freeipa

Clone
Source Code
GIT

#8124 Add option to ipa-cacert-manage to delete certificates
Closed: fixed 4 years ago by rcritten. Opened 4 years ago by yrro.

Closed: fixed
Reopen Issue

Issue

My company has more than one CA and I would like to get FreeIPA clients to trust all of them.

Some time ago, I ran ipa-cacert-manage install orgcert.crt to install one of these CA certificates into the directory. A subsequent run of ipa-certupdate resulted in much joy as the CA certificate was indeed written out to ipa-p11.kit and added to the system trust store.

Some time later, the CA's certificate neared expiry and a new certificate with the same Subject DN was issued. I duly ran ipa-cacert-manage install neworgcert.crt on this certificate. I expected that this would replace the original certificate in the directory, but instead it has added a second certificate with the same name:

# ipa-cacert-manage list
IPA.EXAMPLE.COM IPA CA
CN=RCAERE01-CA-2,DC=RCAERE-1,DC=LOCAL
CN=org-CERTROOTCA02-CA,DC=example,DC=com
CN=org-CERTROOTCA02-CA,DC=example,DC=com
CN=Certificate Authority,O=EXAMPLEUNIX

The directory contains a single entry, using multi-valued attributes to store both certificates owned by the CA:

$ ldapvi --out -Q -b cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=example,dc=com
dn: cn=CN\3Dorg-CERTROOTCA02-CA\2CDC\3Dexample\2CDC\3Dcom,cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=example,dc=com
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.1
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.2
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.3
ipaKeyExtUsage: 1.3.6.1.5.5.7.3.4
cn: CN=org-CERTROOTCA02-CA,DC=example,DC=com
objectClass: ipaCertificate
objectClass: pkiCA
objectClass: ipaKeyPolicy
objectClass: top
ipaCertSubject: CN=org-CERTROOTCA02-CA,DC=example,DC=com
ipaPublicKey:: MII...
cACertificate;binary:: MII...
cACertificate;binary:: MII...
ipaKeyTrust: trusted
ipaCertIssuerSerial: CN=org-CERTROOTCA02-CA,DC=example,DC=com;123456789012345
ipaCertIssuerSerial: CN=org-CERTROOTCA02-CA,DC=example,DC=com;674937604067420

That is, the caCertificate and ipaCertIssuerSerial attributes are multi-valued.

Now, this does not seem to cause a problem with FreeIPA itself; however while trying to find a solution for #8106 it was suggested that this is not the intended behaviour (and my initial assumption that the old certificate would be replaced by the new one would have been correct).

Version/Release/Distribution

$ rpm -q ipa-server ipa-client 389-ds-base pki-ca krb5-server
ipa-server-4.6.5-11.el7_7.3.x86_64
ipa-client-4.6.5-11.el7_7.3.x86_64
389-ds-base-1.3.8.4-22.el7_6.x86_64
pki-ca-10.5.9-10.el7_6.noarch
krb5-server-1.15.1-37.el7_6.x86_64

If the certificate should have been replaced then some part of FreeIPA needs to do that, and there needs to be some way of removing the duplicate entry after freeipa-server has been updated (manually editing LDAP entries is not fun...) :)

If the duplicate entry is intentional then ipa-certupdate needs to perform de-duplication when it writes out the trusted certificates on Debian for consumption by update-ca-certificates (pending confirmation from the maintainer as to whether this de-duplication should be done by update-ca-certificates itself, in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945274).

How do you define duplicate entry? Technically both certificate are distinct entries with different issuer, subject, and serial. If I understand you correct than you consider any certificate with same issuer/subject pair as distinct.

If we use only issuer+subject, then it may make roll-over of intermediate CA harder. These days chains are build with SKID / AKID and not with subject name / issuer name. It is possible to have two valid intermediate CAs with same issue and same subject but different SKID. Cross-signing uses a similar technique.

It might be better to refrain from automatic replacement and rather improve ipa-certupdate to allow easy removal of certificates.

How do you define duplicate entry? Technically both certificate are distinct entries with different issuer, subject, and serial. If I understand you correct than you consider any certificate with same issuer/subject pair as distinct

I mean two certificates with the same Subject DN. That's based on https://frasertweedale.github.io/blog-redhat/posts/2017-11-20-changing-ca-subject-dn-part-i.html which says,

The Subject DN uniquely identifies the CA. It is the CA. A CA can have multiple concurrent certificates, possibly with different keys and key types. But if the Subject DN is the same, they are just different certificates for a single CA. Corollary: if the Subject DN differs, it is a different CA even if the key is the same.

Since the two certificates have the same Subject DN, the symlinks created by openssl rehash /etc/ssl/certs will also clash.

