Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1129558
+++ This bug was initially created as a clone of Bug #790924 +++ Description of problem: When pkisilent is run with the "-external" flag there are no X.509 v3 extensions added to the certificate signing request (CSR) to signify to the certificate authority (CA) that the request is for a subordinate CA. This situation manifests in conditions where the CA is not a Red Hat Certificate Server. Version-Release number of selected component (if applicable): [root@opskzld31 log]# rpm -qif `which pkisilent` Name : pki-silent Relocations: (not relocatable) Version : 9.0.3 Vendor: Red Hat, Inc. Release : 20.el6 Build Date: Mon 03 Oct 2011 08:08:55 PM EDT Install Date: Mon 30 Jan 2012 12:34:19 PM EST Build Host: x86-002.build.bos.redhat.com Group : System Environment/Base Source RPM: pki-core-9.0.3-20.el6.src.rpm Size : 339099 License: GPLv2 Signature : RSA/8, Mon 07 Nov 2011 10:17:28 AM EST, Key ID 199e2f91fd431d51 Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla> URL : http://pki.fedoraproject.org/ Summary : Certificate System - Silent Installer How reproducible: Steps to Reproduce: 1. Run pkisilent with the -external and -external_csr flags 2. ... 3. (no) Profit Actual results: [root@opskzld31 ssl_test]# cat dogtag.csr -----BEGIN CERTIFICATE REQUEST----- MIIC0jCCAboCAQAwfjELMAkGA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9s aW5hMRAwDgYDVQQHEwdSYWxlaWdoMRUwEwYDVQQKEwxSZWQgSGF0LCBJbmMxLTAr BgNVBAMTJERvZ3RhZyBTdWJvcmRpbmF0ZSBTaWduaW5nIEF1dGhvcml0eTCCASIw DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKSQZD1pB3nVMKEmhtflfplj6xW6 aR5ulle+oWprk8n22RaWX3qsxPo1cgaYXutJ9Zm2ZyOFdR9bE6lt5kyinDcWyiCL xbnKhe6h/jTv7Y88lV3H/sY4qGBtmGssREJLVzH0QhGbq1Sm4rc3drRDZZj34lMv pLoQO30YZqo/aV7H5CnszdVVPD5XAfF+2ui91Wq/C7bVNtyrqpcS17e+nbELhFkn TqcISZsHnMVCeX1IAeMcN+cvAe6secwPkPI1xfOUJ1dAUQErcEwipDOaMRXVkkKf I1ARz/EaHHQSLp/fguGwEVV6RBNU9rYNyZ6BGqpjexCEdeF4qWMoPWIByt8CAwEA AaAPMA0GCSqGSIb3DQEJDjEAMA0GCSqGSIb3DQEBBQUAA4IBAQCUkV9hFQMsJzYk 9lq4Js4KsPTwYAWNTAPCzlaA77RO7coHN06xh8gkXC+MqSA5uiBqKh9BYQ9XL2h5 Q4JxI0SqUK5k/jtZjoha0Ve6mMssovxo0r36YUZP0gK8SOaB04uqfmw58OquhVUV ANk4mdyFCyHY03yttmapA3/dGZRfZ+YdEQ9G7or2Hb3+8DJp0V8orni1nQByvzus IZEYW72zLI1PgOdaP8AXA3OZq01NrUwkXyPH/IWJg3Be7KV/q4CYNxi2OlhFSfqI B7JOMfe7oZUc7IRCFIQ/4dt36Rz6IDuKJ/dLuPQe34/JVTeqnPpdF18JRqzrvk7i 2NHJJPFI -----END CERTIFICATE REQUEST----- [root@opskzld31 ssl_test]# openssl req -in dogtag.csr -noout -text Certificate Request: Data: Version: 0 (0x0) Subject: C=US, ST=North Carolina, L=Raleigh, O=Red Hat, Inc, CN=Dogtag Subordinate Signing Authority Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:a4:90:64:3d:69:07:79:d5:30:a1:26:86:d7:e5: 7e:99:63:eb:15:ba:69:1e:6e:96:57:be:a1:6a:6b: 