#4496 Windows Server 2012 CA does not accept CSR generated by IdM External CA installation
Closed: Fixed None Opened 7 years ago by mkosek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1129558

+++ This bug was initially created as a clone of Bug #790924 +++

Description of problem:

When pkisilent is run with the "-external" flag there are no X.509 v3
extensions added to the certificate signing request (CSR) to signify to the
certificate authority (CA) that the request is for a subordinate CA.  This
situation manifests in conditions where the CA is not a Red Hat Certificate
Server.

Version-Release number of selected component (if applicable):
[root@opskzld31 log]# rpm -qif `which pkisilent`
Name        : pki-silent                   Relocations: (not relocatable)
Version     : 9.0.3                             Vendor: Red Hat, Inc.
Release     : 20.el6                        Build Date: Mon 03 Oct 2011
08:08:55 PM EDT
Install Date: Mon 30 Jan 2012 12:34:19 PM EST      Build Host:
x86-002.build.bos.redhat.com
Group       : System Environment/Base       Source RPM:
pki-core-9.0.3-20.el6.src.rpm
Size        : 339099                           License: GPLv2
Signature   : RSA/8, Mon 07 Nov 2011 10:17:28 AM EST, Key ID 199e2f91fd431d51
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - Silent Installer


How reproducible:


Steps to Reproduce:
1. Run pkisilent with the -external and -external_csr flags
2. ...
3. (no) Profit

Actual results:
[root@opskzld31 ssl_test]# cat dogtag.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIC0jCCAboCAQAwfjELMAkGA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9s
aW5hMRAwDgYDVQQHEwdSYWxlaWdoMRUwEwYDVQQKEwxSZWQgSGF0LCBJbmMxLTAr
BgNVBAMTJERvZ3RhZyBTdWJvcmRpbmF0ZSBTaWduaW5nIEF1dGhvcml0eTCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKSQZD1pB3nVMKEmhtflfplj6xW6
aR5ulle+oWprk8n22RaWX3qsxPo1cgaYXutJ9Zm2ZyOFdR9bE6lt5kyinDcWyiCL
xbnKhe6h/jTv7Y88lV3H/sY4qGBtmGssREJLVzH0QhGbq1Sm4rc3drRDZZj34lMv
pLoQO30YZqo/aV7H5CnszdVVPD5XAfF+2ui91Wq/C7bVNtyrqpcS17e+nbELhFkn
TqcISZsHnMVCeX1IAeMcN+cvAe6secwPkPI1xfOUJ1dAUQErcEwipDOaMRXVkkKf
I1ARz/EaHHQSLp/fguGwEVV6RBNU9rYNyZ6BGqpjexCEdeF4qWMoPWIByt8CAwEA
AaAPMA0GCSqGSIb3DQEJDjEAMA0GCSqGSIb3DQEBBQUAA4IBAQCUkV9hFQMsJzYk
9lq4Js4KsPTwYAWNTAPCzlaA77RO7coHN06xh8gkXC+MqSA5uiBqKh9BYQ9XL2h5
Q4JxI0SqUK5k/jtZjoha0Ve6mMssovxo0r36YUZP0gK8SOaB04uqfmw58OquhVUV
ANk4mdyFCyHY03yttmapA3/dGZRfZ+YdEQ9G7or2Hb3+8DJp0V8orni1nQByvzus
IZEYW72zLI1PgOdaP8AXA3OZq01NrUwkXyPH/IWJg3Be7KV/q4CYNxi2OlhFSfqI