These days chains are build with SKID / AKID and not with subject name / issuer name. It is possible to have two valid intermediate CAs with same issue and same subject but different SKID.

I don't see how OpenSSL can deal with this--it is only able to distinguish certificates based on (a hash of) the Subject DN.

It might be better to refrain from automatic replacement and rather improve ipa-certupdate to allow easy removal of certificates.

Yup, also it'd be nice if ipa-cacert-manage list gave me some way to distinguish between the two entries. It would be nice to see SKID, serial and validity dates. And display expired entries in a different colour. ;)
Edited 4 years ago by yrro

As Fraser correctly stated, a CA can have more than one certificate. Two certs with same subject is a perfectly valid use case. Two certs with same SKID are valid, too. Only the combination of (subject, issuer, serial) must be universally unique.

OpenSSL hashdir can handle different certs with same subject hash just fine. Otherwise it would be a bug in OpenSSL. Here is an example how OpenSSL rehash deals with Lets Encrypt cross-sign certs: 

$ openssl rehash -v /tmp/certs
Doing /tmp/certs
link isrgrootx1.pem -> 4042bcee.0
link lets-encrypt-x3-cross-signed.pem -> 4f06f81d.0
link letsencryptauthorityx3.pem -> 4f06f81d.1

The last two certs have same subject DN Subject: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 and same SKID A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1 but are different certs. As you can see OpenSSL creates two symlink files for hash 4f06f81d.

Ah, what I didn't realise is that openssl rehash takes care of collisions by incrementing that number on the end of the names of the symlinks it creates!

So there's no actual problem with having multiple entries with the same Subject DN stored in the directory (save for ipa-cacert-manage not showing more info about them or letting them be removed, but that's a different RFE not a bug). So I'll close this one.

Metadata Update from @yrro:
- Issue close_status updated to: invalid
- Issue status updated to: Closed (was: Open)
4 years ago

Hold on, I think it is still a valid request to be able to remove a CA certificate from ldap.

I've been meaning to implement ipa-cacert-manage delete for a while. I can use this ticket, re-opening and updating title.

Metadata Update from @rcritten:
- Issue status updated to: Open (was: Closed)
4 years ago

Agree with the plan; we need an easy way to remove certs from the certstore.

Metadata Update from @rcritten:
- Issue assigned to rcritten
4 years ago

Note that I don't intend to allow removing discrete certificate values from an entry, just an entire entry.

So for example a self-signed IPA CA and the LE chain would look like:

# ipa-cacert-manage list
EXAMPLE.TEST IPA CA
CN=ISRG Root X1,O=Internet Security Research Group,C=US
CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
The ipa-cacert-manage command was successful

To remove the LE chain one would run:

# ipa-cacert-manage delete "CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US"
# ipa-cacert-manage delete "CN=ISRG Root X1,O=Internet Security Research Group,C=US"

To be left with:

# ipa-cacert-manage list
EXAMPLE.TEST IPA CA
The ipa-cacert-manage command was successful

@rcritten that seems fine to me. Can always delete the entry then add a particular certificate back, or we can enhance the command later to add remove-this-cert-only behaviour.

Please enumerate the entries, parse the CNs into a DN and compare DNs properly, to account for possible differences in DN encoding. Searching by CN won't cut it. (We/users have been bit by similar bugs before in certstore code).

This isn't searching by CN, it is more or less by subject. One can specify a nickname to be used when installing a cert. If no nickname is specified then the subject is used as the nickname.

The nickname is displayed in the list output and is the input for delete. apples-to-apples.

@rcritten yep, reviewing your PR now and I saw that that is the case, and it's OK with me. Inevitably someone will get confused about it somewhere down the line (like I just did ^_^). Perhaps the man page should elaborate that the nickname must be as it appears in the list output?

master:

  • acfb619 Add delete option to ipa-cacert-manage to remove CA certificates
  • 6cb4f4b ipa-certupdate removes all CA certs from db before adding new ones
  • 8e71605 Add tests for ipa-cacert-manage delete command

ipa-4-8:

  • 37f81cc Add delete option to ipa-cacert-manage to remove CA certificates
  • 7d81a34 ipa-certupdate removes all CA certs from db before adding new ones
  • 78827db Add tests for ipa-cacert-manage delete command

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
4 years ago

Metadata Update from @rcritten:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1542737
3 years ago

Issue linked to Bugzilla: Bug 1542737

Login to comment on this ticket.

Metadata
None
None
None
None
None
None
None
None
None
None
None
None
None
None
None
None
None
None
None
https://bugzilla.redhat.com/show_bug.cgi?id=1542737
None
None
None
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.