On Sat, Dec 12, 2020 at 05:49:53PM -0000, Khurrum Maqb via FreeIPA-users wrote: > I got it resolved - IPA does not seem to support importing a > rechained external CA. It doesn't seem to have anything to do with > ipaCertSubject being unique but it's something else where there > are two different chains for the same external CA. > > I was able to ldapdelete the old problematic certs from ldap> etc > > ipa > certificates. And then I was able to successfully run the > > ipa-advise script for adding the CA certs. This time > > ipa-cacert-manage worked without throwing the public key info > > mismatch error. > > And then I ran ipa-certupdate on all Ipa servers, and clients that > required smartcard auth. And it seemed to work fine for the new > certs. Unfortunately, this likely means that the cards with the > old chain will stop working but they are in the small minority and > we'll likely have to get them new cards signed by the external CA > with the new chain. > > I would like to suggest that the ability to rechain and have two > different chains for the same external CA be added to FreeIPA. > It's likely a rare situation but it happens.
Thanks for the report Khurrum. Glad you were able to sort it out. Rob, Flo: this is old validation code (commit de695e688e, 2014) and probably an oversight. We should investigate whether anything breaks when superior certs in the IPA CA chain get rekeyed. If nothing breaks, we should remove the SubjectPublicKeyInfo check. Cheers, Fraser _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