B7JOMfe7oZUc7IRCFIQ/4dt36Rz6IDuKJ/dLuPQe34/JVTeqnPpdF18JRqzrvk7i
2NHJJPFI
-----END CERTIFICATE REQUEST-----
[root@opskzld31 ssl_test]# openssl req -in dogtag.csr -noout -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=North Carolina, L=Raleigh, O=Red Hat, Inc, CN=Dogtag
Subordinate Signing Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a4:90:64:3d:69:07:79:d5:30:a1:26:86:d7:e5:
                    7e:99:63:eb:15:ba:69:1e:6e:96:57:be:a1:6a:6b:
                    93:c9:f6:d9:16:96:5f:7a:ac:c4:fa:35:72:06:98:
                    5e:eb:49:f5:99:b6:67:23:85:75:1f:5b:13:a9:6d:
                    e6:4c:a2:9c:37:16:ca:20:8b:c5:b9:ca:85:ee:a1:
                    fe:34:ef:ed:8f:3c:95:5d:c7:fe:c6:38:a8:60:6d:
                    98:6b:2c:44:42:4b:57:31:f4:42:11:9b:ab:54:a6:
                    e2:b7:37:76:b4:43:65:98:f7:e2:53:2f:a4:ba:10:
                    3b:7d:18:66:aa:3f:69:5e:c7:e4:29:ec:cd:d5:55:
                    3c:3e:57:01:f1:7e:da:e8:bd:d5:6a:bf:0b:b6:d5:
                    36:dc:ab:aa:97:12:d7:b7:be:9d:b1:0b:84:59:27:
                    4e:a7:08:49:9b:07:9c:c5:42:79:7d:48:01:e3:1c:
                    37:e7:2f:01:ee:ac:79:cc:0f:90:f2:35:c5:f3:94:
                    27:57:40:51:01:2b:70:4c:22:a4:33:9a:31:15:d5:
                    92:42:9f:23:50:11:cf:f1:1a:1c:74:12:2e:9f:df:
                    82:e1:b0:11:55:7a:44:13:54:f6:b6:0d:c9:9e:81:
                    1a:aa:63:7b:10:84:75:e1:78:a9:63:28:3d:62:01:
                    ca:df
                Exponent: 65537 (0x10001)
        Attributes:
    Signature Algorithm: sha1WithRSAEncryption
        94:91:5f:61:15:03:2c:27:36:24:f6:5a:b8:26:ce:0a:b0:f4:
        f0:60:05:8d:4c:03:c2:ce:56:80:ef:b4:4e:ed:ca:07:37:4e:
        b1:87:c8:24:5c:2f:8c:a9:20:39:ba:20:6a:2a:1f:41:61:0f:
        57:2f:68:79:43:82:71:23:44:aa:50:ae:64:fe:3b:59:8e:88:
        5a:d1:57:ba:98:cb:2c:a2:fc:68:d2:bd:fa:61:46:4f:d2:02:
        bc:48:e6:81:d3:8b:aa:7e:6c:39:f0:ea:ae:85:55:15:00:d9:
        38:99:dc:85:0b:21:d8:d3:7c:ad:b6:66:a9:03:7f:dd:19:94:
        5f:67:e6:1d:11:0f:46:ee:8a:f6:1d:bd:fe:f0:32:69:d1:5f:
        28:ae:78:b5:9d:00:72:bf:3b:ac:21:91:18:5b:bd:b3:2c:8d:
        4f:80:e7:5a:3f:c0:17:03:73:99:ab:4d:4d:ad:4c:24:5f:23:
        c7:fc:85:89:83:70:5e:ec:a5:7f:ab:80:98:37:18:b6:3a:58:
        45:49:fa:88:07:b2:4e:31:f7:bb:a1:95:1c:ec:84:42:14:84:
        3f:e1:db:77:e9:1c:fa:20:3b:8a:27:f7:4b:b8:f4:1e:df:8f:
        c9:55:37:aa:9c:fa:5d:17:5f:09:46:ac:eb:be:4e:e2:d8:d1:
        c9:24:f1:48


