I found my error and got past this and completed the rest of the steps up to setting up the new server. Is there an easy way to test a certificate granted by their CA to see if it's now going to be accepted on a system where IPA's root CA certificate is present but their Root CA is not? I'd like to verify this before installing the new IPA CA for them.
--
Bret Wortman
bret.wort...@damascusgrp.com

On Tue, Feb 16, 2021, at 9:23 AM, Bret Wortman wrote:
> Because the full CN is actually "damascusgrp.com DG Web Team Root CA",
> does that complicate this or do I just need to find a way to add all
> that as a host?
>
> --
> Bret Wortman
> bret.wort...@damascusgrp.com
>
> On Tue, Feb 16, 2021, at 8:06 AM, Bret Wortman wrote:
> > I may well have messed this up, but here's what I've done:
> >
> > # ipa host-add --force damascusgrp.com
> > ----------------------------
> > Added host "damascusgrp.com"
> > ----------------------------
> >   Host name: damascusgrp.com
> >   Principal name: host/damascusgrp....@damascusgrp.com
> >   Principal alias: host/damascusgrp....@damascusgrp.com
> >   Password: False
> >   Member of host-groups: allow_all_hosts
> >   Indirect Member of netgroup: allow_all_hosts
> >   Keytab: False
> >   Managed by: damascusgrp.com
> > # ipa certprofile-show caIPAserviceCert --out SubCA.cfg
> > ------------------------------------------------
> > Profile configuration stored in file "SubCA.cfg"
> > ------------------------------------------------
> >   Profile ID: caIPAserviceCert
> >   Profile description: Standard profile for network services
> >   Store issued certificates: TRUE
> > # vim SubCA.cfg
> > :
> > profileId=damascusgrp.com
> > :
> > # ipa certprofile-import 'damascusgrp.com' --desc "Web Team CA" --file SubCA.cfg --store=1
> > ipa: ERROR: invalid 'id': invalid Profile ID
> >
> > --
> > Bret Wortman
> > bret.wort...@damascusgrp.com
> >
> > On Tue, Feb 16, 2021, at 7:40 AM, Bret Wortman wrote:
> > > Just to be clear, I'm going to follow the steps, but instead of setting
> > > up sub.ipa.local, I'm going to instead use simply "damascusgrp.com",
> > > yielding a principal named host/damascusgrp....@damascusgrp.com, right?
> > > And then proceed through the rest of the steps.
> > >
> > > --
> > > Bret Wortman
> > > bret.wort...@damascusgrp.com
> > >
> > > On Tue, Feb 16, 2021, at 7:05 AM, Bret Wortman wrote:
> > > > Okay, I'll give it a try. Thanks!
> > > >
> > > > --
> > > > Bret Wortman
> > > > bret.wort...@damascusgrp.com
> > > >
> > > > On Tue, Feb 16, 2021, at 6:59 AM, Fraser Tweedale wrote:
> > > > > On Tue, Feb 16, 2021 at 05:53:31AM -0500, Bret Wortman wrote:
> > > > > > Fraser,
> > > > > >
> > > > > > It doesn't look like we fit the model. Our IPA CA's cert is as
> > > > > > expected, but the other one is:
> > > > > >
> > > > > > $ openssl x509 -noout -in web-ca.crt -issuer
> > > > > > issuer= /C=US/ST=VA/L=Fairfax/O=DG Web Team/OU=DG/CN=damascusgrp.com DG Web Team Root CA
> > > > > >
> > > > > > Since I don't see a hostname in there anywhere (and in fact,
> > > > > > further conversations with this team turned up the fact that
> > > > > > they're just creating these by hand using openssl commands rather
> > > > > > than running any sort of service at all), I'm hesitant to just
> > > > > > barge ahead and try to make it work on my own...
> > > > >
> > > > > The CN (damascusgrp.com) is a domain name. You can add a host
> > > > > object with that name to FreeIPA. I think the procedure outlined in
> > > > > the blog post should work for you.
> > > > >
> > > > > Cheers,
> > > > > Fraser
> > > > >
> > > > > > --
> > > > > > Bret Wortman
> > > > > > bret.wort...@damascusgrp.com
> > > > > >
> > > > > > On Mon, Feb 15, 2021, at 8:30 PM, Fraser Tweedale wrote:
> > > > > > > On Mon, Feb 15, 2021 at 10:10:59AM -0500, Bret Wortman via FreeIPA-users wrote:
> > > > > > > > We had a developer team deploy their own CA and then issue a slew
> > > > > > > > of certificates for users' workstations and other servers, and now
> > > > > > > > they want us to deploy those certificates more widely. I'd rather
> > > > > > > > find a way to bring their CA under ours so that the root CA
> > > > > > > > certificate we already distribute will make theirs "just work"
> > > > > > > > rather than having to distribute another set of root CA
> > > > > > > > certificates.
> > > > > > > >
> > > > > > > > Is this possible, or would they have to start over and build a
> > > > > > > > subordinate CA from the ground up to make it work? If it's perhaps
> > > > > > > > possible, under what circumstances?
> > > > > > >
> > > > > > > Hi Bret,
> > > > > > >
> > > > > > > It is possible, but there are restrictions about what the sub-CA's
> > > > > > > subject DN can be. Have a read of this blog post:
> > > > > > > https://frasertweedale.github.io/blog-redhat/posts/2018-08-21-ipa-subordinate-ca.html
> > > > > > >
> > > > > > > If your developer team's CA certificate does not fit those
> > > > > > > requirements, please share the details of the certificate
> > > > > > > (especially Subject DN) and I'll see if I can find a workaround.
> > > > > > >
> > > > > > > Cheers,
> > > > > > > Fraser
> > > > > > >
> > > > > > > > Thanks!
> > > > > > > >
> > > > > > > > Bret

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
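One way to answer the question at the top of this message in runnable form: an added example, not code from the thread or from FreeIPA, that uses the openssl CLI to build a constructed root CA, a CA subordinate to it, and leaf certificates, then checks which leaves validate on a host whose trust store holds only that root. All subject names, file names and the stand-in "IPA root" are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or FreeIPA. Builds throwaway certs with the
# openssl CLI to answer: will a cert from the team's CA, once that CA is made
# subordinate to the IPA CA, validate on a host trusting only the IPA root?
# All names and paths are constructed.
set -e
WORK=$(mktemp -d); cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext

# csr NAME SUBJECT: fresh key + CSR -> NAME.key, NAME.csr
csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
}
# root NAME SUBJECT: self-signed CA cert with CA:TRUE -> NAME.crt
root() {
  csr "$1" "$2"
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 3 -extfile ca.ext \
    -out "$1.crt" >/dev/null 2>&1
}
# issue NAME SUBJECT ISSUER EXTFILE: cert for NAME signed by ISSUER's key
issue() {
  csr "$1" "$2"
  openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
    -days 2 -extfile "$4" -out "$1.crt" >/dev/null 2>&1
}
# verify_leaf TRUSTED LEAF [UNTRUSTED]: 0 iff LEAF chains to a cert in TRUSTED;
# UNTRUSTED (the sub-CA cert, as a server would send it) is only a bridge.
verify_leaf() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

root  iparoot "/O=Example IPA/CN=Example IPA Root CA"                         # stand-in for the IPA CA
root  oldroot "/O=Example Web Team/CN=Example Web Team Root CA"               # team's original self-signed CA
issue oldleaf "/CN=www.example.test" oldroot leaf.ext                         # issued before re-parenting
issue subca   "/O=Example Web Team/CN=Example Web Team Sub CA" iparoot ca.ext # team CA as IPA sub-CA
issue newleaf "/CN=www.example.test" subca leaf.ext                           # issued by the sub-CA

# Host that trusts only the IPA root: the old cert fails, the new one passes
# when the sub-CA cert accompanies it (as a server's chain would).
if verify_leaf iparoot.crt oldleaf.crt; then echo "old leaf: accepted (unexpected)"; else echo "old leaf: rejected"; fi
if verify_leaf iparoot.crt newleaf.crt subca.crt; then echo "new leaf: accepted via sub-CA"; else echo "new leaf: rejected"; fi
```

Against a real deployment, replace iparoot.crt with the IPA CA certificate and subca.crt with the re-issued sub-CA certificate; a client that receives only the leaf, without the sub-CA cert in the served chain, fails exactly like the second check without the bridge.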