#7352 external CA installation: check that public key matches private key
Opened 2 years ago by ftweedal. Modified a year ago

Request for enhancement

Occasionally someone has tried in step-2 of external CA installation to install
a certificate with the wrong public key. In that case, installation will fail with
PKI ObjectNotFoundException because the imported cert has no corresponding
private key. We should detect this condition and fail with helpful error message.


@ftweedal Please provide exact error log which you see when cert with wrong public key is imported back. after you run ipa-server-install with --external-cert-file= option.
or provide ipa-install-log.

Metadata Update from @rcritten:
- Issue priority set to: normal
- Issue set to the milestone: FreeIPA 4.6.4

a year ago

@ftweedal How I tried to repro but cannot.

This is what i did:
Created 2 CA certs and 2 keys.
MyRootCA.key <--> MyRootCA.pem [CA]
MyRootCA1.key <--> MyRootCA1.pem [CA1]
Kept following fields identical on 2 CA certs:
Issuer, Subject.

Signed ipa.csr from CA.

But passed Root CA1 cert:
# ipa-server-install --external-cert-file=MyRootCA1.pem --external-cert-file=ipa.pem
But command fails with
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR CA certificate chain in /root/externalCA/MyRootCA1.pem, /root/externalCA/ipa.pem is incomplete: missing certificate with subject 'E=test@red.com,CN=test.redcon,OU=IDM,O=Red Hat,L=Pune,ST=Maharastra,C=IN'
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Here also rather It should fail with stating incorrect Root CA Public Key(some sort). Because Issuer fields CN,OU,O of both CAs are exactly same only differs in Pvt Keys..

The way to trigger this condition would be:

  1. Start IPA installation with external CA.
  2. When signing the CSR, don't sign the CSR given, but sign some other CSR with the SAME SUBJECT, but different public key.
  3. Continue installation, giving CA certificate and signed certificate which has IPA CA Subject DN but different public key.

A similar check should be performed for "renewal", i.e. ipa-cacert-manage renew, to make sure
that we don't accept such a certificate in that scenario.

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.6.5 (was: FreeIPA 4.6.4)

a year ago

Login to comment on this ticket.

Metadata