Bug 828866 - [RFE] enhance --subject option for ipa-server-install
Summary: [RFE] enhance --subject option for ipa-server-install
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: IPA Maintainers
QA Contact: Abhijeet Kasurde
URL:
Whiteboard:
Duplicates: 1283602 (view as bug list)
Depends On:
Blocks: 1396494 1399979
Reported: 2012-06-05 13:42 UTC by Dmitri Pal
Modified: 2020-09-10 09:16 UTC
CC List: 14 users

Fixed In Version: ipa-4.5.0-1.el7
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 09:37:23 UTC
Target Upstream Version:
Embargoed:


Attachments
Proposed patch (PoC) to add --subject_cn and --subject_mail options to ipa-server-install (29.87 KB, patch)
2016-07-05 19:29 UTC, Sebastian Hetze
console.log (13.24 KB, text/plain)
2017-05-22 12:06 UTC, Abhijeet Kasurde


Links
System: Red Hat Product Errata
ID: RHBA-2017:2304
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: ipa bug fix and enhancement update
Last Updated: 2017-08-01 12:41:35 UTC

Description Dmitri Pal 2012-06-05 13:42:17 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/2614

Currently the --subject option for ipa-server-install only allows you to add other attributes (e.g. O, OU, C) to the existing CN=Certificate Authority for the IPA CA. In some OSs, certificate authorities are only listed by CN (instead of other attributes in the DN), thus the rather bare entry of "Certificate Authority". In older versions of IPA, there was at least the realm added before such that you had EXAMPLE.COM Certificate Authority. It would be nice to be able to at a minimum return to this behavior, or, even better, be able to set the entire subject including the CN itself such that you would include the organization name in the CN.

Comment 2 Petr Vobornik 2016-01-29 14:02:16 UTC
*** Bug 1283602 has been marked as a duplicate of this bug. ***

Comment 3 Sebastian Hetze 2016-07-05 19:29:23 UTC
Created attachment 1176656
Proposed patch (PoC) to add --subject_cn and --subject_mail options to ipa-server-install

This patch replaces all hardcoded "Certificate Authority" settings for the CA Cert subject with an optional subject_cn and even an additional subject_mail as RDN.

The patch also extends the ipaGuiConfig OC with ipaCertificateSubjectRdn attribute to keep track of this new setting.

This patch is certainly not perfect and has only been tested in a limited number of use cases. However, it should be a viable starting point for productizing this new feature.

Comment 4 Sebastian Hetze 2016-07-11 07:55:55 UTC
A clarification regarding requirements and use case:

3. What is the nature and description of the request?

Currently, the subject for an IPA generated CA cert is built of two components,
a subject base DN (subject_base) and a static common name: 'CN=Certificate
Authority'. While the subject_base is customizable via a command line option to
ipa-server-install, the common name is hard coded into the installer.

It is required to have the common name component of the subject DN
customizable. In addition, it is required to allow an additional and optional
emailAddress component prepended to the subject DN as most significant
component.

4. Why does the customer need this? (List the business requirements here)

The customer needs to integrate IPA into an existing chain of trust. The IPA
generated CA certificate needs to be signed by a superordinate PKI. To allow
the IPA CA cert to be signed by the superordinate PKI, it needs to meet certain
criteria, including a particular customer specific common name and an
additional emailAddress to clearly identify the subordinate CA.

The current hard coded common name does not meet the requirements and therefore
makes the integration of IPA into the existing PKI impossible. This in turn
leaves the Linux/Unix IT operations dependent on the superordinate PKI even
in cases where creation of service certs could perfectly be delegated to this
Linux/Unix IT Ops in accordance with existing compliance rules and operational
processes.

5. How would the customer like to achieve this? (List the functional requirements here)

The customer would like to get options to customize the common name and add an
email address to the CA cert subject upon creation with ipa-server-install --external-ca.

6. For each functional requirement listed in question 5, specify how Red Hat
and the customer can test to confirm the requirement is successfully implemented.

The new feature (option) must result in a CA cert CSR with subject line like
/usr/lib64/nss/unsupported-tools/pp -t cr -a -i /root/ipa.csr|grep Subject:
 Subject: E=caadmin,CN=Custom CA Name,OU=Example IT,O=Example Corp,L=City,ST=State,C=US
openssl req -text -noout -in /root/ipa.csr |grep Subject:
 Subject: C=US,ST=State,L=City,O=Example Corp,OU=Example IT,CN=Custom CA Name/emailAddress=caadmin

This IPA CA CSR must be signable by an Active Directory PKI and that signed
certificate must be usable to proceed with the IPA server installation.  In
particular, IPA must be able to provide and accept the canonical order of
subject attributes with emailAddress as most significant attribute, like shown
in the example above.
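
An added worked check for requirement 6 above (an editorial example for this page, not FreeIPA code and not part of the bug): the two tools quoted in the comment print the same subject DN in opposite orders, NSS's pp leaf-first with E=, OpenSSL's legacy one-line form root-first with emailAddress joined by a slash. The script below normalises both into one leaf-first RDN list and then asserts what the requirement asks for: the custom CN is present, the installer's hard-coded CN=Certificate Authority is gone, and emailAddress is the single most significant RDN. The two subject lines are copied from the comment; the legacy subject line (subject base O=EXAMPLE.COM plus the hard-coded CN) and all function names are constructed assumptions for the example.

```python
"""Normalise the CA subject DN as printed by NSS 'pp' and by 'openssl req'
and check it against requirement 6 of comment 4.

Editorial example for this bug page; not FreeIPA code. The NSS and OpenSSL
subject lines are copied from comment 4, the rest is constructed here.
"""
import re

# One canonical spelling per attribute type: NSS prints E= and S=, OpenSSL
# prints emailAddress= and ST=.
_CANONICAL = {
    "E": "emailAddress", "EMAIL": "emailAddress", "EMAILADDRESS": "emailAddress",
    "S": "ST", "ST": "ST",
    "CN": "CN", "OU": "OU", "O": "O", "L": "L", "C": "C",
}


def _canon(attr_type):
    return _CANONICAL.get(attr_type.strip().upper(), attr_type.strip())


def _strip_label(line):
    # Both tools print the DN after a "Subject:" label; tolerate its absence.
    line = line.strip()
    return line[len("Subject:"):].strip() if line.startswith("Subject:") else line


def _split_rdns(body):
    # Split on ',' or '/' unless it is backslash-escaped (RFC 4514 escaping).
    # The legacy OpenSSL one-line form is ambiguous for values that contain
    # these characters; for real checks use 'openssl req -nameopt RFC2253'.
    pairs = []
    for part in re.split(r"(?<!\\)[,/]", body):
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr:
            raise ValueError("not an attribute=value RDN: %r" % part)
        pairs.append((_canon(attr), value.strip()))
    return pairs


def parse_nss(line):
    """NSS 'pp -t cr' prints the subject leaf-first: E=...,CN=...,...,C=US."""
    return _split_rdns(_strip_label(line))


def parse_openssl_legacy(line):
    """OpenSSL's legacy one-line form prints root-first (C=US,...,CN=...) and
    joins non-PrintableString attributes such as emailAddress with '/'.
    Reverse it so both parsers return the same leaf-first list."""
    return list(reversed(_split_rdns(_strip_label(line))))


def to_rfc4514(rdns):
    """Leaf-first string form, the order RFC 4514 (and LDAP) uses."""
    return ",".join("%s=%s" % (t, v) for t, v in rdns)


def check_ca_subject(rdns, expected_cn, expected_email=None):
    """Return the list of violations (empty list means the subject passes):
    the custom CN must be present, the installer's hard-coded
    'CN=Certificate Authority' must be gone, and when an e-mail address was
    requested it must be the single most significant (leaf) RDN."""
    problems = []
    cns = [v for t, v in rdns if t == "CN"]
    if expected_cn not in cns:
        problems.append("CN %r missing, found %r" % (expected_cn, cns))
    if "Certificate Authority" in cns and expected_cn != "Certificate Authority":
        problems.append("hard-coded CN=Certificate Authority still present")
    emails = [v for t, v in rdns if t == "emailAddress"]
    if expected_email is not None:
        if not rdns or rdns[0] != ("emailAddress", expected_email):
            problems.append("emailAddress=%r is not the leaf RDN" % expected_email)
        if len(emails) > 1:
            problems.append("more than one emailAddress RDN: %r" % emails)
    elif emails:
        problems.append("unexpected emailAddress RDN %r" % emails)
    return problems


# Subject lines copied from comment 4: the same DN as printed by the two tools.
NSS_LINE = "Subject: E=caadmin,CN=Custom CA Name,OU=Example IT,O=Example Corp,L=City,ST=State,C=US"
OPENSSL_LINE = "Subject: C=US,ST=State,L=City,O=Example Corp,OU=Example IT,CN=Custom CA Name/emailAddress=caadmin"
# Constructed: the pre-RFE subject, subject_base O=EXAMPLE.COM plus the hard-coded CN.
LEGACY_LINE = "Subject: CN=Certificate Authority,O=EXAMPLE.COM"

if __name__ == "__main__":
    custom = parse_nss(NSS_LINE)
    print(to_rfc4514(custom))
    print("same DN from both tools:", custom == parse_openssl_legacy(OPENSSL_LINE))
    print("custom subject:", check_ca_subject(custom, "Custom CA Name", "caadmin") or "OK")
    print("legacy subject:", check_ca_subject(parse_nss(LEGACY_LINE), "Custom CA Name", "caadmin"))
```

Feed it the Subject: line of the CSR as printed by either tool; the legacy OpenSSL one-line form is only parsed here because that is what the comment quotes, and for anything beyond a spot check `openssl req -noout -subject -nameopt RFC2253` gives an unambiguous, leaf-first DN that the NSS parser above can read directly.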

Comment 10 Petr Vobornik 2016-11-16 20:33:34 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6455

Comment 12 Jan Cholasta 2017-01-31 06:13:29 UTC
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/87400cdec1054971f50f90a0c63f18ab045f3833

Comment 17 Abhijeet Kasurde 2017-05-22 11:58:09 UTC
Verified using IPA version :: ipa-server-4.5.0-13.el7.x86_64

Marking BZ as verified. 

See attachment for console.log.

Comment 18 Abhijeet Kasurde 2017-05-22 12:06:39 UTC
Created attachment 1281012
console.log

Comment 19 Martin Kosek 2017-05-26 09:39:30 UTC
Please note that Red Hat officially released public RHEL-7.4 Beta this week, as announced here:
https://www.redhat.com/en/about/blog/red-hat-enterprise-linux-74-beta-now-available

The new RHEL-7.4 release includes a lot of new IdM functionality, including this RFE. Highlights can be found in RHEL-7.4 Release Notes, especially in the Authentication & Interoperability chapter:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html/7.4_Release_Notes/new_features_authentication_and_interoperability.html

IdM Engineering team would like to encourage everyone interested in this new functionality (and especially customers or community members requesting it) to try Beta and provide us with your feedback!

Comment 20 errata-xmlrpc 2017-08-01 09:37:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304

