#8103 CA-less to CA-ful fails if /etc/ipa/ca.crt does not have DS cert issuer first
Opened 10 months ago by ftweedal. Modified 10 months ago


When moving from CA-less to CA-ful installation, if the issuer of the DS service certificate
is not the first certificate in /etc/ipa/ca.crt, the wrong certificate will be put in the Dogtag
NSSDB. Dogtag will be unable to communicate with the DS and ipa-ca-install will fail.

Additional info:

ipaca_default.ini contains directives:

pki_ds_secure_connection_ca_nickname=Directory Server CA certificate

In dogtaginstance.py:PKIIniLoader.__init__, ipa_ca_pem_file is hardcoded:


The installer should inspect the DS service certificate, find the issuer certificate,
write it to a temporary file and set ipa_ca_pem_file to that file, so that the correct
certificate gets installed to the Dogtag NSSDB.

Isn't this effectively a workaround for Dogtag depending on the ordering of the CA chain?

I think Dogtag's behaviour is OK - after all you only need one trust anchor to talk to DS. So I'd rather modify IPA to supply the one certificate that's actually needed.
