Hello Alexander,

This is the RootCA certificate I use:

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                0a:[...]
            Signature Algorithm: sha512WithRSAEncryption
            Issuer: C = FR, ST = France, L = [...], O = [...], OU = [...], CN = ROOT-CA, emailAddress = [...]
            Validity
                Not Before: May  7 12:30:59 2023 GMT
                Not After : May  4 12:30:59 2033 GMT
            Subject: C = FR, ST = France, L = [...], O = [...], OU = [...], CN = ROOT-CA, emailAddress = [...]
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (4096 bit)
                    Modulus:
                        00:[...]
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Subject Key Identifier:
                    57:[...]
                X509v3 Authority Key Identifier:
                    keyid:57:[...]
                    DirName:/C=FR/ST=France/L=[...]/O=[...]/OU=[...]/CN=ROOT-CA/emailAddress=[...]
                    serial:0A:[...]
                X509v3 Basic Constraints: critical
                    CA:TRUE
                Netscape Cert Type:
                    S/MIME CA, Object Signing CA
                X509v3 Issuer Alternative Name:
                    <EMPTY>
                Netscape Comment:
                    ROOT-CA
                X509v3 Subject Alternative Name:
                    email:[...]
                X509v3 Key Usage: critical
                    Certificate Sign, CRL Sign
        Signature Algorithm: sha512WithRSAEncryption
        Signature Value:
            57:[...]

I hope this can help you.

Best regards,
Joseph KERVELLEC

-----Original Message-----
From: Alexander Bokovoy <aboko...@redhat.com>
Sent: Wednesday, 22 November 2023 14:42
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: BRULE Yann <yann.br...@pm.gouv.fr>; DUCOT Vincent <vincent.du...@pm.gouv.fr>; KERVELLEC Joseph <joseph.kervel...@pm.gouv.fr>
Subject: Re: [Freeipa-users] Install FreeIPA with own CA and SUBCA

On Wed, 22 Nov 2023, KERVELLEC Joseph via FreeIPA-users wrote:
>Hello,
>
>I am trying to install FreeIPA with my own CA and certutil rejects my
>RootCA (Certificate type not approved for application).
>
>The issue is when certutil verifies the RootCA with the certusage SSL
>CA (option -u L). My rootCA does not include sslCA in nsCertType.
>
>Is there a way to install FreeIPA and change the certutil verification
>(option -u to A instead of L)?
>
>I have tried multiple installs:
>- FreeIPA with all certificates (httpd, dirsrv, kerberos), rejects me
>  with 'Certificate type not approved for application'
>- FreeIPA with external-ca and update the subject, rejects me with the
>  emailAddress object
>- FreeIPA with no certificate options and added my ROOTCA with
>  ipa-ca-install, rejects me with 'Certificate type not approved for
>  application'

Can you please provide an output from 'openssl x509 -text' command for your CA certificate? Something like the output below:

    # openssl x509 -text -in /etc/ipa/ca.crt
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 1 (0x1)
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: O = IPA1.TEST, CN = Certificate Authority
            Validity
                Not Before: Nov 17 09:41:07 2023 GMT
                Not After : Nov 17 09:41:07 2043 GMT
            Subject: O = IPA1.TEST, CN = Certificate Authority
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (3072 bit)
                    Modulus:
                        [modulus bytes omitted]
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Authority Key Identifier:
                    33:6B:18:3D:65:BC:54:CF:3D:C0:25:21:FF:B9:BD:A3:17:FB:DE:BF
                X509v3 Basic Constraints: critical
                    CA:TRUE
                X509v3 Key Usage: critical
                    Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
                X509v3 Subject Key Identifier:
                    33:6B:18:3D:65:BC:54:CF:3D:C0:25:21:FF:B9:BD:A3:17:FB:DE:BF
                Authority Information Access:
                    OCSP - URI:http://ipa-ca.ipa1.test/ca/ocsp
        Signature Algorithm: sha256WithRSAEncryption
        Signature Value:
            [signature bytes omitted]
    [PEM certificate block omitted]

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
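As an added example (not code from this thread, from FreeIPA or from NSS), a shell pre-check that approximates the certusage test the thread describes, certutil -u L (SSL CA): it reads openssl x509 -text output and reports whether the Netscape Cert Type extension, when present, lists SSL CA, and whether Key Usage allows Certificate Sign, so a CA like the ROOT-CA above (S/MIME CA, Object Signing CA only) is flagged before ipa-server-install is run. It assumes openssl on PATH; the function name check_ssl_ca is mine.

```shell
#!/bin/sh
# Added example, not part of the thread. Approximates NSS's "SSL CA" usage
# check (certutil -u L) on a PEM CA certificate given as $1:
#   - Basic Constraints must say CA:TRUE;
#   - Key Usage, if present, must include Certificate Sign;
#   - Netscape Cert Type, if present, must include "SSL CA" (a cert carrying
#     only "S/MIME CA, Object Signing CA" is the failure seen in the thread);
#     when the extension is absent, NSS derives the type from the above.
# Returns 0 if the certificate looks usable as an SSL CA, 1 otherwise.
check_ssl_ca() {
    cert="$1"
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) \
        || { echo "cannot parse $cert"; return 1; }

    # 1. CA:TRUE is required in every case.
    printf '%s\n' "$text" | grep -q 'CA:TRUE' \
        || { echo "REJECT: Basic Constraints lacks CA:TRUE"; return 1; }

    # 2. Key Usage: openssl prints the flags on the line after the header.
    if printf '%s\n' "$text" | grep -q 'X509v3 Key Usage'; then
        printf '%s\n' "$text" | sed -n '/X509v3 Key Usage/{n;p;}' \
            | grep -q 'Certificate Sign' \
            || { echo "REJECT: Key Usage lacks Certificate Sign"; return 1; }
    fi

    # 3. Netscape Cert Type: only enforced when the extension exists.
    if printf '%s\n' "$text" | grep -q 'Netscape Cert Type'; then
        printf '%s\n' "$text" | sed -n '/Netscape Cert Type/{n;p;}' \
            | grep -q 'SSL CA' \
            || { echo "REJECT: Netscape Cert Type present but lacks SSL CA"; return 1; }
    fi

    echo "OK: $cert is usable as an SSL CA"
    return 0
}
```

Run it as check_ssl_ca /path/to/rootca.pem; a REJECT line for rule 3 means the CA must be reissued with sslCA added to nsCertType (or without the extension) before FreeIPA will accept it.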