Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1322963
Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.
Description of problem:
Windows 2012 AD cannot sign the CSR due to this error: "Submitted CSR is invalid it has embedded with the predefined template name called 'ipaCSRExport', While submitting request to Its creating conflicting with the actual SUBCA template on CA server."

The field that they are talking about is:
1.3.6.1.4.1.311.20.2
which corresponds to:
...i.p.a.C.S.R.E.x.p.o.r.t
But it looks like MS uses this field for another purpose:
https://support.microsoft.com/en-us/kb/287547

Version-Release number of selected component (if applicable):

How reproducible:
When going through a standard signing request, it gives the error.

Steps to Reproduce:
1. Created ipa.csr
2. Sent to W2012 AD to sign
3. Get the above error when attempting normal channels

We were able to get a signed certificate (but it doesn't seem to be a root CA) by doing the following:

Certificate Sign Request (.CSR)
1.) Log in to the Windows AD box
2.) Install the "Active Directory Certificate Services" server role (if it is not installed)
3.) Go to http://localhost/certsrv/ on the AD box
4.) Select "Request a certificate"
5.) Select "Or, submit an advanced certificate request"
6.) Select "Submit a certificate requested by a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file"
7.) Open the .CSR in Notepad
8.) Copy all of the contents of the .CSR and paste them into the "Saved Request: Base-64-encoded request (CMC or PKCS #10 or PKCS #7):" text box
9.) Leave "Certificate Template" and "Additional Attributes" at their defaults
10.) Select "Submit >"
11.) Select "Download certificate" and "Download certificate chain"
12.) Select "Save" in the yellow pop-up bar at the bottom of the screen

Actual results:
IPA could read the cert, but it wasn't a root one

Expected results:
signed CA cert

Additional info:
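An added example, not code from the ticket or from FreeIPA, showing how to check a CSR for the extension the reporter found. OID 1.3.6.1.4.1.311.20.2 is Microsoft's certificate-template-name extension (szOID_ENROLL_CERTTYPE_EXTENSION, listed in the linked KB). Its value is a BMPString, i.e. UTF-16BE, which is why the dump above shows "ipaCSRExport" with a dot between each letter. A Windows CA reads this extension to pick the template to issue against, so a request carrying "ipaCSRExport" instead of a template the CA knows (such as SubCA) is rejected or issued against the wrong template. The script is a pure-Python DER walker with no third-party packages; `build_sample_csr` produces a constructed PKCS#10 skeleton (placeholder key and signature, so it does not verify) purely so the check can be exercised offline. All function names are my own.

```python
"""Check a PKCS#10 CSR for the Microsoft certificate-template-name extension.

Added example, not FreeIPA code. Pure-Python DER walker: it finds the
extensionRequest attribute (1.2.840.113549.1.9.14) in the request and, inside
it, Microsoft's szOID_ENROLL_CERTTYPE_EXTENSION (1.3.6.1.4.1.311.20.2), which a
Windows CA reads as the name of the template to issue against.
"""
import base64

OID_EXTENSION_REQUEST = "1.2.840.113549.1.9.14"
OID_MS_CERT_TEMPLATE_NAME = "1.3.6.1.4.1.311.20.2"
TAG_BMPSTRING = 0x1E  # UTF-16BE, hence the "i.p.a.C.S.R.E.x.p.o.r.t" dump


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:end], end


def _children(value):
    """Yield (tag, value) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        yield tag, inner


def _decode_oid(value):
    first = value[0]
    parts = ["2", str(first - 80)] if first >= 80 else [str(first // 40), str(first % 40)]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def load_csr(pem_text):
    """PEM (-----BEGIN CERTIFICATE REQUEST-----) to DER bytes."""
    body = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def ms_template_name(csr_der):
    """Return the template name embedded in the CSR, or None if absent."""
    tag, body, _ = _read_tlv(csr_der, 0)  # CertificationRequest
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE; decode PEM first")
    _, info, _ = _read_tlv(body, 0)  # CertificationRequestInfo
    for tag, attrs in _children(info):
        if tag != 0xA0:  # attributes [0] IMPLICIT SET OF Attribute
            continue
        for _, attr in _children(attrs):  # Attribute ::= SEQUENCE {type, values}
            fields = list(_children(attr))
            if _decode_oid(fields[0][1]) != OID_EXTENSION_REQUEST:
                continue
            for _, exts in _children(fields[1][1]):  # SET OF Extensions
                for _, ext in _children(exts):  # Extension ::= SEQUENCE
                    ext_fields = list(_children(ext))
                    if _decode_oid(ext_fields[0][1]) != OID_MS_CERT_TEMPLATE_NAME:
                        continue
                    octets = ext_fields[-1][1]  # extnValue OCTET STRING (critical may be absent)
                    vtag, name, _ = _read_tlv(octets, 0)
                    if vtag == TAG_BMPSTRING:
                        return name.decode("utf-16-be")
                    return name.decode("ascii", "replace")
    return None


# --- constructed sample input (NOT a real, verifiable CSR) ------------------

def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(oid):
    nums = [int(x) for x in oid.split(".")]
    out = [40 * nums[0] + nums[1]]
    for n in nums[2:]:
        chunk = [n & 0x7F]
        while n >> 7:
            n >>= 7
            chunk.append(0x80 | (n & 0x7F))
        out.extend(reversed(chunk))
    return bytes(out)


def build_sample_csr(template_name=None):
    """PKCS#10 skeleton with a CA subject, basicConstraints cA=TRUE and,
    optionally, the MS template-name extension; key and signature are zeros."""
    oid = lambda s: _der(0x06, _encode_oid(s))
    exts = _der(0x30, oid("2.5.29.19") + _der(0x01, b"\xff")  # basicConstraints, critical
                + _der(0x04, _der(0x30, _der(0x01, b"\xff"))))  # cA = TRUE
    if template_name is not None:
        exts += _der(0x30, oid(OID_MS_CERT_TEMPLATE_NAME)
                     + _der(0x04, _der(TAG_BMPSTRING, template_name.encode("utf-16-be"))))
    attr = _der(0x30, oid(OID_EXTENSION_REQUEST) + _der(0x31, _der(0x30, exts)))
    subject = _der(0x30, _der(0x31, _der(0x30, oid("2.5.4.3") + _der(0x0C, b"Certificate Authority"))))
    spki = _der(0x30, _der(0x30, oid("1.2.840.113549.1.1.1") + _der(0x05, b"")) + _der(0x03, bytes(17)))
    info = _der(0x30, _der(0x02, b"\x00") + subject + spki + _der(0xA0, attr))
    sig_alg = _der(0x30, oid("1.2.840.113549.1.1.11") + _der(0x05, b""))
    return _der(0x30, info + sig_alg + _der(0x03, bytes(17)))


def to_pem(csr_der):
    b64 = base64.b64encode(csr_der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE REQUEST-----\n%s\n-----END CERTIFICATE REQUEST-----\n" % "\n".join(lines)


if __name__ == "__main__":
    for name in ("ipaCSRExport", None):
        print(name, "->", ms_template_name(load_csr(to_pem(build_sample_csr(name)))))
```

Against a real request: `ms_template_name(load_csr(open("ipa.csr").read()))`. Note that the extension cannot simply be cut out of a signed CSR, because the signature covers the whole certificationRequestInfo; the request has to be regenerated without it, or with the template name the CA actually expects.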
Important in 4.5 bugfixing phase.
Metadata Update from @pvoborni: - Issue assigned to jcholast - Issue set to the milestone: FreeIPA 4.5
Metadata Update from @mbasti: - Issue close_status updated to: None - Issue set to the milestone: FreeIPA 4.5.1 (was: FreeIPA 4.5)
Metadata Update from @pvoborni: - Issue priority set to: blocker (was: critical)
master:
ce9eefe renew agent: respect CA renewal master setting
5abd9bb server upgrade: always fix certmonger tracking request
09a49ad cainstance: use correct profile for lightweight CA certificates
25aeeaf renew agent: allow reusing existing certs
0bf41e8 renew agent: always export CSR on IPA CA certificate renewal
21f4cbf renew agent: get rid of virtual profiles
* b03ede8 ipa-cacert-manage: add --external-ca-type
ipa-4-5:
36fc44b renew agent: respect CA renewal master setting
b55dd9c server upgrade: always fix certmonger tracking request
4a01114 cainstance: use correct profile for lightweight CA certificates
920d56a renew agent: allow reusing existing certs
25b0a9c renew agent: always export CSR on IPA CA certificate renewal
bb95282 renew agent: get rid of virtual profiles
* c56d12a ipa-cacert-manage: add --external-ca-type
Metadata Update from @dkupka: - Issue status updated to: Closed (was: Open)
Metadata Update from @dkupka: - Issue close_status updated to: fixed