[Freeipa-users] Re: Converting an outside CA to a subordinate CA under IPA's Root CA

2021-02-16 Thread Fraser Tweedale via FreeIPA-users
On Tue, Feb 16, 2021 at 09:52:27AM -0500, Bret Wortman wrote:
> I found my error and got past this and completed the rest of the
> steps up to setting up the new server. Is there an easy way to
> test a certificate granted by their CA to see if it's now going to
> be accepted on a system where IPA's root CA certificate is present
> but their Root CA is not? I'd like to verify this before
> installing the new IPA CA for them.
> 

Huh, it all worked?  I'm surprised it accepted the CN.

Well, you can verify the certificate chain with OpenSSL.  And when
you configure the server software, be sure to include the Web Team
CA in the chain, otherwise there will be a missing link for clients
that only have the IPA CA in their trust store.

Thanks,
Fraser


[Freeipa-users] Re: Converting an outside CA to a subordinate CA under IPA's Root CA

2021-02-16 Thread Fraser Tweedale via FreeIPA-users
On Tue, Feb 16, 2021 at 09:23:23AM -0500, Bret Wortman wrote:

> Because the full CN is actually "damascusgrp.com DG Web Team Root
> CA", does that complicate this or do I just need to find a way to
> add all that as a host?

I'm sorry.  Yes it does.  I misread the DN!  My apologies.

I will think about what workaround may be possible for you.

One that immediately comes to mind is make an intermediate CA with
OpenSSL, that has a domain name as CN.  Sign the Web Team CA with
the intermediate, then sign the intermediate with FreeIPA.

But I'll see if I can think of any other approach.

As for the "Invalid profile ID" error, it is due to the "."
character in "damascusgrp.com".  Just replace it with an underscore
in the profileID.

Thanks,
Fraser
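Fraser's chain check above (verify with OpenSSL, and ship the Web Team CA as part of the server's chain so clients that trust only the IPA CA are not left with a missing link) together with the intermediate-with-a-domain-name-CN workaround, as an added shell example that is not code from the thread. It assumes `openssl` and `mktemp` on PATH; the self-signed root stands in for the IPA CA, and every subject, file name and the `damascusgrp.example` host are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: build a stand-in chain with OpenSSL
# and check how a client that trusts ONLY the root (the IPA CA's role here)
# sees a leaf certificate issued by the Web Team CA.
#
#   root CA  (stand-in for the IPA CA; the only cert in the client trust store)
#    -> intermediate CA with a domain-name CN (the OpenSSL intermediate workaround)
#        -> Web Team CA (the developer team's CA subject, re-signed)
#            -> leaf certificate issued by the Web Team CA
#
# All subjects and host names below are constructed for this example.
set -eu

# Minimal OpenSSL config so the script does not depend on the system openssl.cnf.
write_cfg() {
    cat > "$1/chain.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.damascusgrp.example
EOF
}

# make_cert DIR NAME SUBJECT EXT_SECTION [ISSUER]
# Without ISSUER the certificate is self-signed (the root); otherwise it is
# signed by DIR/ISSUER.key.  Keys are P-256 to keep the run fast.
make_cert() {
    d="$1"; name="$2"; subj="$3"; ext="$4"; issuer="${5:-}"
    openssl ecparam -genkey -name prime256v1 -noout -out "$d/$name.key" 2>/dev/null
    if [ -z "$issuer" ]; then
        openssl req -x509 -new -key "$d/$name.key" -subj "$subj" -days 30 \
            -config "$d/chain.cnf" -extensions "$ext" -out "$d/$name.crt" 2>/dev/null
    else
        openssl req -new -key "$d/$name.key" -subj "$subj" \
            -config "$d/chain.cnf" -out "$d/$name.csr" 2>/dev/null
        openssl x509 -req -in "$d/$name.csr" -CA "$d/$issuer.crt" -CAkey "$d/$issuer.key" \
            -CAcreateserial -days 30 -extfile "$d/chain.cnf" -extensions "$ext" \
            -out "$d/$name.crt" 2>/dev/null
    fi
}

# build_chain DIR: creates root, intermediate, webteam and leaf certificates,
# plus chain.pem, the file the server must send alongside its leaf certificate.
build_chain() {
    d="$1"
    write_cfg "$d"
    make_cert "$d" root         "/O=Example Org/CN=Example IPA Root CA (stand-in)" v3_ca
    make_cert "$d" intermediate "/O=DG Web Team/CN=damascusgrp.example" v3_ca root
    make_cert "$d" webteam      "/O=DG Web Team/OU=DG/CN=damascusgrp.example DG Web Team Root CA" v3_ca intermediate
    make_cert "$d" leaf         "/O=DG Web Team/CN=www.damascusgrp.example" v3_leaf webteam
    cat "$d/webteam.crt" "$d/intermediate.crt" > "$d/chain.pem"
}

# verify_leaf DIR [CHAIN_FILE]: verify the leaf trusting only root.crt.
# CHAIN_FILE, if given, plays the role of the intermediates a server sends.
# Returns 0 only if OpenSSL reports the leaf as OK.
verify_leaf() {
    d="$1"; chain="${2:-}"
    if [ -n "$chain" ]; then
        out=$(openssl verify -CAfile "$d/root.crt" -untrusted "$chain" "$d/leaf.crt" 2>&1) || true
    else
        out=$(openssl verify -CAfile "$d/root.crt" "$d/leaf.crt" 2>&1) || true
    fi
    printf '%s\n' "$out"
    case "$out" in
        *": OK"*) return 0 ;;
        *)        return 1 ;;
    esac
}

demo() {
    d=$(mktemp -d)
    build_chain "$d"
    echo "leaf alone, only the root trusted (the missing-link case):"
    verify_leaf "$d" || true
    echo "leaf plus chain.pem, only the root trusted:"
    verify_leaf "$d" "$d/chain.pem"
    rm -rf "$d"
}

demo
```

The first verification fails with "unable to get local issuer certificate" because the client has neither the Web Team CA nor the intermediate; the second succeeds once the server supplies both as untrusted chain certificates.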



[Freeipa-users] Re: Converting an outside CA to a subordinate CA under IPA's Root CA

2021-02-16 Thread Bret Wortman via FreeIPA-users
Because the full CN is actually "damascusgrp.com DG Web Team Root CA", does 
that complicate this or do I just need to find a way to add all that as a host?


-- 
  Bret Wortman
  bret.wort...@damascusgrp.com

On Tue, Feb 16, 2021, at 8:06 AM, Bret Wortman wrote:
> I may well have messed this up, but here's what I've done:
> 
> # ipa host-add --force damascusgrp.com
> 
> Added host "damascusgrp.com"
> 
>   Host name: damascusgrp.com
>   Principal name: host/damascusgrp@damascusgrp.com
>   Principal alias: host/damascusgrp@damascusgrp.com
>   Password: False
>   Member of host-groups: allow_all_hosts
>   Indirect Member of netgroup: allow_all_hosts
>   Keytab: False
>   Managed by: damascusgrp.com
> # ipa certprofile-show caIPAserviceCert --out SubCA.cfg
> 
> Profile configuration stored in file "SubCA.cfg"
> 
>   Profile ID: caIPAserviceCert
>   Profile description: Standard profile for network services
>   Store issued certificates: TRUE
> # vim SubCA.cfg
> :
> profileId=damascusgrp.com
> :
> # ipa certprofile-import 'damascusgrp.com' --desc "Web Team CA" --file SubCA.cfg --store=1
> ipa: ERROR: invalid 'id': invalid Profile ID
> 
> 
> -- 
>   Bret Wortman
>   bret.wort...@damascusgrp.com

[Freeipa-users] Re: Converting an outside CA to a subordinate CA under IPA's Root CA

2021-02-16 Thread Bret Wortman via FreeIPA-users
I found my error and got past this and completed the rest of the steps up to 
setting up the new server. Is there an easy way to test a certificate granted 
by their CA to see if it's now going to be accepted on a system where IPA's 
root CA certificate is present but their Root CA is not? I'd like to verify 
this before installing the new IPA CA for them.


-- 
  Bret Wortman
  bret.wort...@damascusgrp.com

On Tue, Feb 16, 2021, at 9:23 AM, Bret Wortman wrote:
> Because the full CN is actually "damascusgrp.com DG Web Team Root CA", 
> does that complicate this or do I just need to find a way to add all 
> that as a host?
> 
> 
> -- 
>   Bret Wortman
>   bret.wort...@damascusgrp.com

[Freeipa-users] Re: Converting an outside CA to a subordinate CA under IPA's Root CA

2021-02-16 Thread Bret Wortman via FreeIPA-users
I may well have messed this up, but here's what I've done:

# ipa host-add --force damascusgrp.com

Added host "damascusgrp.com"

  Host name: damascusgrp.com
  Principal name: host/damascusgrp@damascusgrp.com
  Principal alias: host/damascusgrp@damascusgrp.com
  Password: False
  Member of host-groups: allow_all_hosts
  Indirect Member of netgroup: allow_all_hosts
  Keytab: False
  Managed by: damascusgrp.com
# ipa certprofile-show caIPAserviceCert --out SubCA.cfg

Profile configuration stored in file "SubCA.cfg"

  Profile ID: caIPAserviceCert
  Profile description: Standard profile for network services
  Store issued certificates: TRUE
# vim SubCA.cfg
:
profileId=damascusgrp.com
:
# ipa certprofile-import 'damascusgrp.com' --desc "Web Team CA" --file SubCA.cfg --store=1
ipa: ERROR: invalid 'id': invalid Profile ID


-- 
  Bret Wortman
  bret.wort...@damascusgrp.com

On Tue, Feb 16, 2021, at 7:40 AM, Bret Wortman wrote:
> Just to be clear, I'm going to follow the steps, but instead of setting 
> up sub.ipa.local, I'm going to instead use simply "damascusgrp.com", 
> yielding a principal named host/damascusgrp@damascusgrp.com, right? 
> And then proceed through the rest of the steps.
> 
> 
> -- 
>   Bret Wortman
>   bret.wort...@damascusgrp.com

[Freeipa-users] Re: Converting an outside CA to a subordinate CA under IPA's Root CA

2021-02-16 Thread Bret Wortman via FreeIPA-users
Just to be clear, I'm going to follow the steps, but instead of setting up 
sub.ipa.local, I'm going to instead use simply "damascusgrp.com", yielding a 
principal named host/damascusgrp@damascusgrp.com, right? And then proceed 
through the rest of the steps.


-- 
  Bret Wortman
  bret.wort...@damascusgrp.com

On Tue, Feb 16, 2021, at 7:05 AM, Bret Wortman wrote:
> Okay, I'll give it a try. Thanks!
> 
> 
> -- 
>   Bret Wortman
>   bret.wort...@damascusgrp.com
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure


[Freeipa-users] Re: Converting an outside CA to a subordinate CA under IPA's Root CA

2021-02-16 Thread Bret Wortman via FreeIPA-users
Okay, I'll give it a try. Thanks!


-- 
  Bret Wortman
  bret.wort...@damascusgrp.com

On Tue, Feb 16, 2021, at 6:59 AM, Fraser Tweedale wrote:
> On Tue, Feb 16, 2021 at 05:53:31AM -0500, Bret Wortman wrote:
> > Fraser,
> > 
> > It doesn't look like we fit the model. Our IPA CA's cert is as
> > expected, but the other one is:
> > 
> > $ openssl x509 -noout -in web-ca.crt -issuer
> > issuer= /C=US/ST=VA/L=Fairfax/O=DG Web Team/OU=DG/CN=damascusgrp.com DG Web Team Root CA
> > 
> > Since I don't see a hostname in there anywhere (and in fact,
> > further conversations with this team turned up the fact that
> > they're just creating these by hand using openssl commands rather
> > than running any sort of service at all), I'm hesitant to just
> > barge ahead and try to make it work on my own...
>  
> The CN (damascusgrp.com) is a domain name.  You can add a host
> object with that name to FreeIPA.  I think the procedure outlined in
> the blog post should work for you.
> 
> Cheers,
> Fraser
> 
> > 
> > -- 
> >   Bret Wortman
> >   bret.wort...@damascusgrp.com
> > 
> > On Mon, Feb 15, 2021, at 8:30 PM, Fraser Tweedale wrote:
> > > On Mon, Feb 15, 2021 at 10:10:59AM -0500, Bret Wortman via FreeIPA-users 
> > > wrote:
> > > > We had a developer team deploy their own CA and then issue a slew
> > > > of certificates for users' workstations and other servers, and now
> > > > they want us to deploy those certificates more widely. I'd rather
> > > > find a way to bring their CA under ours so that the root CA
> > > > certificate we already distribute will make theirs "just work"
> > > > rather than having to distribute another set of root CA
> > > > certificates.
> > > > 
> > > > Is this possible, or would they have to start over and build a
> > > > subordinate CA from the ground up to make it work? If it's perhaps
> > > > possible, under what circumstances?
> > > > 
> > > Hi Bret,
> > > 
> > > It is possible, but there are restrictions about what the sub-CA's
> > > subject DN can be.  Have a read of this blog post:
> > > https://frasertweedale.github.io/blog-redhat/posts/2018-08-21-ipa-subordinate-ca.html
> > > 
> > > If your developer team's CA certificate does not fit those
> > > requirements, please share the details of the certificate
> > > (especially Subject DN) and I'll see if I can find a workaround.
> > > 
> > > Cheers,
> > > Fraser
> > > 
> > > >
> > > > Thanks!
> > > > 
> > > > Bret


[Freeipa-users] Re: Converting an outside CA to a subordinate CA under IPA's Root CA

2021-02-16 Thread Bret Wortman via FreeIPA-users
Fraser,

It doesn't look like we fit the model. Our IPA CA's cert is as expected, but 
the other one is:

$ openssl x509 -noout -in web-ca.crt -issuer
issuer= /C=US/ST=VA/L=Fairfax/O=DG Web Team/OU=DG/CN=damascusgrp.com DG Web Team Root CA

Since I don't see a hostname in there anywhere (and in fact, further 
conversations with this team turned up the fact that they're just creating 
these by hand using openssl commands rather than running any sort of service at 
all), I'm hesitant to just barge ahead and try to make it work on my own...


-- 
  Bret Wortman
  bret.wort...@damascusgrp.com

On Mon, Feb 15, 2021, at 8:30 PM, Fraser Tweedale wrote:
> On Mon, Feb 15, 2021 at 10:10:59AM -0500, Bret Wortman via FreeIPA-users 
> wrote:
> > We had a developer team deploy their own CA and then issue a slew
> > of certificates for users' workstations and other servers, and now
> > they want us to deploy those certificates more widely. I'd rather
> > find a way to bring their CA under ours so that the root CA
> > certificate we already distribute will make theirs "just work"
> > rather than having to distribute another set of root CA
> > certificates.
> > 
> > Is this possible, or would they have to start over and build a
> > subordinate CA from the ground up to make it work? If it's perhaps
> > possible, under what circumstances?
> > 
> Hi Bret,
> 
> It is possible, but there are restrictions about what the sub-CA's
> subject DN can be.  Have a read of this blog post:
> https://frasertweedale.github.io/blog-redhat/posts/2018-08-21-ipa-subordinate-ca.html
> 
> If your developer team's CA certificate does not fit those
> requirements, please share the details of the certificate
> (especially Subject DN) and I'll see if I can find a workaround.
> 
> Cheers,
> Fraser
> 
> >
> > Thanks!
> > 
> > Bret


[Freeipa-users] Re: Converting an outside CA to a subordinate CA under IPA's Root CA

2021-02-16 Thread Fraser Tweedale via FreeIPA-users
On Tue, Feb 16, 2021 at 05:53:31AM -0500, Bret Wortman wrote:
> Fraser,
> 
> It doesn't look like we fit the model. Our IPA CA's cert is as
> expected, but the other one is:
> 
> $ openssl x509 -noout -in web-ca.crt -issuer
> issuer= /C=US/ST=VA/L=Fairfax/O=DG Web Team/OU=DG/CN=damascusgrp.com DG Web Team Root CA
> 
> Since I don't see a hostname in there anywhere (and in fact,
> further conversations with this team turned up the fact that
> they're just creating these by hand using openssl commands rather
> than running any sort of service at all), I'm hesitant to just
> barge ahead and try to make it work on my own...
 
The CN (damascusgrp.com) is a domain name.  You can add a host
object with that name to FreeIPA.  I think the procedure outlined in
the blog post should work for you.

Cheers,
Fraser

> 
> -- 
>   Bret Wortman
>   bret.wort...@damascusgrp.com
> 
> On Mon, Feb 15, 2021, at 8:30 PM, Fraser Tweedale wrote:
> > On Mon, Feb 15, 2021 at 10:10:59AM -0500, Bret Wortman via FreeIPA-users 
> > wrote:
> > > We had a developer team deploy their own CA and then issue a slew
> > > of certificates for users' workstations and other servers, and now
> > > they want us to deploy those certificates more widely. I'd rather
> > > find a way to bring their CA under ours so that the root CA
> > > certificate we already distribute will make theirs "just work"
> > > rather than having to distribute another set of root CA
> > > certificates.
> > > 
> > > Is this possible, or would they have to start over and build a
> > > subordinate CA from the ground up to make it work? If it's perhaps
> > > possible, under what circumstances?
> > > 
> > Hi Bret,
> > 
> > It is possible, but there are restrictions about what the sub-CA's
> > subject DN can be.  Have a read of this blog post:
> > https://frasertweedale.github.io/blog-redhat/posts/2018-08-21-ipa-subordinate-ca.html
> > 
> > If your developer team's CA certificate does not fit those
> > requirements, please share the details of the certificate
> > (especially Subject DN) and I'll see if I can find a workaround.
> > 
> > Cheers,
> > Fraser
> > 
> > >
> > > Thanks!
> > > 
> > > Bret

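Added worked example (not from this thread, and not FreeIPA's own tooling): a throwaway openssl PKI that shows what the conversion discussed in the two messages above amounts to at the X.509 level, and the check a practitioner would want before and after it. It assumes the conversion is: take the Web Team CA's existing key pair, make a CSR carrying its existing Subject DN, and have the root issue a CA certificate for that key. A plain openssl root stands in for the IPA CA, so the FreeIPA side (the host object for the CN, the sub-CA profile and its DN restrictions) is not modelled; apart from the Web Team DN quoted above, every DN, hostname and serial number is constructed for the demo. One caveat on Bret's command: "openssl x509 -issuer" prints the issuer DN, which on a self-signed root is identical to the subject DN, and the subject DN is the field the sub-CA rules apply to, so the script prints both.

```shell
#!/bin/sh
# Added example; not code from the thread or from FreeIPA. Builds a
# throwaway PKI with openssl to show what "converting an outside CA to a
# subordinate CA" means at the X.509 level: the Web Team CA keeps its key
# pair and Subject DN and only receives a new CA certificate signed by the
# root. A plain openssl root stands in for the IPA CA (assumption); the
# root DN, hostnames and serial numbers below are constructed.
set -eu
PKI=$(mktemp -d)
ROOT_DN="/O=DAMASCUSGRP.COM/CN=Certificate Authority"   # assumed IPA-style root DN
WEB_DN="/C=US/ST=VA/L=Fairfax/O=DG Web Team/OU=DG/CN=damascusgrp.com DG Web Team Root CA"

# Minimal req config so the demo does not depend on the system openssl.cnf.
cat > "$PKI/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
# Extensions a CA certificate issued by another CA must carry.
cat > "$PKI/subca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
# Extensions for an ordinary server certificate.
cat > "$PKI/leaf.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.damascusgrp.com
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# Self-signed CA: $1 = key out, $2 = cert out, $3 = DN
selfsigned_ca() {
    openssl req -x509 -config "$PKI/req.cnf" -newkey rsa:2048 -nodes \
        -keyout "$1" -out "$2" -subj "$3" -days 365 2>/dev/null
}

# Sign a CSR: $1 = CSR, $2 = issuer cert, $3 = issuer key, $4 = ext file,
# $5 = serial, $6 = cert out
sign() {
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -extfile "$4" \
        -set_serial "$5" -days 365 -out "$6" 2>/dev/null
}

build_pki() {
    cd "$PKI"
    # 1. The two CAs as they exist today: the "IPA" root and the Web Team's
    #    hand-made self-signed root.
    selfsigned_ca root.key root.pem "$ROOT_DN"
    selfsigned_ca web-ca.key web-ca.pem "$WEB_DN"
    # 2. A server certificate the Web Team already issued under its own root.
    openssl req -new -config req.cnf -newkey rsa:2048 -nodes -keyout leaf.key \
        -subj "/CN=www.damascusgrp.com" -out leaf.csr 2>/dev/null
    sign leaf.csr web-ca.pem web-ca.key leaf.ext 1001 leaf.pem
    # 3. The conversion: a CSR from the Web Team's EXISTING key with the SAME
    #    Subject DN, issued by the root as a CA certificate. In FreeIPA this
    #    CSR is what goes through the sub-CA certificate profile.
    openssl req -new -config req.cnf -key web-ca.key -subj "$WEB_DN" \
        -out web-ca.csr 2>/dev/null
    sign web-ca.csr root.pem root.key subca.ext 2 web-ca-sub.pem
}

# Single-line subject or issuer DN: $1 = -subject|-issuer, $2 = cert
dn() { openssl x509 -noout "$1" -nameopt RFC2253 -in "$2" | sed 's/^[a-z]*=//'; }

# Subject Key Identifier of a certificate as a hex string
skid() { openssl x509 -noout -ext subjectKeyIdentifier -in "$1" | tail -n 1 | tr -d ' '; }

# Verify leaf.pem against trust anchor $1, with optional intermediate $2.
# Returns 0 when a chain builds, non-zero otherwise.
verify_leaf() {
    if [ $# -ge 2 ]; then
        openssl verify -CAfile "$1" -untrusted "$2" "$PKI/leaf.pem" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$PKI/leaf.pem" >/dev/null 2>&1
    fi
}

build_pki
cd "$PKI"
echo "web-ca.pem     subject: $(dn -subject web-ca.pem)"
echo "web-ca.pem     issuer : $(dn -issuer web-ca.pem)"      # same DN: self-signed
echo "web-ca-sub.pem subject: $(dn -subject web-ca-sub.pem)" # unchanged by the conversion
echo "web-ca-sub.pem issuer : $(dn -issuer web-ca-sub.pem)"  # now the root
echo "SKID old/new: $(skid web-ca.pem) / $(skid web-ca-sub.pem)"
verify_leaf web-ca.pem              && echo "old trust store, leaf: OK"
verify_leaf root.pem                || echo "root only, leaf: FAIL (missing intermediate)"
verify_leaf root.pem web-ca-sub.pem && echo "root + re-issued Web Team CA, leaf: OK"
```

Run it with sh; it needs only openssl. Two things to take away: the re-issued certificate keeps the Subject DN and the Subject Key Identifier of the original, so certificates the Web Team already issued still chain to it without being re-issued; and verification against the root alone fails until the re-issued Web Team CA certificate is supplied as the intermediate, which is exactly what every server using these certificates has to send in its chain to clients that trust only the IPA root.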

[Freeipa-users] Re: Converting an outside CA to a subordinate CA under IPA's Root CA

2021-02-15 Thread Fraser Tweedale via FreeIPA-users
On Mon, Feb 15, 2021 at 10:10:59AM -0500, Bret Wortman via FreeIPA-users wrote:
> We had a developer team deploy their own CA and then issue a slew
> of certificates for users' workstations and other servers, and now
> they want us to deploy those certificates more widely. I'd rather
> find a way to bring their CA under ours so that the root CA
> certificate we already distribute will make theirs "just work"
> rather than having to distribute another set of root CA
> certificates.
> 
> Is this possible, or would they have to start over and build a
> subordinate CA from the ground up to make it work? If it's perhaps
> possible, under what circumstances?
> 
Hi Bret,

It is possible, but there are restrictions about what the sub-CA's
subject DN can be.  Have a read of this blog post:
https://frasertweedale.github.io/blog-redhat/posts/2018-08-21-ipa-subordinate-ca.html

If your developer team's CA certificate does not fit those
requirements, please share the details of the certificate
(especially Subject DN) and I'll see if I can find a workaround.

Cheers,
Fraser

>
> Thanks!
> 
> Bret