[Freeipa-devel] Questions re. 3rd party certificates

Tue, 21 Jun 2016 02:03:57 -0700 

Hi,
I am working on the following issues and I have questions re. 3rd party certificates: - https://fedorahosted.org/freeipa/ticket/4785 ipa-server-certinstall tracks the 3rd party cert it installs with certmonger - https://fedorahosted.org/freeipa/ticket/4786 ipa-server-certinstall does not accept certs signed by 3rd party CAs 

First I would like to validate that my scenario is the correct one:

FreeIPA installed with an embedded CA. The customer now wants to use a 
different certificate for httpd and dirsrv, signed by a 3rd party CA. 
The steps to achieve this are:
1. run "ipa-cacert-manage install -t C,, <CAcert file>" to install the 
3rd party CA certificate. This step puts the CA certificate in the LDAP 
entry cn=certificates,cn=ipa,cn=etc,dc=...



2. run "ipa-certupdate" to retrieve the CA cert from LDAP and put it 
into /etc/ipa/nssdb /etc/dirsrv/sldapd-xxx and /etc/httpd/alias
Note that this command does not put the CA cert into 
/etc/pki/pki-tomcat/alias, is this expected? I had to perform this 
manually (otherwise tomcat won't restart later).


3. run "ipa-server-certinstall -d -w key.pem cert.pem"

This commands should stop tracking the previous cert, install the new 
one in /etc/dirsrv/slapd-xx (if -d is used) and /etc/httpd/alias (if -w 
is used), and track the new one only if signed by IPA CA. It also 
updates the attribute nssslpersonalityssl of the entry 
cn=rsa,cn=encryption,cn=config to contain the new cert nickname (for the 
dirsrv) and sets NSSNickname in /etc/httpd/conf.d/nss.conf (for httpd).


After those steps, I noticed that

- the entries 
krbprincipalname=HTTP/hostname@dom,cn=services,cn=accounts,dc=domain... 
and 
krbprincipalname=ldap/hostname@dom,cn=services,cn=accounts,dc=domain... 
are not updated: their attribute userCertificate still contains the old 
certificate.

Did I miss a manual step? Is it an issue?


- the new certificate nickname is not "Server-Cert" any more but rather 
the full subject (even if --cert-name was supplied to 
ipa-server-certinstall).

Can this cause issues?

Thanks for any input,
Flo.

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code






















					Reply via email to