When using an externally-signed IPA CA and wishing to change the external root chaining. If you install a new external CA cert which has the same subject name, but a different public key. A new IPA CA CSR has been generated and has been signed by the new external CA. However, when you attempt to change the chaining ('ipa-cacert-manage renew --external-cert-file=<new IPA CA cert> --external-cert-file=<new root CA cert>'), an error is returned indicating a problem with subject key comparison -->
ipa: DEBUG: stderr=ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x540d368> ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Destroyed connection context.ldap2_57069456 ipa.ipaserver.install.ipa_cacert_manage.CACertManage: DEBUG: File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute return_value = self.run() File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cacert_manage.py", line 117, in run rc = self.renew() File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cacert_manage.py", line 165, in renew return self.renew_external_step_2(ca, cert) File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cacert_manage.py", line 282, in renew_external_step_2 EMPTY_TRUST_FLAGS) File "/usr/lib/python2.7/site-packages/ipalib/install/certstore.py", line 367, in put_ca_cert_nss config_ipa, config_compat) File "/usr/lib/python2.7/site-packages/ipalib/install/certstore.py", line 233, in put_ca_cert config_ipa=config_ipa, config_compat=config_compat) File "/usr/lib/python2.7/site-packages/ipalib/install/certstore.py", line 182, in update_ca_cert raise ValueError("subject public key info mismatch") ipa.ipaserver.install.ipa_cacert_manage.CACertManage: DEBUG: The ipa-cacert-manage command failed, exception: ValueError: subject public key info mismatch ipa.ipaserver.install.ipa_cacert_manage.CACertManage: ERROR: subject public key info mismatch ipa.ipaserver.install.ipa_cacert_manage.CACertManage: ERROR: The ipa-cacert-manage command failed.
In certstore.py, the public key of the new cert is compared to same of the current cert stored in 389 -->
def update_ca_cert(ldap, base_dn, dercert, trusted=None, ext_key_usage=None, config_ipa=False, config_compat=False): """ Update existing entry for a CA certificate in the certificate store. """ subject, issuer_serial, public_key = _parse_cert(dercert) filter = ldap.make_filter({'ipaCertSubject': subject}) result, _truncated = ldap.find_entries( base_dn=DN(('cn', 'certificates'), ('cn', 'ipa'), ('cn', 'etc'), base_dn), filter=filter, attrs_list=['cn', 'ipaCertSubject', 'ipaCertIssuerSerial', 'ipaPublicKey', 'ipaKeyTrust', 'ipaKeyExtUsage', 'ipaConfigString', 'cACertificate;binary']) entry = result[0] dn = entry.dn for old_cert in entry['cACertificate;binary']: # Check if we are adding a new cert if old_cert == dercert: break else: # We are adding a new cert, validate it if entry.single_value['ipaCertSubject'].lower() != subject.lower(): raise ValueError("subject name mismatch") if entry.single_value['ipaPublicKey'] != public_key: raise ValueError("subject public key info mismatch") entry['ipaCertIssuerSerial'].append(issuer_serial) entry['cACertificate;binary'].append(dercert)
Metadata Update from @pvoborni: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1512322
Issue linked to bug 1512322
What would you suggest, not do the subject key comparison? The commit message for the code contains no reasoning for doing this.
@rcritten possibly. It would need to be comprehensively tested, to make sure that none of the other programs or libraries (e.g. NSS) experience issues in this scenario.
Some git archaeology will be needed to try to discern the original intent of this change but IIRC it was one of many included in a large patch set with no specific call-out.
Metadata Update from @rcritten: - Issue priority set to: normal - Issue set to the milestone: FreeIPA 4.6.4
Metadata Update from @pvoborni: - Issue priority set to: important (was: normal)
Metadata Update from @rcritten: - Issue set to the milestone: FreeIPA 4.6.5 (was: FreeIPA 4.6.4)
According to https://www.freeipa.org/page/V4/CA_certificate_renewal each entry underneath cn=certificates,cn=ipa,cn=etc,SUFFIX "represents a set of certificates using a single subject name and public key" but no further rationale is given. Given that ipaCertsubject "must be unique in the store", it looks like you can't re-key a CA.
(This ended up being rather tautological, but I can't delete the comment...) :)
Login to comment on this ticket.