Expected results:
[root@opskzld31 ssl_test]# cat dogtag.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIDAjCCAeoCAQAwfjELMAkGA1UEBhMCVVMxFzAVBgNVBAgTDk5vcnRoIENhcm9s
aW5hMRAwDgYDVQQHEwdSYWxlaWdoMRUwEwYDVQQKEwxSZWQgSGF0LCBJbmMxLTAr
BgNVBAMTJERvZ3RhZyBTdWJvcmRpbmF0ZSBTaWduaW5nIEF1dGhvcml0eTCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKSQZD1pB3nVMKEmhtflfplj6xW6
aR5ulle+oWprk8n22RaWX3qsxPo1cgaYXutJ9Zm2ZyOFdR9bE6lt5kyinDcWyiCL
xbnKhe6h/jTv7Y88lV3H/sY4qGBtmGssREJLVzH0QhGbq1Sm4rc3drRDZZj34lMv
pLoQO30YZqo/aV7H5CnszdVVPD5XAfF+2ui91Wq/C7bVNtyrqpcS17e+nbELhFkn
TqcISZsHnMVCeX1IAeMcN+cvAe6secwPkPI1xfOUJ1dAUQErcEwipDOaMRXVkkKf
I1ARz/EaHHQSLp/fguGwEVV6RBNU9rYNyZ6BGqpjexCEdeF4qWMoPWIByt8CAwEA
AaA/MD0GCSqGSIb3DQEJDjEwMC4wDAYDVR0TBAUwAwEB/zARBglghkgBhvhCAQEE
BAMCAgQwCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBBQUAA4IBAQB2uliTrHYQkjeb
HVKWg6n5TyyosweFC/QTTis7m7SmlCVMQri63Yp3vXYU2dQ0veAglcECxANVAqZu
9fsrRcvB+NEBrVycEA/VZd1gZ3y/Bw/ByJsk7CIlRdtRivuupDVF1dILjff+vMz8
qVh5Z15d6ff3m6p3IqTBxJjeUNmqRFkLMEJJmDqkM4R5adMU+rCI4V9ILwlO2g0s
tgWMaMFe82GET+TwW+I+NMRWO67S+slJzOP04hDVK0iSC93MbooFPoOArhrQVwmX
zYZY+llnbYdaILHDNt3P/WWMgAiTmlEksaJbL8UCTRQRP881IpguqJZDP1O5uVhU
OjNA13M+
-----END CERTIFICATE REQUEST-----
[root@opskzld31 ssl_test]# openssl req -in dogtag.csr -noout -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=North Carolina, L=Raleigh, O=Red Hat, Inc, CN=Dogtag
Subordinate Signing Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a4:90:64:3d:69:07:79:d5:30:a1:26:86:d7:e5:
                    7e:99:63:eb:15:ba:69:1e:6e:96:57:be:a1:6a:6b:
                    93:c9:f6:d9:16:96:5f:7a:ac:c4:fa:35:72:06:98:
                    5e:eb:49:f5:99:b6:67:23:85:75:1f:5b:13:a9:6d:
                    e6:4c:a2:9c:37:16:ca:20:8b:c5:b9:ca:85:ee:a1:
                    fe:34:ef:ed:8f:3c:95:5d:c7:fe:c6:38:a8:60:6d:
                    98:6b:2c:44:42:4b:57:31:f4:42:11:9b:ab:54:a6:
                    e2:b7:37:76:b4:43:65:98:f7:e2:53:2f:a4:ba:10:
                    3b:7d:18:66:aa:3f:69:5e:c7:e4:29:ec:cd:d5:55:
                    3c:3e:57:01:f1:7e:da:e8:bd:d5:6a:bf:0b:b6:d5:
                    36:dc:ab:aa:97:12:d7:b7:be:9d:b1:0b:84:59:27:
                    4e:a7:08:49:9b:07:9c:c5:42:79:7d:48:01:e3:1c:
                    37:e7:2f:01:ee:ac:79:cc:0f:90:f2:35:c5:f3:94:
                    27:57:40:51:01:2b:70:4c:22:a4:33:9a:31:15:d5:
                    92:42:9f:23:50:11:cf:f1:1a:1c:74:12:2e:9f:df:
                    82:e1:b0:11:55:7a:44:13:54:f6:b6:0d:c9:9e:81:
                    1a:aa:63:7b:10:84:75:e1:78:a9:63:28:3d:62:01:
                    ca:df
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints:
                CA:TRUE
            Netscape Cert Type:
                SSL CA
            X509v3 Key Usage:
                Certificate Sign, CRL Sign
    Signature Algorithm: sha1WithRSAEncryption
        76:ba:58:93:ac:76:10:92:37:9b:1d:52:96:83:a9:f9:4f:2c:
        a8:b3:07:85:0b:f4:13:4e:2b:3b:9b:b4:a6:94:25:4c:42:b8:
        ba:dd:8a:77:bd:76:14:d9:d4:34:bd:e0:20:95:c1:02:c4:03:
        55:02:a6:6e:f5:fb:2b:45:cb:c1:f8:d1:01:ad:5c:9c:10:0f:
        d5:65:dd:60:67:7c:bf:07:0f:c1:c8:9b:24:ec:22:25:45:db:
        51:8a:fb:ae:a4:35:45:d5:d2:0b:8d:f7:fe:bc:cc:fc:a9:58:
        79:67:5e:5d:e9:f7:f7:9b:aa:77:22:a4:c1:c4:98:de:50:d9:
        aa:44:59:0b:30:42:49:98:3a:a4:33:84:79:69:d3:14:fa:b0:
        88:e1:5f:48:2f:09:4e:da:0d:2c:b6:05:8c:68:c1:5e:f3:61:
        84:4f:e4:f0:5b:e2:3e:34:c4:56:3b:ae:d2:fa:c9:49:cc:e3:
        f4:e2:10:d5:2b:48:92:0b:dd:cc:6e:8a:05:3e:83:80:ae:1a:
        d0:57:09:97:cd:86:58:fa:59:67:6d:87:5a:20:b1:c3:36:dd:
        cf:fd:65:8c:80:08:93:9a:51:24:b1:a2:5b:2f:c5:02:4d:14:
        11:3f:cf:35:22:98:2e:a8:96:43:3f:53:b9:b9:58:54:3a:33:
        40:d7:73:3e

