https://bugzilla.redhat.com/show_bug.cgi?id=886716 (Red Hat Enterprise Linux 6)
Description of problem: It is not clear what certificate format is needed to use with the options --external_cert_file and --external_ca_file of the command ipa-server-install. The inline help and doc are saying PKCS #10, but PKCS #10 is a format that describes requests, not certificates. And I suppose this is not PKCS #12 either since we only need to pass certificates. So I suppose base 64 of DER encoding is what may be used; the command below seems to have worked fine:

ipa-server-install --external_cert_file=/root/ipa.crt --external_ca_file=/root/ipa.external.ca.issuer.crt

where the 2 .crt files are base 64 of DER encoded certificates, for the IPA CA, and the external issuer of the IPA CA cert. I seem to have a functional IPA server:

/etc/init.d/ipa status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
DNS Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING

and ipa cert-show

Serial number: 1
Certificate:
Subject: CN=OCSP Subsystem,O=EXAMPLE.COM
Issuer: CN=Certificate Authority,O=EXAMPLE.COM
Not Before: Wed Dec 12 16:46:19 2012 UTC
Not After: Tue Dec 02 16:46:19 2014 UTC
Fingerprint (MD5): b1:9f:1e:6b:3b:7e:31:11:9c:63:33:db:05:5c:2e:1c
Fingerprint (SHA1): a8:82:06:27:d5:be:58:1a:49:4f:61:38:68:da:8b:af:d6:53:99:d5
Serial number (hex): 0x1
Serial number: 1

[root@ipaserver1 ~]# rpm -qf /usr/sbin/ipa-server-install
ipa-server-2.2.0-16.el6.x86_64

ipa-server-install -help
...
--external_cert_file=EXTERNAL_CERT_FILE
                      File containing PKCS#10 certificate
--external_ca_file=EXTERNAL_CA_FILE
                      File containing PKCS#10 of the external CA chain

and in the online RHEL IdM guide: the following link is right now broken: https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/ creating-server.html#install-ca-options

otherwise: the options listed are incomplete in:
Chapter 2. Installing an IPA Server, 2.4.1. About ipa-server-install, Table 2.2. ipa-server-install Options, page 16

but in page 396, Appendix C. IPA Tools Reference, C.5.4.2. Syntax, ipa-server-install ... :

external_ca_file=CA_cert_chain_file
    Points to the PKCS#10 file which contains the CA certificate chain of the external CA. This is required to validate the certificate issued by the CA for the IPA server. If an external CA is used, this is required in a second invocation of ipa-server-install to complete the setup process.

external_cert_file=certificate_file
    Points to the PKCS#10 file which contains the certificate that was generated by an external CA. If an external CA is used, this is required in a second invocation of ipa-server-install to complete the setup process.

PKCS #10 is a format that describes requests encoding, not certificates; more exactly: "The public-key cryptography standard that governs certificate requests." To me, certificates can either be encoded in binary DER format, or base 64 encoding of DER, or encapsulated in PKCS #7, or protected in a PKCS #12 file, which should be one of those depending on what the ipa-server-install options external_ca_file and external_cert_file want.

Version-Release number of selected component (if applicable):
How reproducible:
Steps to Reproduce:
1.
2.
3.
Actual results:
Expected results:
Additional info:
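Added example, not from the ticket or from the FreeIPA project: a small format sniffer that tells a certificate from a PKCS#10 request (and from PKCS#7 and PKCS#12 containers) in either PEM, i.e. base 64 of DER, or bare DER form, by reading only the leading ASN.1 structure of the file, so a wrong file can be caught before it is handed to --external_cert_file or --external_ca_file. It goes beyond the reporter's case by covering all four formats named above; the function names and the sample byte strings (constructed minimal skeletons, not real objects) are my own.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def _tlv(buf, pos):
    """Read one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def classify_der(der):
    """Return 'certificate', 'certificate request', 'pkcs7', 'pkcs12' or 'unknown'."""
    try:
        tag, p, _ = _tlv(der, 0)
        t1, p1, e1 = _tlv(der, p)
        if tag != 0x30 or t1 not in (0x02, 0x06, 0x30):
            return "unknown"
        if t1 == 0x06:                                  # ContentInfo { contentType OID, ... }
            return "pkcs7"
        if t1 == 0x02:                                  # PFX { version INTEGER, authSafe SEQ{OID} }
            t2, p2, _ = _tlv(der, e1)
            return "pkcs12" if t2 == 0x30 and _tlv(der, p2)[0] == 0x06 else "unknown"
        t2, p2, e2 = _tlv(der, p1)                      # tbsCertificate / certificationRequestInfo
        if t2 == 0xA0:                                  # [0] EXPLICIT version: X.509 v2/v3 only
            return "certificate"
        t3, p3, e3 = _tlv(der, e2)                      # after serialNumber (cert) or version (CSR)
        if t2 != 0x02 or t3 != 0x30:
            return "unknown"
        if e3 == p3 or _tlv(der, p3)[0] == 0x31:        # subject Name: empty or RDN SET -> PKCS#10
            return "certificate request"
        return "certificate" if _tlv(der, p3)[0] == 0x06 else "unknown"  # AlgorithmIdentifier OID
    except IndexError:                                  # truncated input
        return "unknown"

def classify(data):
    # Accept PEM (base64 of DER, as the reporter used) or bare DER.
    m = PEM_RE.search(data)
    if m:
        return "PEM " + m.group(1).decode(), classify_der(base64.b64decode(m.group(2)))
    return "DER", classify_der(data)

# Constructed, structurally minimal skeletons (not valid objects) exercising each path.
CERT_V3 = bytes.fromhex("30053003a00100")               # SEQ{SEQ{[0]...}}
CERT_V1 = bytes.fromhex("300a3008020101300306012a")     # SEQ{SEQ{INT, SEQ{OID}}}
CSR = bytes.fromhex("3009300702010030023100")            # SEQ{SEQ{INT, SEQ{SET}}}
PKCS7 = bytes.fromhex("300306012a")                      # SEQ{OID}
PKCS12 = bytes.fromhex("3008020103300306012a")           # SEQ{INT, SEQ{OID}}
PEM_CERT = b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(CERT_V3) + b"-----END CERTIFICATE-----\n"
```

A file that classifies as "certificate request" is a CSR, which is what ipa-server-install produces in its first pass, not what its second pass expects back.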
Maybe backport to an earlier version.
Current (FreeIPA/IdM 4.1) ipa-server-install inline help and man pages no longer refer to PKCS#10:
# ipa-server-install --help
...
  --external-ca         Generate a CSR for the IPA CA certificate to be signed by an external CA
  --external-ca-type=EXTERNAL_CA_TYPE
                        Type of the external CA
  --external-cert-file=FILE
                        File containing the IPA CA certificate and the external CA certificate chain
  --no-pkinit           disables pkinit setup steps
  --dirsrv-cert-file=FILE
                        File containing the Directory Server SSL certificate and private key
  --http-cert-file=FILE
                        File containing the Apache Server SSL certificate and private key
  --pkinit-cert-file=FILE
                        File containing the Kerberos KDC SSL certificate and private key
I am thus marking this bug as fixed. Please feel free to reopen it if you disagree.
Metadata Update from @dpal:
- Issue assigned to jdennis
- Issue set to the milestone: FreeIPA 4.1