lib64/nss/unsupported-tools/pp -t cr -a -i /root/ipa.csr|grep Subject:
 Subject: E=caadmin@example.com,CN=Custom CA Name,OU=Example IT,O=Example Corp,L=City,ST=State,C=US
openssl req -text -noout -in /root/ipa.csr |grep Subject:
 Subject: C=US,ST=State,L=City,O=Example Corp,OU=Example IT,CN=Custom CA Name/emailAddress=caadmin@example.com

This IPA CA CSR must be signable by an Active Directory PKI and that signed
certificate must be usable to proceed with the IPA server installation.  In
particular, IPA must be able to provide and accept the canonical order of
subject attributes with emailAddress as most significant attribute, like shown
in the example above.
Comment 10 Petr Vobornik 2016-11-16 15:33:34 EST
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6455
Comment 12 Jan Cholasta 2017-01-31 01:13:29 EST
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/87400cdec1054971f50f90a0c63f18ab045f3833
Comment 17 Abhijeet Kasurde 2017-05-22 07:58:09 EDT
Verified using IPA version :: ipa-server-4.5.0-13.el7.x86_64

Marking BZ as verified. 

See attachment for console.log.
Comment 18 Abhijeet Kasurde 2017-05-22 08:06 EDT
Created attachment 1281012 [details]
console.log
Comment 19 Martin Kosek 2017-05-26 05:39:30 EDT
Please note that Red Hat officially released public RHEL-7.4 Beta this week, as announced here:
https://www.redhat.com/en/about/blog/red-hat-enterprise-linux-74-beta-now-available

The new RHEL-7.4 release includes a lot of new IdM functionality, including this RFE. Highlights can be found in RHEL-7.4 Release Notes, especially in the Authentication & Interoperability chapter:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html/7.4_Release_Notes/new_features_authentication_and_interoperability.html

IdM Engineering team would like to encourage everyone interested in this new functionality (and especially customers or community members requesting it) to try Beta and provide us with your feedback!
Comment 20 errata-xmlrpc 2017-08-01 05:37:23 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304

Note You need to log in before you can comment on or make changes to this bug.