Additional info:

...
--- Additional comment from Martin Kosek on 2014-07-29 07:57:46 EDT ---

I did a quick test with

ipa-server-3.3.3-28.el7.x86_64
pki-ca-10.0.5-3.el7.noarch

and generated a IPA with CSR request:

# ipa-server-install --external-ca
...
  [38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd): Estimated time 3 minutes 30
seconds
  [1/6]: creating certificate server user
  [2/6]: configuring certificate server instance
The next step is to get /root/ipa.csr signed by your CA and re-run
ipa-server-install as:
ipa-server-install --external_cert_file=/path/to/signed_certificate
--external_ca_file=/path/to/external_ca_certificate

# openssl req -in /root/ipa.csr -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: O=IDM.LAB.BOS.REDHAT.COM, CN=Certificate Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:9e:51:15:d4:44:3c:b0:ef:87:fc:fa:09:a7:a8:
                    db:4c:01:5e:1f:b1:32:86:99:ca:c8:d3:ae:e0:65:
                    d3:c2:58:64:67:5c:99:1b:df:92:1f:f9:e3:13:cc:
                    b7:54:a4:b7:95:98:f6:b0:7b:40:c2:9f:79:22:7b:
                    bb:67:3e:d2:f4:82:0b:8a:2d:10:f1:ba:20:63:8f:
                    ce:5b:3f:0b:00:b7:2c:47:e6:98:64:9f:df:42:af:
                    ff:de:ec:69:14:fa:76:77:be:fa:26:6f:82:55:9a:
                    61:f5:04:f2:c0:7a:27:d2:83:d1:e6:9e:a8:55:1e:
                    9e:b3:a6:a4:f3:c4:73:35:62:fc:8e:e5:bd:81:fc:
                    7c:50:36:7c:de:c7:d5:74:36:85:e3:05:8e:e8:e5:
                    a2:c7:11:89:c7:fe:56:38:57:10:dd:31:cc:7b:6c:
                    21:24:50:fe:f6:8b:4a:14:6c:d0:f6:f5:09:e7:33:
                    39:13:27:7e:d2:35:d3:97:f5:62:f1:84:33:17:3f:
                    95:99:27:9b:c5:a0:59:0f:ba:ae:c0:4e:18:87:0d:
                    e3:a8:0b:3d:be:31:f8:25:2b:67:e9:59:b8:6f:50:
                    d5:f2:72:68:16:41:af:10:a9:5a:17:d3:df:1f:33:
                    b5:df:e2:0c:7d:e4:c0:f9:39:73:47:0b:d9:b4:0f:
                    8c:6b
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         06:c9:c8:ff:37:4b:75:d3:5d:4e:56:c7:fa:22:7d:6d:f1:fd:
         64:96:0d:90:28:c9:4d:77:cc:ec:54:69:23:07:49:34:e4:e2:
         15:10:8a:ac:f5:12:4f:65:d9:82:e1:96:74:c7:45:0b:e4:09:
         db:d0:c9:03:57:6c:51:7b:65:ac:2f:06:13:f0:20:bc:a4:41:
         9b:8f:1b:e8:e3:26:5b:da:43:31:c2:41:93:da:c2:8b:a2:c6:
         3e:8c:66:a3:a1:94:f5:0a:27:96:c2:11:89:cb:a9:64:0f:09:
         ab:44:c9:7a:44:18:94:3f:29:5a:78:c4:e1:e4:df:e0:70:7f:
         52:be:1b:f3:e7:73:d9:f9:4d:16:38:6c:85:43:a1:74:05:d6:
         eb:eb:a4:93:12:b6:10:98:81:31:97:f5:03:9d:b7:f3:7c:e6:
         18:9e:1c:5d:c0:94:bd:27:0d:0f:a2:f5:24:a5:74:c7:13:45:
         5d:36:b4:a3:e8:2f:a5:8a:5f:1e:30:62:33:71:65:49:4e:6f:
         ce:3c:f2:d0:3e:88:e2:d1:d6:fc:b8:d0:9b:94:8b:47:63:43:
         cd:0b:49:f9:ff:06:c6:80:67:81:9c:89:b1:47:a5:c1:95:38:
         ec:70:0b:7b:13:26:99:27:a7:97:5a:64:d3:d0:6d:63:f5:41:
         82:7f:c5:f5
-----BEGIN CERTIFICATE REQUEST-----
MIIChjCCAW4CAQAwQTEfMB0GA1UEChMWSURNLkxBQi5CT1MuUkVESEFULkNPTTEe
MBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAnlEV1EQ8sO+H/PoJp6jbTAFeH7EyhpnKyNOu4GXTwlhk
Z1yZG9+SH/njE8y3VKS3lZj2sHtAwp95Inu7Zz7S9IILii0Q8bogY4/OWz8LALcs
R+aYZJ/fQq//3uxpFPp2d776Jm+CVZph9QTywHon0oPR5p6oVR6es6ak88RzNWL8
juW9gfx8UDZ83sfVdDaF4wWO6OWixxGJx/5WOFcQ3THMe2whJFD+9otKFGzQ9vUJ
5zM5Eyd+0jXTl/Vi8YQzFz+VmSebxaBZD7quwE4Yhw3jqAs9vjH4JStn6Vm4b1DV
8nJoFkGvEKlaF9PfHzO13+IMfeTA+TlzRwvZtA+MawIDAQABoAAwDQYJKoZIhvcN
AQELBQADggEBAAbJyP83S3XTXU5Wx/oifW3x/WSWDZAoyU13zOxUaSMHSTTk4hUQ
iqz1Ek9l2YLhlnTHRQvkCdvQyQNXbFF7ZawvBhPwILykQZuPG+jjJlvaQzHCQZPa
wouixj6MZqOhlPUKJ5bCEYnLqWQPCatEyXpEGJQ/KVp4xOHk3+Bwf1K+G/Pnc9n5
TRY4bIVDoXQF1uvrpJMSthCYgTGX9QOdt/N85hieHF3AlL0nDQ+i9SSldMcTRV02
tKPoL6WKXx4wYjNxZUlOb8488tA+iOLR1vy40JuUi0djQ80LSfn/BsaAZ4GcibFH
pcGVOOxwC3sTJpknp5daZNPQbWP1QYJ/xfU=
-----END CERTIFICATE REQUEST-----

