#3303 ipa-server-install help and doc for external CA - PKCS #10 is not for certificate files
Closed: Fixed None Opened 6 years ago by dpal.

https://bugzilla.redhat.com/show_bug.cgi?id=886716 (Red Hat Enterprise Linux 6)

Description of problem:

It is not clear what certificate format is needed to use with the options
--external_cert_file and --external_ca_file of the command ipa-server-install.

The inline help and doc are saying PKCS #10, but PKCS #10 is a format that
describes requests, not certificates.

And I suppose this is not PKCS #12 either since we only need to pass
certificates.

So I suppose base 64 of DER encoding is what may be used, the command below
seems to have worked fine:

ipa-server-install --external_cert_file=/root/ipa.crt
--external_ca_file=/root/ipa.external.ca.issuer.crt

where the 2 .crt files are base 64 of DER encoded certificates, for the IPA CA,
and the external issuer of IPA CA cert.

I seem to have a functional IPA server:
/etc/init.d/ipa status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
DNS Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING


and

ipa cert-show
Serial number: 1
  Certificate: MIIDcDCCAligAwIBAgIBATANBgkqhkiG9w0BAQsFADA2MRQwEgYDVQQKEwtFWEFN
  Subject: CN=OCSP Subsystem,O=EXAMPLE.COM
  Issuer: CN=Certificate Authority,O=EXAMPLE.COM
  Not Before: Wed Dec 12 16:46:19 2012 UTC
  Not After: Tue Dec 02 16:46:19 2014 UTC
  Fingerprint (MD5): b1:9f:1e:6b:3b:7e:31:11:9c:63:33:db:05:5c:2e:1c
  Fingerprint (SHA1): a8:82:06:27:d5:be:58:1a:49:4f:61:38:68:da:8b:af:d6:53:99:d5
  Serial number (hex): 0x1
  Serial number: 1
[root@ipaserver1 ~]#



rpm -qf /usr/sbin/ipa-server-install
ipa-server-2.2.0-16.el6.x86_64

ipa-server-install -help
...
    --external_cert_file=EXTERNAL_CERT_FILE
                        File containing PKCS#10 certificate
    --external_ca_file=EXTERNAL_CA_FILE
                        File containing PKCS#10 of the external CA chain


and in the online RHEL IdM guide:

the following link is right now broken:
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/
creating-server.html#install-ca-options

otherwise:

the options listed are incomplete in:

Chapter 2. Installing an IPA Server
2.4.1. About ipa-server-install
Table 2.2. ipa-server-install Options
page 16


but in page 396
Appendix C. IPA Tools Reference
C.5.4.2. Syntax
ipa-server-install ...
...
external_ca_file=CA_cert_chain_file
    Points to the PKCS#10 file which contains the CA certificate chain of the
    external CA. This is required to validate the certificate issued by the CA
    for the IPA server. If an external CA is used, this is required in a second
    invocation of ipa-server-install to complete the setup process.

external_cert_file=certificate_file
    Points to the PKCS#10 file which contains the certificate that was
    generated by an external CA. If an external CA is used, this is required in
    a second invocation of ipa-server-install to complete the setup process.


PKCS #10 is a format that describes the encoding of requests, not certificates;
more exactly:
The public-key cryptography standard that governs certificate requests.

to me, certificates can either be encoded in binary DER format, or base 64
encoding of DER, or encapsulated in PKCS #7, or protected in a PKCS #12 file

which should be one of those depending on what the ipa-server-install options
external_ca_file and external_cert_file want.


Additional info:

May be backport to earlier version.
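Added example, not part of this ticket or of FreeIPA's own code: a small format sniffer that tells a PEM or DER certificate apart from a PKCS#10 request, a PKCS#7 bundle and a PKCS#12 container by looking at the PEM label and at the opening ASN.1 structure, which is the check a reader of this ticket wants to run on a file before handing it to the external CA options. The DER samples are constructed skeletons with the right opening bytes, not real certificates.

```python
import base64
import re
# Constructed test vectors: minimal DER skeletons with the right opening
# structure, NOT real certificates, requests or containers.
CERT_DER = bytes.fromhex("300a3008a003020102020101")  # tbs opens with [0] version
CSR_DER = bytes.fromhex("300730050201003000")  # cri opens with INTEGER 0
PKCS7_DER = bytes.fromhex("300b06092a864886f70d010702")  # opens with contentType OID
PKCS12_DER = bytes.fromhex("3003020103")  # PFX opens with INTEGER version 3
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def pem(label, der):
    """Wrap DER as PEM: base64 of the DER between BEGIN/END lines."""
    return b"-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, base64.b64encode(der), label)

def _tlv(buf, pos):
    """Decode one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def classify_der(der):
    """Sniff the outer ASN.1 shape only: no full parse, no signature check."""
    try:
        tag, start, end = _tlv(der, 0)
        if tag != 0x30 or end > len(der):
            return "not DER"
        inner, istart, _ = _tlv(der, start)
        if inner == 0x30:
            # v2/v3 certificate tbs opens with [0] version; a PKCS#10 cri opens with INTEGER 0
            first, fs, fe = _tlv(der, istart)
            if first == 0xA0:
                return "certificate"
            if first == 0x02:  # a v1 certificate's serial must be positive (RFC 5280)
                return "PKCS#10 request (not a certificate)" if der[fs:fe] == b"\x00" else "certificate (v1)"
        if inner == 0x06:  # PKCS#7 ContentInfo opens with a contentType OID
            return "PKCS#7 bundle"
        if inner == 0x02:  # PKCS#12 PFX opens with INTEGER version
            return "PKCS#12 container"
    except IndexError:  # truncated input
        pass
    return "unrecognised"

def classify(data):
    """Return (encoding, structure) for raw file bytes; PEM payloads are unwrapped."""
    m = PEM_RE.search(data)
    if m:
        return "PEM " + m.group(1).decode(), classify_der(base64.b64decode(m.group(2)))
    return "DER", classify_der(data)
```

A PEM label that says CERTIFICATE but a payload reported as a PKCS#10 request is exactly the mismatch the sniffer is meant to surface.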

Current (FreeIPA/IdM 4.1) ipa-server-install inline help and man pages no longer refer to PKCS#10:

# ipa-server-install --help
...
    --external-ca       Generate a CSR for the IPA CA certificate to be signed
                        by an external CA
    --external-ca-type=EXTERNAL_CA_TYPE
                        Type of the external CA
    --external-cert-file=FILE
                        File containing the IPA CA certificate and the
                        external CA certificate chain
    --no-pkinit         disables pkinit setup steps
    --dirsrv-cert-file=FILE
                        File containing the Directory Server SSL certificate
                        and private key
    --http-cert-file=FILE
                        File containing the Apache Server SSL certificate and
                        private key
    --pkinit-cert-file=FILE
                        File containing the Kerberos KDC SSL certificate and
                        private key

I am thus marking this bug as fixed. Please feel free to reopen it if you disagree.

Metadata Update from @dpal:
- Issue assigned to jdennis
- Issue set to the milestone: FreeIPA 4.1

2 years ago
