Occasionally someone has tried, in step 2 of external CA installation, to install a certificate with the wrong public key. In that case, installation fails with PKI ObjectNotFoundException because the imported cert has no corresponding private key. We should detect this condition and fail with a helpful error message.
@ftweedal Please provide the exact error log which you see when the cert with the wrong public key is imported back, after you run ipa-server-install with the --external-cert-file= option, or provide the ipa-install log.
Metadata Update from @rcritten: - Issue priority set to: normal - Issue set to the milestone: FreeIPA 4.6.4
@ftweedal I tried to repro but cannot.
This is what I did: Created 2 CA certs and 2 keys: MyRootCA.key <--> MyRootCA.pem [CA], MyRootCA1.key <--> MyRootCA1.pem [CA1]. Kept the following fields identical on the 2 CA certs: Issuer, Subject.
Signed ipa.csr from CA.
But passed the Root CA1 cert:
# ipa-server-install --external-cert-file=MyRootCA1.pem --external-cert-file=ipa.pem
But the command fails with:
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR CA certificate chain in /root/externalCA/MyRootCA1.pem, /root/externalCA/ipa.pem is incomplete: missing certificate with subject 'E=test@red.com,CN=test.redcon,OU=IDM,O=Red Hat,L=Pune,ST=Maharastra,C=IN'
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
Here also it should rather fail stating an incorrect Root CA public key (of some sort), because the Issuer fields CN, OU, O of both CAs are exactly the same and only differ in private keys.
The way to trigger this condition would be:
A similar check should be performed for "renewal", i.e. ipa-cacert-manage renew, to make sure that we don't accept such a certificate in that scenario.
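The check asked for in the ticket description (the imported cert must carry the public key from ipa.csr, otherwise there is no matching private key) and in the renewal comment above, as an added, stand-alone example; this is not FreeIPA's own code and does not use ipa's APIs. It relies on the third-party `cryptography` package and assumes RSA keys (verifying an EC issuer signature would need `ec.ECDSA` instead of PKCS#1 v1.5 padding). `build_fixture` constructs test data that mirrors the repro in the thread: two self-signed roots with an identical subject but different private keys, MyRootCA signing the CSR, and the operator passing the MyRootCA1 cert instead. A second check verifies the issuer signature, which is what distinguishes the two roots when name comparison cannot.

```python
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _spki(pub):
    # Compare keys by their DER SubjectPublicKeyInfo: the bytes the
    # certificate actually carries, independent of key object identity.
    return pub.public_bytes(serialization.Encoding.DER,
                            serialization.PublicFormat.SubjectPublicKeyInfo)


def check_external_ca(ipa_cert_pem, ca_cert_pem, csr_pem):
    """Return a list of problems with an externally signed IPA CA certificate.

    1. The issued cert must contain the public key from our CSR, so the
       private key we hold actually corresponds to it.
    2. The supplied root must have signed it; a different CA with an
       identical Subject/Issuer name is only caught by checking the signature.
    """
    cert = x509.load_pem_x509_certificate(ipa_cert_pem)
    ca = x509.load_pem_x509_certificate(ca_cert_pem)
    csr = x509.load_pem_x509_csr(csr_pem)
    problems = []
    if _spki(cert.public_key()) != _spki(csr.public_key()):
        problems.append("issued certificate does not contain the CSR public key "
                        "(no matching private key for this certificate)")
    if cert.issuer != ca.subject:
        problems.append("issuer name does not match the supplied CA certificate")
    try:
        # Assumption: RSA issuer key signed with PKCS#1 v1.5 (the common case).
        ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                               padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        problems.append("supplied CA certificate did not sign the issued "
                        "certificate (CA public key mismatch)")
    return problems


# ---- constructed fixture, modelled on the repro in the ticket ----------------

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Red Hat"),
                      x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _ca_cert(subject, issuer, pub, signing_key):
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer).public_key(pub)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None),
                           critical=True)
            .sign(signing_key, hashes.SHA256()))


def build_fixture():
    """Two roots with the same name but different keys; only CA signs ipa.csr."""
    root = _name("MyRootCA")
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca1_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ipa_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    stray_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)

    csr = (x509.CertificateSigningRequestBuilder()
           .subject_name(_name("Certificate Authority"))
           .sign(ipa_key, hashes.SHA256()))
    pem = lambda obj: obj.public_bytes(serialization.Encoding.PEM)
    return {
        "csr": pem(csr),
        "ca": pem(_ca_cert(root, root, ca_key.public_key(), ca_key)),
        "ca1": pem(_ca_cert(root, root, ca1_key.public_key(), ca1_key)),
        # correct: CA signs the key from the CSR
        "ipa": pem(_ca_cert(csr.subject, root, csr.public_key(), ca_key)),
        # wrong: CA signs a cert for some other public key
        "ipa_wrong_key": pem(_ca_cert(csr.subject, root, stray_key.public_key(), ca_key)),
    }


if __name__ == "__main__":
    fx = build_fixture()
    print("correct chain:", check_external_ca(fx["ipa"], fx["ca"], fx["csr"]))
    print("MyRootCA1 passed instead:", check_external_ca(fx["ipa"], fx["ca1"], fx["csr"]))
    print("wrong public key:", check_external_ca(fx["ipa_wrong_key"], fx["ca"], fx["csr"]))
```

Run as-is to see the three outcomes; the same `check_external_ca` call would sit in front of the NSS import in both the install step and the renew path, so the operator gets a key-mismatch message instead of a later ObjectNotFoundException.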
Metadata Update from @rcritten: - Issue set to the milestone: FreeIPA 4.6.5 (was: FreeIPA 4.6.4)