93:c9:f6:d9:16:96:5f:7a:ac:c4:fa:35:72:06:98: 5e:eb:49:f5:99:b6:67:23:85:75:1f:5b:13:a9:6d: e6:4c:a2:9c:37:16:ca:20:8b:c5:b9:ca:85:ee:a1: fe:34:ef:ed:8f:3c:95:5d:c7:fe:c6:38:a8:60:6d: 98:6b:2c:44:42:4b:57:31:f4:42:11:9b:ab:54:a6: e2:b7:37:76:b4:43:65:98:f7:e2:53:2f:a4:ba:10: 3b:7d:18:66:aa:3f:69:5e:c7:e4:29:ec:cd:d5:55: 3c:3e:57:01:f1:7e:da:e8:bd:d5:6a:bf:0b:b6:d5: 36:dc:ab:aa:97:12:d7:b7:be:9d:b1:0b:84:59:27: 4e:a7:08:49:9b:07:9c:c5:42:79:7d:48:01:e3:1c: 37:e7:2f:01:ee:ac:79:cc:0f:90:f2:35:c5:f3:94: 27:57:40:51:01:2b:70:4c:22:a4:33:9a:31:15:d5: 92:42:9f:23:50:11:cf:f1:1a:1c:74:12:2e:9f:df: 82:e1:b0:11:55:7a:44:13:54:f6:b6:0d:c9:9e:81: 1a:aa:63:7b:10:84:75:e1:78:a9:63:28:3d:62:01: ca:df Exponent: 65537 (0x10001) Attributes: Signature Algorithm: sha1WithRSAEncryption 94:91:5f:61:15:03:2c:27:36:24:f6:5a:b8:26:ce:0a:b0:f4: f0:60:05:8d:4c:03:c2:ce:56:80:ef:b4:4e:ed:ca:07:37:4e: b1:87:c8:24:5c:2f:8c:a9:20:39:ba:20:6a:2a:1f:41:61:0f: 57:2f:68:79:43:82:71:23:44:aa:50:ae:64:fe:3b:59:8e:88: 5a:d1:57:ba:98:cb:2c:a2:fc:68:d2:bd:fa:61:46:4f:d2:02: bc:48:e6:81:d3:8b:aa:7e:6c:39:f0:ea:ae:85:55:15:00:d9: 38:99:dc:85:0b:21:d8:d3:7c:ad:b6:66:a9:03:7f:dd:19:94: 5f:67:e6:1d:11:0f:46:ee:8a:f6:1d:bd:fe:f0:32:69:d1:5f: 28:ae:78:b5:9d:00:72:bf:3b:ac:21:91:18:5b:bd:b3:2c:8d: 4f:80:e7:5a:3f:c0:17:03:73:99:ab:4d:4d:ad:4c:24:5f:23: c7:fc:85:89:83:70:5e:ec:a5:7f:ab:80:98:37:18:b6:3a:58: 45:49:fa:88:07:b2:4e:31:f7:bb:a1:95:1c:ec:84:42:14:84: 3f:e1:db:77:e9:1c:fa:20:3b:8a:27:f7:4b:b8:f4:1e:df:8f: c9:55:37:aa:9c:fa:5d:17:5f:09:46:ac:eb:be:4e:e2:d8:d1: c9:24:f1:48 Expected results: [root@opskzld31 ssl_test]# cat dogtag.csr -----BEGIN CERTIFICATE REQUEST----- MIIDAjCCAeoCAQAwfjELMAkGA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9s aW5hMRAwDgYDVQQHEwdSYWxlaWdoMRUwEwYDVQQKEwxSZWQgSGF0LCBJbmMxLTAr BgNVBAMTJERvZ3RhZyBTdWJvcmRpbmF0ZSBTaWduaW5nIEF1dGhvcml0eTCCASIw DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKSQZD1pB3nVMKEmhtflfplj6xW6 aR5ulle+oWprk8n22RaWX3qsxPo1cgaYXutJ9Zm2ZyOFdR9bE6lt5kyinDcWyiCL xbnKhe6h/jTv7Y88lV3H/sY4qGBtmGssREJLVzH0QhGbq1Sm4rc3drRDZZj34lMv pLoQO30YZqo/aV7H5CnszdVVPD5XAfF+2ui91Wq/C7bVNtyrqpcS17e+nbELhFkn TqcISZsHnMVCeX1IAeMcN+cvAe6secwPkPI1xfOUJ1dAUQErcEwipDOaMRXVkkKf I1ARz/EaHHQSLp/fguGwEVV6RBNU9rYNyZ6BGqpjexCEdeF4qWMoPWIByt8CAwEA AaA/MD0GCSqGSIb3DQEJDjEwMC4wDAYDVR0TBAUwAwEB/zARBglghkgBhvhCAQEE BAMCAgQwCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBBQUAA4IBAQB2uliTrHYQkjeb HVKWg6n5TyyosweFC/QTTis7m7SmlCVMQri63Yp3vXYU2dQ0veAglcECxANVAqZu 9fsrRcvB+NEBrVycEA/VZd1gZ3y/Bw/ByJsk7CIlRdtRivuupDVF1dILjff+vMz8 qVh5Z15d6ff3m6p3IqTBxJjeUNmqRFkLMEJJmDqkM4R5adMU+rCI4V9ILwlO2g0s tgWMaMFe82GET+TwW+I+NMRWO67S+slJzOP04hDVK0iSC93MbooFPoOArhrQVwmX zYZY+llnbYdaILHDNt3P/WWMgAiTmlEksaJbL8UCTRQRP881IpguqJZDP1O5uVhU