Bug 828866 - [RFE] enhance --subject option for ipa-server-install
Summary: [RFE] enhance --subject option for ipa-server-install
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Abhijeet Kasurde
: 1283602 (view as bug list)
Depends On:
Blocks: 1396494 1399979
TreeView+ depends on / blocked
Reported: 2012-06-05 13:42 UTC by Dmitri Pal
Modified: 2019-09-12 07:41 UTC (History)
14 users (show)

Fixed In Version: ipa-4.5.0-1.el7
Doc Type: Enhancement
Doc Text:
Clone Of:
Last Closed: 2017-08-01 09:37:23 UTC
Target Upstream Version:

Attachments (Terms of Use)
Proposed patch (PoC) to add --subject_cn and --subject_mail options to ipa-server-install (29.87 KB, patch)
2016-07-05 19:29 UTC, Sebastian Hetze
no flags Details | Diff
console.log (13.24 KB, text/plain)
2017-05-22 12:06 UTC, Abhijeet Kasurde
no flags Details

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2304 normal SHIPPED_LIVE ipa bug fix and enhancement update 2017-08-01 12:41:35 UTC

Description Dmitri Pal 2012-06-05 13:42:17 UTC
This bug is created as a clone of upstream ticket:

Currently the --subject option for ipa-server-install only allows you to add other attributes (e.g. O, OU, C) to the existing CN=Certificate Authority for the IPA CA. In some OSs, certificate authorities are only listed by CN (instead of other attributes in the DN), thus the rather bare entry of "Certificate Authority". In older versions of IPA, there was at least the realm added before such that you had EXAMPLE.COM Certificate Authority. It would be nice to be able to at a minimum return to this behavior, or, even better, be able to set the entire subject including the CN itself such that you would include the organization name in the CN.

Comment 2 Petr Vobornik 2016-01-29 14:02:16 UTC
*** Bug 1283602 has been marked as a duplicate of this bug. ***

Comment 3 Sebastian Hetze 2016-07-05 19:29:23 UTC
Created attachment 1176656 [details]
Proposed patch (PoC) to add --subject_cn and --subject_mail options to ipa-server-install

This patch replaces all hardcoded "Certificate Authority" settings for the CA Cert subject with an optional subject_cn and even an additional subject_mail as RDN.

The patch also extends the ipaGuiConfig OC with ipaCertificateSubjectRdn attribute to keep track of this new setting.

This patch is certainly not perfect and has only been tested in a limited number of use cases. However, it should be a viable starting point for productizing this new feature.

Comment 4 Sebastian Hetze 2016-07-11 07:55:55 UTC
A clarification regarding requirements and use case:

3. What is the nature and description of the request?

Currently, the subject for a IPA generated CA cert is built of two components,
a subject base DN (subject_base) and a static common name: 'CN=Certificate
Authority'. While the subject_base is customizable via a command line option to
ipa-server-install, the common name is hard coded into the installer.

It is required to have the common name component of the subject DN
customizable. In addition, it is required to allow an additional and optional
emailAddress component prepended to the subject DN as most significant

4. Why does the customer need this? (List the business requirements here)

The customer needs to integrate IPA into an existing chain of trust. The IPA
generated CA certificate needs to be signed by an superordinate PKI. To allow
the IPA CA cert to be signed by the superordinate PKI, it needs to meet certain
criteria, including a particular customer specific common name and an
additional emailAddress to clearly identify the subordinate CA.

The current hard coded common name does not meet the requirements and therefor
makes the integration of IPA into the existing PKI impossible. This in turn
leaves the Linux/Unix IT operations dependent from the superordinate PKI even
in cases, where creation of service certs could perfectly be delegated to this
Linux/Unix IT Ops in accordance to existing compliance rules and operational

5. How would the customer like to achieve this? (List the functional requirements here)

The customer would like to get options to customize the common name and add an
email address to the CA cert subject upon creation with ipa-server-install --external-ca.

6. For each functional requirement listed in question 5, specify how Red Hat
and the customer can test to confirm the requirement is successfully implemented.

The new feature (option) must result in a CA cert CSR with subject line like
/usr/lib64/nss/unsupported-tools/pp -t cr -a -i /root/ipa.csr|grep Subject:
 Subject: E=caadmin@example.com,CN=Custom CA Name,OU=Example IT,O=Example Corp,L=City,ST=State,C=US
openssl req -text -noout -in /root/ipa.csr |grep Subject:
 Subject: C=US,ST=State,L=City,O=Example Corp,OU=Example IT,CN=Custom CA Name/emailAddress=caadmin@example.com

This IPA CA CSR must be signable by an Active Directory PKI and that signed
certificate must be usable to proceed with the IPA server installation.  In
particular, IPA must be able to provide and accept the canonical order of
subject attributes with emailAddress as most significant attribute, like shown
in the example above.

Comment 10 Petr Vobornik 2016-11-16 20:33:34 UTC
Upstream ticket:

Comment 12 Jan Cholasta 2017-01-31 06:13:29 UTC
Fixed upstream

Comment 17 Abhijeet Kasurde 2017-05-22 11:58:09 UTC
Verified using IPA version :: ipa-server-4.5.0-13.el7.x86_64

Marking BZ as verified. 

See attachment for console.log.

Comment 18 Abhijeet Kasurde 2017-05-22 12:06:39 UTC
Created attachment 1281012 [details]

Comment 19 Martin Kosek 2017-05-26 09:39:30 UTC
Please note that Red Hat officially released public RHEL-7.4 Beta this week, as announced here:

The new RHEL-7.4 release includes a lot of new IdM functionality, including this RFE. Highlights can be found in RHEL-7.4 Release Notes, especially in the Authentication & Interoperability chapter:

IdM Engineering team would like to encourage everyone interested in this new functionality (and especially customers or community members requesting it) to try Beta and provide us with your feedback!

Comment 20 errata-xmlrpc 2017-08-01 09:37:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.