Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1360813
Description of problem:

The tool ipa-server-certinstall can be used to install 3rd party certificates for the IPA embedded httpd and ldap service. The usage is outlined on this page (I already filed BZ #1360217 to get a proper description into our IdM guide): https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

Here it says:

"""
The certificate in mysite.crt must be signed by a CA known by the service you are loading the certificate into. Or you must include the certificate chain associated with the new certificate.
"""

I recently encountered two issues when a PKCS#12 file is imported which has a new CA certificate chain included, which is not already known to IPA:

1) The certificates from the PKCS#12 file are imported into the NSS DB of the service the certificate is for (httpd and/or ldap) and the trust flag is properly set for the new service certificate, but trust flags for the CA certificates which are also part of the PKCS#12 file are not set at all. A manual change using certutil was required.

2) While the CA certificates from the PKCS#12 file are imported into the NSS DB of the http and/or ldap service, they are not imported into the tomcat-pki NSS DB. As a result, tomcat fails to start when the ldap certificate has been replaced and when it's signed by a CA which is not known to IPA. I would expect that ipa-server-certinstall also updates this NSS DB. A manual import of the CA certificates fixed the issue.

I found an old ticket which talks about the same issue and which has been closed as FIXED, but I can still see the issues I outlined above in the latest RHEL-7.2 ipa package: https://fedorahosted.org/freeipa/ticket/3862

Version-Release number of selected component (if applicable):
ipa-server-4.2.0-15.el7_2.17

How reproducible:
1. Create a new CSR for IPA httpd and have it signed by a CA which is not known to IPA.
2. Create a PKCS#12 file with the new certificate/key and add the full CA certificate chain to the PKCS#12 file.
3. Then import the file using ipa-server-certinstall.
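A check for the two symptoms described above, added here as an example and not part of this ticket or of FreeIPA: it parses `certutil -L` listings of the service NSS DB and of a second DB (assumed to be the pki-tomcat DB; directory paths are left to the caller) and reports imported chain certificates whose SSL trust field lacks the C flag, and chain certificates absent from the second DB. Both listings below are constructed sample data with made-up nicknames.

```python
import re
from typing import Dict, List

# Constructed sample output in the layout printed by `certutil -L -d <nssdb>`.
# Nicknames are made up; which directory holds the httpd/dirsrv DB and which
# the pki-tomcat DB is left to the caller (paths are an assumption, not shown).
SERVICE_DB_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
Example Corp Root CA                                         ,,
Example Corp Issuing CA                                      ,,
IPA.EXAMPLE.TEST IPA CA                                      CT,C,C
"""
PKI_TOMCAT_DB_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

IPA.EXAMPLE.TEST IPA CA                                      CT,C,C
subsystemCert cert-pki-ca                                    u,u,u
"""

# Entry line: nickname, 2+ spaces, then "SSL,S/MIME,JAR" flags (fields may be empty).
_ENTRY = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[A-Za-z]*(?:,[A-Za-z]*){2})$")


def parse_certutil_listing(text: str) -> Dict[str, str]:
    """Map nickname -> trust string; the two header lines never match _ENTRY."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        m = _ENTRY.match(line.rstrip())
        if m:
            entries[m.group("nick")] = m.group("trust")
    return entries


def untrusted_chain_certs(listing: Dict[str, str]) -> List[str]:
    """Symptom 1: certs with no private key ('u') whose SSL field lacks the
    'C' (trusted CA) flag, i.e. chain certs that were imported but not trusted."""
    return [nick for nick, trust in listing.items()
            if "u" not in trust and "C" not in trust.split(",")[0]]


def chain_certs_missing_from(service: Dict[str, str], other: Dict[str, str]) -> List[str]:
    """Symptom 2: chain certs present in the service DB that the other DB lacks."""
    return [nick for nick, trust in service.items()
            if "u" not in trust and nick not in other]


if __name__ == "__main__":
    svc = parse_certutil_listing(SERVICE_DB_LISTING)
    pki = parse_certutil_listing(PKI_TOMCAT_DB_LISTING)
    print("not trusted as CA:", untrusted_chain_certs(svc))
    print("absent from pki-tomcat DB:", chain_certs_missing_from(svc, pki))
```

On a real server, feed the function the output of `certutil -L -d <dir>` for each NSS DB instead of the embedded samples.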
master:
ipa-4-4:
Metadata Update from @pvoborni:
- Issue assigned to frenaud
- Issue set to the milestone: FreeIPA 4.4.3