OjNA13M+ -----END CERTIFICATE REQUEST----- [root@opskzld31 ssl_test]# openssl req -in dogtag.csr -noout -text Certificate Request: Data: Version: 0 (0x0) Subject: C=US, ST=North Carolina, L=Raleigh, O=Red Hat, Inc, CN=Dogtag Subordinate Signing Authority Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:a4:90:64:3d:69:07:79:d5:30:a1:26:86:d7:e5: 7e:99:63:eb:15:ba:69:1e:6e:96:57:be:a1:6a:6b: 93:c9:f6:d9:16:96:5f:7a:ac:c4:fa:35:72:06:98: 5e:eb:49:f5:99:b6:67:23:85:75:1f:5b:13:a9:6d: e6:4c:a2:9c:37:16:ca:20:8b:c5:b9:ca:85:ee:a1: fe:34:ef:ed:8f:3c:95:5d:c7:fe:c6:38:a8:60:6d: 98:6b:2c:44:42:4b:57:31:f4:42:11:9b:ab:54:a6: e2:b7:37:76:b4:43:65:98:f7:e2:53:2f:a4:ba:10: 3b:7d:18:66:aa:3f:69:5e:c7:e4:29:ec:cd:d5:55: 3c:3e:57:01:f1:7e:da:e8:bd:d5:6a:bf:0b:b6:d5: 36:dc:ab:aa:97:12:d7:b7:be:9d:b1:0b:84:59:27: 4e:a7:08:49:9b:07:9c:c5:42:79:7d:48:01:e3:1c: 37:e7:2f:01:ee:ac:79:cc:0f:90:f2:35:c5:f3:94: 27:57:40:51:01:2b:70:4c:22:a4:33:9a:31:15:d5: 92:42:9f:23:50:11:cf:f1:1a:1c:74:12:2e:9f:df: 82:e1:b0:11:55:7a:44:13:54:f6:b6:0d:c9:9e:81: 1a:aa:63:7b:10:84:75:e1:78:a9:63:28:3d:62:01: ca:df Exponent: 65537 (0x10001) Attributes: Requested Extensions: X509v3 Basic Constraints: CA:TRUE Netscape Cert Type: SSL CA X509v3 Key Usage: Certificate Sign, CRL Sign Signature Algorithm: sha1WithRSAEncryption 76:ba:58:93:ac:76:10:92:37:9b:1d:52:96:83:a9:f9:4f:2c: a8:b3:07:85:0b:f4:13:4e:2b:3b:9b:b4:a6:94:25:4c:42:b8: ba:dd:8a:77:bd:76:14:d9:d4:34:bd:e0:20:95:c1:02:c4:03: 55:02:a6:6e:f5:fb:2b:45:cb:c1:f8:d1:01:ad:5c:9c:10:0f: d5:65:dd:60:67:7c:bf:07:0f:c1:c8:9b:24:ec:22:25:45:db: 51:8a:fb:ae:a4:35:45:d5:d2:0b:8d:f7:fe:bc:cc:fc:a9:58: 79:67:5e:5d:e9:f7:f7:9b:aa:77:22:a4:c1:c4:98:de:50:d9: aa:44:59:0b:30:42:49:98:3a:a4:33:84:79:69:d3:14:fa:b0: 88:e1:5f:48:2f:09:4e:da:0d:2c:b6:05:8c:68:c1:5e:f3:61: 84:4f:e4:f0:5b:e2:3e:34:c4:56:3b:ae:d2:fa:c9:49:cc:e3: f4:e2:10:d5:2b:48:92:0b:dd:cc:6e:8a:05:3e:83:80:ae:1a: d0:57:09:97:cd:86:58:fa:59:67:6d:87:5a:20:b1:c3:36:dd: cf:fd:65:8c:80:08:93:9a:51:24:b1:a2:5b:2f:c5:02:4d:14: 11:3f:cf:35:22:98:2e:a8:96:43:3f:53:b9:b9:58:54:3a:33: 40:d7:73:3e Additional info: ... --- Additional comment from Martin Kosek on 2014-07-29 07:57:46 EDT --- I did a quick test with ipa-server-3.3.3-28.el7.x86_64 pki-ca-10.0.5-3.el7.noarch and generated a IPA with CSR request: # ipa-server-install --external-ca ... [38/38]: configuring directory to start on boot Done configuring directory server (dirsrv). Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30 seconds [1/6]: creating certificate server user [2/6]: configuring certificate server instance The next step is to get /root/ipa.csr signed by your CA and re-run ipa-server-install as: ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate # openssl req -in /root/ipa.csr -text Certificate Request: Data: Version: 0 (0x0) Subject: O=IDM.LAB.BOS.REDHAT.COM, CN=Certificate Authority Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:9e:51:15:d4:44:3c:b0:ef:87:fc:fa:09:a7:a8: db:4c:01:5e:1f:b1:32:86:99:ca:c8:d3:ae:e0:65: d3:c2:58:64:67:5c:99:1b:df:92:1f:f9:e3:13:cc: b7:54:a4:b7:95:98:f6:b0:7b:40:c2:9f:79:22:7b: bb:67:3e:d2:f4:82:0b:8a:2d:10:f1:ba:20:63:8f: ce:5b:3f:0b:00:b7:2c:47:e6:98:64:9f:df:42:af: ff:de:ec:69:14:fa:76:77:be:fa:26:6f:82:55:9a: 61:f5:04:f2:c0:7a:27:d2:83:d1:e6:9e:a8:55:1e: 9e:b3:a6:a4:f3:c4:73:35:62:fc:8e:e5:bd:81:fc: 7c:50:36:7c:de:c7:d5:74:36:85:e3:05:8e:e8:e5: a2:c7:11:89:c7:fe:56:38:57:10:dd:31:cc:7b:6c: 21:24:50:fe:f6:8b:4a:14:6c:d0:f6:f5:09:e7:33: 39:13:27:7e:d2:35:d3:97:f5:62:f1:84:33:17:3f: 95:99:27:9b:c5:a0:59:0f:ba:ae:c0:4e:18:87:0d: e3:a8:0b:3d:be:31:f8:25:2b:67:e9:59:b8:6f:50: d5:f2:72:68:16:41:af:10:a9:5a:17:d3:df:1f:33: b5:df:e2:0c:7d:e4:c0:f9:39:73:47:0b:d9:b4:0f: 8c:6b Exponent: 65537 (0x10001) Attributes: a0:00 Signature Algorithm: sha256WithRSAEncryption 06:c9:c8:ff:37:4b:75:d3:5d:4e:56:c7:fa:22:7d:6d:f1:fd: 64:96:0d:90:28:c9:4d:77:cc:ec:54:69:23:07:49:34:e4:e2: 15:10:8a:ac:f5:12:4f:65:d9:82:e1:96:74:c7:45:0b:e4:09: db:d0:c9:03:57:6c:51:7b:65:ac:2f:06:13:f0:20:bc:a4:41: 9b:8f:1b:e8:e3:26:5b:da:43:31:c2:41:93:da:c2:8b:a2:c6: 3e:8c:66:a3:a1:94:f5:0a:27:96:c2:11:89:cb:a9:64:0f:09: ab:44:c9:7a:44:18:94:3f:29:5a:78:c4:e1:e4:df:e0:70:7f: 52:be:1b:f3:e7:73:d9:f9:4d:16:38:6c:85:43:a1:74:05:d6: eb:eb:a4:93:12:b6:10:98:81:31:97:f5:03:9d:b7:f3:7c:e6: 18:9e:1c:5d:c0:94:bd:27:0d:0f:a2:f5:24:a5:74:c7:13:45: 5d:36:b4:a3:e8:2f:a5:8a:5f:1e:30:62:33:71:65:49:4e:6f: ce:3c:f2:d0:3e:88:e2:d1:d6:fc:b8:d0:9b:94:8b:47:63:43: cd:0b:49:f9:ff:06:c6:80:67:81:9c:89:b1:47:a5:c1:95:38: ec:70:0b:7b:13:26:99:27:a7:97:5a:64:d3:d0:6d:63:f5:41: 82:7f:c5:f5 -----BEGIN CERTIFICATE REQUEST----- MIIChjCCAW4CAQAwQTEfMB0GA1UEChMWSURNLkxBQi5CT1MuUkVESEFULkNPTTEe MBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEF AAOCAQ8AMIIBCgKCAQEAnlEV1EQ8sO+H/PoJp6jbTAFeH7EyhpnKyNOu4GXTwlhk Z1yZG9+SH/njE8y3VKS3lZj2sHtAwp95Inu7Zz7S9IILii0Q8bogY4/OWz8LALcs R+aYZJ/fQq//3uxpFPp2d776Jm+CVZph9QTywHon0oPR5p6oVR6es6ak88RzNWL8 juW9gfx8UDZ83sfVdDaF4wWO6OWixxGJx/5WOFcQ3THMe2whJFD+9otKFGzQ9vUJ 5zM5Eyd+0jXTl/Vi8YQzFz+VmSebxaBZD7quwE4Yhw3jqAs9vjH4JStn6Vm4b1DV 8nJoFkGvEKlaF9PfHzO13+IMfeTA+TlzRwvZtA+MawIDAQABoAAwDQYJKoZIhvcN AQELBQADggEBAAbJyP83S3XTXU5Wx/oifW3x/WSWDZAoyU13zOxUaSMHSTTk4hUQ iqz1Ek9l2YLhlnTHRQvkCdvQyQNXbFF7ZawvBhPwILykQZuPG+jjJlvaQzHCQZPa wouixj6MZqOhlPUKJ5bCEYnLqWQPCatEyXpEGJQ/KVp4xOHk3+Bwf1K+G/Pnc9n5 TRY4bIVDoXQF1uvrpJMSthCYgTGX9QOdt/N85hieHF3AlL0nDQ+i9SSldMcTRV02 tKPoL6WKXx4wYjNxZUlOb8488tA+iOLR1vy40JuUi0djQ80LSfn/BsaAZ4GcibFH