On 12/08/2017 01:08 PM, Harald Dunkel via FreeIPA-users wrote:
Hi Flo,

On 12/8/17 10:52 AM, Florence Blanc-Renaud wrote:

Hi Harald,

The external CAs and the FreeIPA CA must be stored in the LDAP server (cn=certificates,cn=ipa,cn=etc,$BASEDN). The correct procedure to add external CAs to the LDAP server is to run ipa-cacert-manage install.

ACK

You need first to have a clean state in the LDAP server. When all the required CAs are stored in LDAP with the right trust attribute, you can use ipa-certupdate to retrieve them and place them in the NSS databases and /etc/ipa/ca.crt.


The IPA servers ipa1 and ipa2 are in sync, as reported by ipa-replica-manage
and ipa-csreplica-manage.

jxplorer shows me 3 certificates:

- the ipa ca certificate signed by the new root CA
- the old root CA certificate "cn=example Root CA, ..."
- the new root CA certificate "cn=root-CA, ..."

The old root CA certificate has much more attributes set than the
new one, esp. there is an attribute ipaKeyTrust set to "trusted",
and several other ipaKeyExtUsage attributes not set for the new
root CA certificate. Attached you can find the output of ldapsearch
for cn=certificates.

As you suggested, I used ipa-certupdate to deploy the new PKI, but
I wonder if the attributes for the new root CA certificate are set
correctly? Please note the "ipaKeyExtUsage: 1.3.6.1.4.1.3319.6.10.16"
set only for the new root CA cert.

Looking into the old and new root CA certs I see very similar x509v3
extensions. Do you think the new root certificate could be bad
internally?

If some certificates are manually added to the NSS databases but not present in the LDAP server, the next call to ipa-certupdate will remove them; this is why the state is not persistent.


I highly appreciate this central location.

If you want to completely remove an old root CA, you need to delete it from the LDAP server; otherwise it will return on the next call to ipa-certupdate.


AFAIU it is necessary to fix the attributes of the new root CA
certificate entry in LDAP first. Would you recommend setting the
lost ipaKeyExtUsage attributes?


Hi,

I would try to remove the new root CA from LDAP and re-import it using ipa-cacert-manage install -t C,,
This should create the entry with the appropriate attributes.

Flo

Regards
Harri
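An added check, not part of this thread and not FreeIPA's own tooling: before running ipa-certupdate, audit the cn=certificates,cn=ipa,cn=etc,$BASEDN subtree for CA entries that lack "ipaKeyTrust: trusted", the condition Harald observed on the new root CA entry. The script below unfolds LDIF continuation lines from ldapsearch and reports the cn of every entry without that attribute. The sample LDIF is constructed; the entry names, the serverAuth EKU OID on the trusted entry and the certificate file path in the comments are assumptions, while the attribute names, the placeholder OID 1.3.6.1.4.1.3319.6.10.16 and the "-t C,," trust flags come from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Reports CA entries in the FreeIPA
# certificate store that are not marked "ipaKeyTrust: trusted".
#
# Real usage on an IPA server (BASEDN is your suffix, e.g. dc=example,dc=com):
#   ldapsearch -LLL -b "cn=certificates,cn=ipa,cn=etc,$BASEDN" \
#       cn ipaKeyTrust ipaKeyExtUsage | find_untrusted_cas
#
# For each reported entry, the thread's advice is to delete the LDAP entry,
# re-import the CA with the right trust flags, then redeploy:
#   ipa-cacert-manage install -t C,, /path/to/root-CA.pem   # path is a placeholder
#   ipa-certupdate

# Constructed sample of ldapsearch -LLL output: the IPA CA and the old root
# CA carry ipaKeyTrust: trusted, the newly added root CA does not and only
# has the placeholder EKU OID seen in the thread.
SAMPLE_LDIF='dn: cn=EXAMPLE.COM IPA CA,cn=certificates,cn=ipa,cn=etc,dc=example,dc=com
cn: EXAMPLE.COM IPA CA
ipaKeyTrust: trusted
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.1

dn: cn=example Root CA,cn=certificates,cn=ipa,cn=etc,dc=example,dc=com
cn: example Root CA
ipaKeyTrust: trusted
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.1

dn: cn=root-CA,cn=certificates,cn=ipa,cn=etc,dc=example,dc=com
cn: root-CA
ipaKeyExtUsage: 1.3.6.1.4.1.3319.6.10.16
'

# Read LDIF on stdin, print the cn of every entry lacking "ipaKeyTrust: trusted".
find_untrusted_cas() {
    # Join LDIF continuation lines (a leading space) back onto their attribute line,
    # so long cn values are not split before awk sees them.
    sed -e :a -e '$!N;s/\n //;ta' -e 'P;D' | awk '
        function flush() {
            if (cn != "" && !trusted) print cn
            cn = ""; trusted = 0
        }
        /^dn: /                  { flush(); next }        # new entry starts
        /^cn: /                  { cn = substr($0, 5); next }
        /^ipaKeyTrust: trusted$/ { trusted = 1; next }
        END                      { flush() }              # last entry has no following dn
    '
}

# Stand-alone run against the constructed sample; prints "root-CA".
printf '%s\n' "$SAMPLE_LDIF" | find_untrusted_cas
```

The check is deliberately limited to the ipaKeyTrust attribute: an entry that is missing it will also be missing the usage attributes, and re-importing with "ipa-cacert-manage install -t C,," is what creates both, so hand-editing ipaKeyExtUsage is not needed.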


_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
