Hello Alexander, 

This is the RootCA certificate I use:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0a:[...]
        Signature Algorithm: sha512WithRSAEncryption
        Issuer: C = FR, ST = France, L = [...], O = [...], OU = [...], CN = ROOT-CA, emailAddress = [...]
        Validity
            Not Before: May  7 12:30:59 2023 GMT
            Not After : May  4 12:30:59 2033 GMT
        Subject: C = FR, ST = France, L = [...], O = [...], OU = [...], CN = ROOT-CA, emailAddress = [...]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:[...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                57:[...]
            X509v3 Authority Key Identifier: 
                keyid:57:[...]
                DirName:/C=FR/ST=France/L=[...]/O=[...]/OU=[...]/CN=ROOT-CA/emailAddress=[...]
                serial:0A:[...]
            X509v3 Basic Constraints: critical
                CA:TRUE
            Netscape Cert Type: 
                S/MIME CA, Object Signing CA
            X509v3 Issuer Alternative Name: 
                <EMPTY>

            Netscape Comment: 
                ROOT-CA
            X509v3 Subject Alternative Name: 
                email:[...]
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
    Signature Algorithm: sha512WithRSAEncryption
    Signature Value:
        57:[...]

I hope this can help you. 

Best regards, 
Joseph KERVELLEC
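As an added diagnostic, not code from the thread or from FreeIPA: the snippet below pulls the Netscape Cert Type extension (OID 2.16.840.1.113730.1.1) out of a DER certificate, lists the bits it carries, and reports whether a certutil `-u L` style check would be satisfied. The function names and the constructed sample extensions are mine; the fallback rule for a missing extension (NSS derives the type from basicConstraints/keyUsage) is stated as an assumption in the code.

```python
# Added diagnostic (not from the thread): find the Netscape Cert Type extension
# in a DER blob (e.g. base64-decoded /etc/ipa/ca.crt) and report its CA bits.
import base64

# DER TLV of OID 2.16.840.1.113730.1.1 (nsCertType).
NS_CERT_TYPE_OID = bytes.fromhex("06096086480186f8420101")
# Bit positions as OpenSSL prints them (bit 0 is the MSB of the first byte).
NS_BITS = ["SSL Client", "SSL Server", "S/MIME", "Object Signing",
           "Reserved", "SSL CA", "S/MIME CA", "Object Signing CA"]

def _tlv(buf, pos):
    """Decode one DER tag/length/value at pos; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the body."""
    body = "".join(ln for ln in pem.splitlines() if not ln.startswith("-----"))
    return base64.b64decode(body)

def ns_cert_type(der):
    """Set of nsCertType flag names, or None if the extension is absent."""
    idx = der.find(NS_CERT_TYPE_OID)
    if idx < 0:
        return None
    _, _, pos = _tlv(der, idx)              # skip the OID itself
    tag, val, pos = _tlv(der, pos)
    if tag == 0x01:                         # optional 'critical' BOOLEAN
        tag, val, pos = _tlv(der, pos)
    if tag != 0x04:                         # extnValue must be an OCTET STRING
        raise ValueError("malformed nsCertType extension")
    btag, bits, _ = _tlv(val, 0)
    if btag != 0x03:
        raise ValueError("nsCertType value is not a BIT STRING")
    data = bits[1:]                         # bits[0] = count of unused bits
    return {name for i, name in enumerate(NS_BITS)
            if i // 8 < len(data) and data[i // 8] & (0x80 >> (i % 8))}

def passes_ssl_ca_check(der):
    """Approximate certutil -u L: if nsCertType is present it must carry
    'SSL CA'. Assumption: when it is absent, NSS derives the type from
    basicConstraints/keyUsage, so a CA:TRUE certificate is accepted."""
    flags = ns_cert_type(der)
    return flags is None or "SSL CA" in flags

# Constructed samples: one nsCertType extension SEQUENCE each. 0x03 is
# "S/MIME CA, Object Signing CA" (the combination in the certificate above);
# 0x07 adds the SSL CA bit, which is what the -u L check looks for.
SMIME_OBJSIGN_CA = bytes.fromhex("3011") + NS_CERT_TYPE_OID + bytes.fromhex("040403020003")
ALL_CA = bytes.fromhex("3011") + NS_CERT_TYPE_OID + bytes.fromhex("040403020007")
```

Feed a real certificate with `ns_cert_type(pem_to_der(open("/etc/ipa/ca.crt").read()))`; an empty result set means the extension is present but grants no type at all.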


-----Original Message-----
From: Alexander Bokovoy <aboko...@redhat.com> 
Sent: Wednesday, 22 November 2023 14:42
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: BRULE Yann <yann.br...@pm.gouv.fr>; DUCOT Vincent 
<vincent.du...@pm.gouv.fr>; KERVELLEC Joseph <joseph.kervel...@pm.gouv.fr>
Subject: Re: [Freeipa-users] Install FreeIPA with own CA and SUBCA

On Wed, 22 Nov 2023, KERVELLEC Joseph via FreeIPA-users wrote:
>Hello,
>
>I am trying to install FreeIPA with my own CA and certutil rejects my 
>RootCA (Certificate type not approved for application).
>
>The issue is when certutil verifies the RootCA with the certusage SSL 
>CA (option -u L). My rootCA does not include sslCA in nsscertype.
>
>Is there a way to install FreeIPA and change the certutil verification 
>(option -u to A instead of L)?
>
>I have tried multiple installs:
>- FreeIPA with all certificates (httpd, dirsrv, kerberos), rejects me
>  with 'Certificate type not approved for application'
>- FreeIPA with external-ca and updated subject, rejects me with the
>  emailAddress object
>- FreeIPA with no certificate options and added my ROOTCA with
>  ipa-ca-install, rejects me with 'Certificate type not approved for
>  application'

Can you please provide an output from 'openssl x509 -text' command for your CA 
certificate?

Something like the output below:

# openssl x509 -text -in /etc/ipa/ca.crt
Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 1 (0x1)
         Signature Algorithm: sha256WithRSAEncryption
         Issuer: O = IPA1.TEST, CN = Certificate Authority
         Validity
             Not Before: Nov 17 09:41:07 2023 GMT
             Not After : Nov 17 09:41:07 2043 GMT
         Subject: O = IPA1.TEST, CN = Certificate Authority
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (3072 bit)
                 Modulus:
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Authority Key Identifier: 
                 33:6B:18:3D:65:BC:54:CF:3D:C0:25:21:FF:B9:BD:A3:17:FB:DE:BF
             X509v3 Basic Constraints: critical
                 CA:TRUE
             X509v3 Key Usage: critical
                 Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
             X509v3 Subject Key Identifier: 
                 33:6B:18:3D:65:BC:54:CF:3D:C0:25:21:FF:B9:BD:A3:17:FB:DE:BF
             Authority Information Access: 
                 OCSP - URI:http://ipa-ca.ipa1.test/ca/ocsp
     Signature Algorithm: sha256WithRSAEncryption
     Signature Value:


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering Red Hat Limited, Finland