pcGVOOxwC3sTJpknp5daZNPQbWP1QYJ/xfU= -----END CERTIFICATE REQUEST----- and found that the resulting CSR is indeed not digestable by Windows 2012 Server CA. I will attach a screenshot with exact error message. ... --- Additional comment from Christina Fu on 2014-07-29 12:46:48 EDT --- The idea that I shared with atolani was the following (Note: I don't know where IPA places things so it's more of an idea than exact steps): To do "external CA", the tool has to be run twice, as I understand. The first time is to generate the CSR, and the 2nd time is to install the cert after submitting the CSR to the CA. The idea is that the CSR could be replaced at that time in between the two runs of the tool. You regenerate the CSR with whatever tool that suits you. During that time, you want to also swap in the keys. Once you have swapped in the keys to the proper location (where the keys are was something atolani was to find out), and the CSR, submit the proper CSR to the external CA and you can continue from there. atolani, I suggest you put in the detailed steps after your experiment if you get it to work. Incidentally, I was thinking about how useful it would be if one could just reuse existing keypair to generate a new CSR with different extensions. If no such tool exists, we can possibly consider that for the future. I think the fix for the issue at hand is probably not just to add BasicConstraint extension to a subordinate CA. Rather, we should consider allowing one to craft the CSR in finer details. Of course when the "external CA" is our own Dogtag CA then such issue does not exist because we have enrollment profiles to serve the purpose on the server end. --- Additional comment from Martin Kosek on 2014-07-30 02:51:49 EDT --- Thanks Christina. JFTR, this is indeed a 2 step installation. First, ipa-server-install is run with --external-ca, when CSR is signed, it is run again with --external_cert_file and --external_ca_file options. See https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/L inux_Domain_Identity_Authentication_and_Policy_Guide/install-ca-options.html#in stall-ca-external for details. IPA in RHEL-7.0 generates the CSR in /root/ipa.csr. PKI is installed in /var/lib/pki/pki-tomcat/. I am not sure where the key is though. /var/lib/pki/pki-tomcat/ca/alias/ contains just the "Server-Cert cert-pki-ca".
Honza will take care of this one.
FreeIPA command line support is fixed, we are just waiting what will be the result with Bug 1151147.
master:
ipa-4-1:
This feature is complete now, it should not block 4.1.
Bumping PKI requires is tracked in #4645.
Metadata Update from @mkosek: - Issue assigned to jcholast - Issue set to the milestone: FreeIPA 4.1
Login to comment on this ticket.