Hi,

On Mon, Mar 17, 2025 at 10:13 AM Raymond Spangle via FreeIPA-users <[email protected]> wrote:
> Florence Blanc-Renaud wrote:
> > Hi,
> >
> > Can you provide the output of
> > ldapsearch -D "cn=directory manager" -W -b cn=certificates,cn=ipa,cn=etc,<your suffix>
> > The attributes ipaKeyExtUsage and ipaKeyTrust should reflect the trust flags.
> > flo
>
> Certainly, thanks for assisting! (I've shortened the key and crt strings for ease of reading.)
>
> # ldapsearch -D "cn=directory manager" -W -b cn=certificates,cn=ipa,cn=etc,dc=vss,dc=vzbi,dc=com
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <cn=certificates,cn=ipa,cn=etc,dc=vss,dc=vzbi,dc=com> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # certificates, ipa, etc, vss.vzbi.com
> dn: cn=certificates,cn=ipa,cn=etc,dc=vss,dc=vzbi,dc=com
> cn: certificates
> objectClass: nsContainer
> objectClass: top
>
> # VSS.VZBI.COM IPA CA, certificates, ipa, etc, vss.vzbi.com
> dn: cn=VSS.VZBI.COM IPA CA,cn=certificates,cn=ipa,cn=etc,dc=vss,dc=vzbi,dc=com
> ipaCertIssuerSerial: CN=Certificate Authority,O=VSS.VZBI.COM;1
> cn: VSS.VZBI.COM IPA CA
> ipaConfigString: ipaCa
> ipaConfigString: compatCA
> cACertificate;binary:: MIIEjjCCA...lMlosLouG65
> objectClass: ipaCertificate
> objectClass: pkiCA
> objectClass: ipaKeyPolicy
> objectClass: top
> ipaPublicKey:: MIIBojANB...UPAgMBAAE=
> ipaKeyTrust: trusted
> ipaCertSubject: CN=Certificate Authority,O=VSS.VZBI.COM
> ipaKeyExtUsage: 1.3.6.1.5.5.7.3.4
> ipaKeyExtUsage: 1.3.6.1.5.5.7.3.1
> ipaKeyExtUsage: 1.3.6.1.5.5.7.3.3
> ipaKeyExtUsage: 1.3.6.1.5.5.7.3.2

This one is the IPA CA certificate (self-signed), with CT,C,C flags.
> # CyberTrustRoot, certificates, ipa, etc, vss.vzbi.com
> dn: cn=CyberTrustRoot,cn=certificates,cn=ipa,cn=etc,dc=vss,dc=vzbi,dc=com
> ipaKeyExtUsage: 1.3.6.1.5.5.7.3.1
> ipaKeyTrust: trusted
> cACertificate;binary:: MIIDdzCCAl+g...V/OeBHRnDJELqYzmp
> ipaPublicKey:: MIIBIjANB...aOQIDAQAB
> ipaCertIssuerSerial: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE;33554617
> ipaCertSubject: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE
> cn: CyberTrustRoot
> objectClass: ipaCertificate
> objectClass: pkiCA
> objectClass: ipaKeyPolicy
> objectClass: top

This one corresponds to your CyberTrustRoot, self-signed, with C,, flags.

> # DigiCertCA, certificates, ipa, etc, vss.vzbi.com
> dn: cn=DigiCertCA,cn=certificates,cn=ipa,cn=etc,dc=vss,dc=vzbi,dc=com
> ipaKeyExtUsage: 1.3.6.1.5.5.7.3.1
> ipaKeyTrust: trusted
> cACertificate;binary:: MIIE4DCCA8i...yLVj6fexOFpmA==
> ipaPublicKey:: MIIBIjANB...nPQIDAQAB
> ipaCertIssuerSerial: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE;13967229389238126287638511701440740160
> ipaCertSubject: CN=DigiCert Baltimore TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US
> cn: DigiCertCA
> objectClass: ipaCertificate
> objectClass: pkiCA
> objectClass: ipaKeyPolicy
> objectClass: top

This one is your DigiCertCA, with C,, flags, issued by CyberTrustRoot.

> # DigiCert Global G2 TLS RSA SHA256 2020 CA1 - DigiCert Inc, certificates, ipa, etc, vss.vzbi.com
> dn: cn=DigiCert Global G2 TLS RSA SHA256 2020 CA1 - DigiCert Inc,cn=certificates,cn=ipa,cn=etc,dc=vss,dc=vzbi,dc=com
> objectClass: ipaCertificate
> objectClass: pkiCA
> objectClass: ipaKeyPolicy
> objectClass: top
> cn: DigiCert Global G2 TLS RSA SHA256 2020 CA1 - DigiCert Inc
> ipaCertSubject: CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US
> ipaCertIssuerSerial: CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US;17226682543955925492517929723242541158
> ipaPublicKey:: MIIBIjANBgk...QIDAQAB
> cACertificate;binary:: MIIEyDCC...51b2EQJ8HmA==
> ipaKeyExtUsage: 1.3.6.1.4.1.3319.6.10.16

This one is DigiCert Global G2 TLS RSA SHA256 2020 CA1 - DigiCert Inc, installed with ,, and issued by DigiCert Global Root G2.

> # DigiCert Global Root G2 - DigiCert Inc, certificates, ipa, etc, vss.vzbi.com
> dn: cn=DigiCert Global Root G2 - DigiCert Inc,cn=certificates,cn=ipa,cn=etc,dc=vss,dc=vzbi,dc=com
> ipaKeyTrust: trusted
> ipaKeyExtUsage: 1.3.6.1.5.5.7.3.1
> ipaKeyExtUsage: 1.3.6.1.5.5.7.3.3
> ipaKeyExtUsage: 1.3.6.1.5.5.7.3.4
> ipaKeyExtUsage: 1.3.6.1.5.5.7.3.2
> objectClass: ipaCertificate
> objectClass: pkiCA
> objectClass: ipaKeyPolicy
> objectClass: top
> cn: DigiCert Global Root G2 - DigiCert Inc
> ipaCertSubject: CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US
> ipaCertIssuerSerial: CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US;4293743540046975378534879503202253541
> ipaPublicKey:: MIIBIjANB...4MphQIDAQAB
> cACertificate;binary:: MIIDjjCC...zNTflMrY=

This one is a self-signed CA, DigiCert Global Root G2 - DigiCert Inc, with CT,C,C.

> # CN\3DBaltimore CyberTrust Root\2COU\3DCyberTrust\2CO\3DBaltimore\2CC\3DIE, certificates, ipa, etc, vss.vzbi.com
> dn: cn=CN\3DBaltimore CyberTrust Root\2COU\3DCyberTrust\2CO\3DBaltimore\2CC\3DIE,cn=certificates,cn=ipa,cn=etc,dc=vss,dc=vzbi,dc=com
> objectClass: ipaCertificate
> objectClass: pkiCA
> objectClass: ipaKeyPolicy
> objectClass: top
> cn: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE
> ipaCertSubject: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE
> ipaCertIssuerSerial: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE;33554617
> ipaPublicKey:: MIIBIjANB...QIDAQAB
> cACertificate;binary:: MIIDdzCCAl...jzV/OeBHRnDJELqYzmp
> ipaKeyTrust: trusted
> ipaKeyExtUsage: 1.3.6.1.5.5.7.3.1

This one has C,, and also seems to correspond to your CyberTrustRoot, but with a name encoded a bit differently.
> # CN\3DDigiCert Baltimore TLS RSA SHA256 2020 CA1\2CO\3DDigiCert Inc\2CC\3DUS, certificates, ipa, etc, vss.vzbi.com
> dn: cn=CN\3DDigiCert Baltimore TLS RSA SHA256 2020 CA1\2CO\3DDigiCert Inc\2CC\3DUS,cn=certificates,cn=ipa,cn=etc,dc=vss,dc=vzbi,dc=com
> objectClass: ipaCertificate
> objectClass: pkiCA
> objectClass: ipaKeyPolicy
> objectClass: top
> cn: CN=DigiCert Baltimore TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US
> ipaCertSubject: CN=DigiCert Baltimore TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US
> ipaCertIssuerSerial: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE;13967229389238126287638511701440740160
> ipaPublicKey:: MIIBIjANB...nPQIDAQAB
> cACertificate;binary:: MIIE4D...fexOFpmA==
> ipaKeyTrust: trusted
> ipaKeyExtUsage: 1.3.6.1.5.5.7.3.1

This one is also DigiCert Baltimore TLS RSA SHA256 2020 CA1, with C,, and issued by CyberTrustRoot.

> # CN\3DDigiCert Global G2 TLS RSA SHA256 2020 CA1\2CO\3DDigiCert Inc\2CC\3DUS, certificates, ipa, etc, vss.vzbi.com
> dn: cn=CN\3DDigiCert Global G2 TLS RSA SHA256 2020 CA1\2CO\3DDigiCert Inc\2CC\3DUS,cn=certificates,cn=ipa,cn=etc,dc=vss,dc=vzbi,dc=com
> objectClass: ipaCertificate
> objectClass: pkiCA
> objectClass: ipaKeyPolicy
> objectClass: top
> cn: CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US
> ipaCertSubject: CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US
> ipaCertIssuerSerial: CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US;17226682543955925492517929723242541158
> ipaPublicKey:: MIIBIjA...poQIDAQAB
> cACertificate;binary:: MIIEyDCCA7...1b2EQJ8HmA==
> ipaKeyExtUsage: 1.3.6.1.4.1.3319.6.10.16

This one is DigiCert Global G2 TLS RSA SHA256 2020 CA1, installed with ,, and issued by DigiCert Global Root G2.

> # CN\3DDigiCert Global Root G2\2COU\3Dwww.digicert.com\2CO\3DDigiCert Inc\2CC\3DUS, certificates, ipa, etc, vss.vzbi.com
> dn: cn=CN\3DDigiCert Global Root G2\2COU\3Dwww.digicert.com\2CO\3DDigiCert Inc\2CC\3DUS,cn=certificates,cn=ipa,cn=etc,dc=vss,dc=vzbi,dc=com
> objectClass: ipaCertificate
> objectClass: pkiCA
> objectClass: ipaKeyPolicy
> objectClass: top
> cn: CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US
> ipaCertSubject: CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US
> ipaCertIssuerSerial: CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US;4293743540046975378534879503202253541
> ipaPublicKey:: MIIBIjAN...QIDAQAB
> cACertificate;binary:: MIIDjjCC...NTflMrY=
> ipaKeyExtUsage: 1.3.6.1.4.1.3319.6.10.16

This one is a self-signed CA, DigiCert Global Root G2, installed with ,,.

As a summary we have:
- IPA CA (*cn=VSS.VZBI.COM IPA CA* with CT,C,C)
- CyberTrustRoot (*cn=CyberTrustRoot* with C,, and *cn=CN\3DBaltimore CyberTrust Root\2COU\3DCyberTrust\2CO\3DBaltimore\2CC\3DIE* with C,,)
- DigiCertCA (*cn=DigiCertCA* with C,, and *cn=CN\3DDigiCert Baltimore TLS RSA SHA256 2020 CA1\2CO\3DDigiCert Inc\2CC\3DUS* with C,,)
- DigiCert Global Root G2 - DigiCert Inc (*cn=DigiCert Global Root G2 - DigiCert Inc* with CT,C,C and *cn=CN\3DDigiCert Global Root G2\2COU\3Dwww.digicert.com\2CO\3DDigiCert Inc\2CC\3DUS* with ,,)
- DigiCert Global G2 TLS RSA SHA256 2020 CA1 - DigiCert Inc (*cn=DigiCert Global G2 TLS RSA SHA256 2020 CA1 - DigiCert Inc* with ,, and *cn=CN\3DDigiCert Global G2 TLS RSA SHA256 2020 CA1\2CO\3DDigiCert Inc\2CC\3DUS* with ,,)

Some certs are duplicated, some certs have invalid flags.
You can remove one of the duplicates:

ldapdelete -D "cn=directory manager" -W "cn=CN\3DBaltimore CyberTrust Root\2COU\3DCyberTrust\2CO\3DBaltimore\2CC\3DIE,cn=certificates,cn=ipa,cn=etc,dc=vss,dc=vzbi,dc=com"
ldapdelete -D "cn=directory manager" -W "cn=CN\3DDigiCert Baltimore TLS RSA SHA256 2020 CA1\2CO\3DDigiCert Inc\2CC\3DUS,cn=certificates,cn=ipa,cn=etc,dc=vss,dc=vzbi,dc=com"
ldapdelete -D "cn=directory manager" -W "cn=CN\3DDigiCert Global Root G2\2COU\3Dwww.digicert.com\2CO\3DDigiCert Inc\2CC\3DUS,cn=certificates,cn=ipa,cn=etc,dc=vss,dc=vzbi,dc=com"
ldapdelete -D "cn=directory manager" -W "cn=CN\3DDigiCert Global G2 TLS RSA SHA256 2020 CA1\2CO\3DDigiCert Inc\2CC\3DUS,cn=certificates,cn=ipa,cn=etc,dc=vss,dc=vzbi,dc=com"

Then fix the trust flags for DigiCert Global G2 TLS RSA SHA256 2020 CA1: create a file mod.ldif with the following content:

dn: cn=DigiCert Global G2 TLS RSA SHA256 2020 CA1 - DigiCert Inc,cn=certificates,cn=ipa,cn=etc,dc=vss,dc=vzbi,dc=com
changetype: modify
add: ipaKeyExtUsage
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.1
-
add: ipaKeyTrust
ipaKeyTrust: trusted

Then call

ldapmodify -D "cn=directory manager" -W -f mod.ldif

After that you will need to run ipa-certupdate on all your IPA machines.

flo

> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 11
> # numEntries: 10
-- _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
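The audit that flo did by hand above (read the cn=certificates dump, spot entries that hold the same certificate under two cn values, spot entries with no trust, then write the ldapdelete/ldapmodify changes) as an added example. This is not code from the thread or from FreeIPA: it parses an ldapsearch LDIF dump, renders ipaKeyTrust/ipaKeyExtUsage as certutil-style flags using the simplified mapping implied by the comments above (assumption: trusted + serverAuth gives C in the SSL slot, clientAuth adds T, emailProtection and codeSigning give C in their slots, and the 1.3.6.1.4.1.3319.6.10.16 placeholder means no usage), groups entries by ipaCertIssuerSerial to find duplicates, and emits the LDIF. The suffix dc=example,dc=test, the realm EXAMPLE.TEST and the sample entries are constructed; deleting the copy whose cn starts with the escaped `CN\3D` mirrors what was done in this thread and is a heuristic, not an IPA rule.

```python
"""Audit an ldapsearch dump of cn=certificates,cn=ipa,cn=etc,<suffix> for duplicated CA
entries and missing trust, and emit the LDIF that fixes them (added example, not IPA code)."""
import base64, re
from collections import defaultdict

# EKU OIDs FreeIPA stores in ipaKeyExtUsage, as they appear in the thread.
EKU = {"serverAuth": "1.3.6.1.5.5.7.3.1", "clientAuth": "1.3.6.1.5.5.7.3.2",
       "codeSigning": "1.3.6.1.5.5.7.3.3", "emailProtection": "1.3.6.1.5.5.7.3.4"}
NO_USAGE = "1.3.6.1.4.1.3319.6.10.16"  # placeholder carried by the ",," entries

BASE = "cn=certificates,cn=ipa,cn=etc,dc=example,dc=test"  # constructed suffix
# Constructed sample shaped like the thread's dump (cACertificate/ipaPublicKey omitted).
SAMPLE_LDIF = rf"""dn: {BASE}
objectClass: nsContainer

dn: cn=EXAMPLE.TEST IPA CA,{BASE}
ipaCertIssuerSerial: CN=Certificate Authority,O=EXAMPLE.TEST;1
ipaKeyTrust: trusted
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.4
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.1
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.3
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.2

dn: cn=CyberTrustRoot,{BASE}
ipaCertIssuerSerial: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=
 IE;33554617
ipaKeyTrust: trusted
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.1

dn: cn=CN\3DBaltimore CyberTrust Root\2COU\3DCyberTrust\2CO\3DBaltimore\2CC\3D
 IE,{BASE}
ipaCertIssuerSerial: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE;33554617
ipaKeyTrust: trusted
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.1

dn: cn=DigiCert Global G2 TLS RSA SHA256 2020 CA1 - DigiCert Inc,{BASE}
ipaCertIssuerSerial: CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US;17226682543955925492517929723242541158
ipaKeyExtUsage: 1.3.6.1.4.1.3319.6.10.16

dn: cn=CN\3DDigiCert Global G2 TLS RSA SHA256 2020 CA1\2CO\3DDigiCert Inc\2CC\3DUS,{BASE}
ipaCertIssuerSerial: CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US;17226682543955925492517929723242541158
ipaKeyExtUsage: 1.3.6.1.4.1.3319.6.10.16

# search result
search: 2
result: 0 Success
"""

def parse_ldif(text):
    """Minimal LDIF reader: unwrap continuation lines, skip '#' comments, drop the ';binary'
    option, decode 'attr::' base64 values, and keep only records that carry a dn."""
    entries, cur = [], defaultdict(list)
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:  # "" flushes the last record
        if not line.strip():
            if "dn" in cur:                # ldapsearch's trailing search:/result: block has none
                entries.append(dict(cur))
            cur = defaultdict(list)
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if value.startswith(":"):      # 'attr:: <base64>'
                cur[name.split(";")[0]].append(base64.b64decode(value[1:].strip()))
            else:
                cur[name.split(";")[0]].append(value.strip())
    return entries

def ca_entries(entries):  # the cn=certificates container itself carries no serial
    return [e for e in entries if "ipaCertIssuerSerial" in e]

def nss_trust_flags(entry):
    """certutil-style 'SSL,Email,ObjSign' flags. Assumed mapping: trusted+serverAuth -> C in
    the SSL slot, +clientAuth -> T, email/codeSigning -> C in their slots, else ',,'."""
    trusted = entry.get("ipaKeyTrust", [""])[0] == "trusted"
    ekus = set(entry.get("ipaKeyExtUsage", []))
    if not trusted or ekus <= {NO_USAGE}:
        return ",,"
    ssl = ("C" if EKU["serverAuth"] in ekus else "") + ("T" if EKU["clientAuth"] in ekus else "")
    email, sign = ("C" if EKU[k] in ekus else "" for k in ("emailProtection", "codeSigning"))
    return f"{ssl},{email},{sign}"

def find_duplicates(entries):
    """Group by ipaCertIssuerSerial: entries sharing issuer;serial hold the same certificate."""
    by_cert = defaultdict(list)
    for e in ca_entries(entries):
        by_cert[e["ipaCertIssuerSerial"][0]].append(e["dn"][0])
    return {k: dns for k, dns in by_cert.items() if len(dns) > 1}

def fix_ldif(entries):
    """Delete the escaped-DN copy of each duplicated CA (cn starting with 'CN\\3D', as in the
    thread; a heuristic, not an IPA rule), then grant C,, (serverAuth + trusted, placeholder
    OID left in place, exactly as the thread's mod.ldif does) to every remaining ',,' CA."""
    dup_dns = {dn for dns in find_duplicates(entries).values() for dn in dns}
    deletes, modifies = [], []
    for e in ca_entries(entries):
        dn = e["dn"][0]
        if dn in dup_dns and dn.startswith("cn=CN\\3D"):
            deletes.append(f"dn: {dn}\nchangetype: delete\n")
        elif nss_trust_flags(e) == ",,":
            modifies.append(f"dn: {dn}\nchangetype: modify\nadd: ipaKeyExtUsage\n"
                            f"ipaKeyExtUsage: {EKU['serverAuth']}\n-\nadd: ipaKeyTrust\n"
                            f"ipaKeyTrust: trusted\n")
    return deletes, modifies

if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print("\n".join(f"{nss_trust_flags(e):8} {e['dn'][0]}" for e in ca_entries(entries)))
    print("\n".join(sum(fix_ldif(entries), [])))  # save as fix.ldif and apply with ldapmodify -f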
