#6263 ipa-server-certinstall does not update all certificate stores and doesn't set proper trust permissions
Closed: Fixed None Opened 7 years ago by pvoborni.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1360813

Description of problem:

The tool ipa-server-certinstall can be used to install 3rd party certificates
for the IPA embedded httpd and ldap service.

The usage is outlined on this page (I already filed BZ #1360217 to get a proper
description into our IdM guide):

https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

Here it says:

"""
The certificate in mysite.crt must be signed by a CA known by the service you
are loading the certificate into. Or you must include the certificate chain
associated with the new certificate.
"""

I recently encountered two issues when a PKCS#12 file is imported which has a
new CA certificate chain included, which is not already known to IPA:

1) The certificates from the PKCS#12 file are imported into the NSS DB of the
service for which the certificate is intended (httpd and/or ldap) and the trust
flag is properly set for the new service certificate, but trust flags for the CA
certificates which are also part of the PKCS#12 file are not set at all. A
manual change using certutil was required.

2) While the CA certificates from the PKCS#12 file are imported into the NSS DB
of the http and/or ldap service, they are not imported into the tomcat-pki NSS
DB. As a result, tomcat fails to start when the ldap certificate has been
replaced and when it's signed by a CA which is not known to IPA. I would expect
that ipa-server-certinstall also updates this NSS DB. A manual import of the CA
certificates fixed the issue.

I found an old ticket which talks about the same issue and which has been
closed as FIXED, but I can still see the issues I outlined above in latest
RHEL-7.2 ipa package:

https://fedorahosted.org/freeipa/ticket/3862

Version-Release number of selected component (if applicable):
ipa-server-4.2.0-15.el7_2.17

How reproducible:
Create a new CSR for IPA httpd and have it signed by a CA which is not known to
IPA. Create a PKCS#12 file with the new certificate/key and add the full CA
certificate chain to the PKCS#12 file. Then import the file using
ipa-server-certinstall.
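An administrator-side check for the two symptoms described in the report (CA certificates left with empty trust flags, and a CA chain that never reached the tomcat-pki database). This is an added example, not code from the ticket or from FreeIPA; it parses `certutil -L` output, the sample listings and nicknames are constructed, and the database paths in the comments are the RHEL 7 IPA defaults assumed here.

```shell
#!/bin/sh
# Added example, not part of the ticket or of FreeIPA: audit the NSS databases
# that ipa-server-certinstall should have updated. Live use needs nss-tools.

# Constructed `certutil -L -d <dir>` output for the httpd NSS DB after a PKCS#12
# import whose CA chain was unknown to IPA (nicknames are made up).
HTTPD_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
Example Corp Root CA                                         CT,C,C
Example Corp Issuing CA                                      ,,'

# Constructed listing for the tomcat-pki NSS DB: the new chain is missing.
TOMCAT_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                                      u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu'

# records LISTING -> "trust<TAB>nickname" per certificate; the trust column is
# the last field and always looks like x,y,z, which also drops the header.
records() {
    printf '%s\n' "$1" | awk '$NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
        trust = $NF; nick = $0
        sub(/[ \t]+[^ \t]+$/, "", nick)        # strip the trust column
        printf "%s\t%s\n", trust, nick }'
}

# Symptom 1: certificates sitting in the DB with no trust flags at all (",,").
# The manual fix the reporter mentions is, for each nickname printed:
#   certutil -M -d <dbdir> -n "<nickname>" -t "CT,C,C"
untrusted_certs() {
    records "$1" | awk -F'\t' '$1 == ",," { print $2 }'
}

# Symptom 2: chain certificates (no private key, i.e. no "u" in the SSL trust
# field) present in the first listing but absent from the second, by nickname.
missing_cas() {
    records "$1" | awk -F'\t' '$1 !~ /^[^,]*u/ { print $2 }' |
        while IFS= read -r nick; do
            records "$2" | awk -F'\t' -v n="$nick" \
                '$2 == n { found = 1 } END { exit found ? 0 : 1 }' ||
                printf '%s\n' "$nick"
        done
}
# Live use with the RHEL 7 IPA default paths assumed here:
#   untrusted_certs "$(certutil -L -d /etc/httpd/alias)"
#   missing_cas "$(certutil -L -d /etc/httpd/alias)" "$(certutil -L -d /etc/pki/pki-tomcat/alias)"
untrusted_certs "$HTTPD_LISTING"
missing_cas "$HTTPD_LISTING" "$TOMCAT_LISTING"
```

Nickname matching between databases is a heuristic; confirm a hit with `certutil -L -d <dbdir> -n "<nickname>"` and compare fingerprints before importing anything.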

master:

  • 0c4a913 Add cert checks in ipa-server-certinstall

ipa-4-4:

  • f32e683 Add cert checks in ipa-server-certinstall

Metadata Update from @pvoborni:
- Issue assigned to frenaud
- Issue set to the milestone: FreeIPA 4.4.3

6 years ago