and found that the resulting CSR is indeed not digestable by Windows 2012
Server CA. I will attach a screenshot with exact error message.

...
--- Additional comment from Christina Fu on 2014-07-29 12:46:48 EDT ---

The idea that I shared with atolani was the following (Note: I don't know where
IPA places things so it's more of an idea than exact steps):
To do "external CA", the tool has to be run twice, as I
understand.  The first time is to generate the CSR, and the 2nd time is to
install the cert after submitting the CSR to the CA. The idea is that the CSR
 could be replaced at that time in between the two runs of the tool.  You
regenerate the CSR with whatever tool that suits you. During that time, you
want to also swap in the keys.  Once you have swapped in the keys to the proper
location (where the keys are was something atolani was to find out), and the
CSR, submit the proper CSR to the external CA and you can continue from there.

atolani, I suggest you put in the detailed steps after your experiment if you
get it to work.

Incidentally, I was thinking about how useful it would be if one could just
reuse existing keypair to generate a new CSR with different extensions. If no
such tool exists, we can possibly consider that for the future.

I think the fix for the issue at hand is probably not just to add
BasicConstraint extension to a subordinate CA. Rather, we should consider
allowing one to craft the CSR in finer details.
Of course when the "external CA" is our own Dogtag CA then such issue does not
exist because we have enrollment profiles to serve the purpose on the server
end.

--- Additional comment from Martin Kosek on 2014-07-30 02:51:49 EDT ---

Thanks Christina. JFTR, this is indeed a 2 step installation. First,
ipa-server-install is run with --external-ca, when CSR is signed, it is run
again with --external_cert_file and --external_ca_file options. See

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/L
inux_Domain_Identity_Authentication_and_Policy_Guide/install-ca-options.html#in
stall-ca-external

for details.

IPA in RHEL-7.0 generates the CSR in /root/ipa.csr. PKI is installed in
/var/lib/pki/pki-tomcat/. I am not sure where the key is though.
/var/lib/pki/pki-tomcat/ca/alias/ contains just the "Server-Cert cert-pki-ca".

Honza will take care of this one.

FreeIPA command line support is fixed, we are just waiting what will be the result with Bug 1151147.

master:

  • 4cdeacd Support MS CS as the external CA in ipa-server-install and ipa-ca-install

ipa-4-1:

  • fdf46ac Support MS CS as the external CA in ipa-server-install and ipa-ca-install

This feature is complete now, it should not block 4.1.

Bumping PKI requires is tracked in #4645.

Metadata Update from @mkosek:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.1

4 years ago

Login to comment on this ticket.

Metadata