My company has more than one CA and I would like to get FreeIPA clients to trust all of them.
Some time ago, I ran ipa-cacert-manage install orgcert.crt to install one of these CA certificates into the directory. A subsequent run of ipa-certupdate resulted in much joy as the CA certificate was indeed written out to ipa-p11.kit and added to the system trust store.
ipa-cacert-manage install orgcert.crt
ipa-certupdate
ipa-p11.kit
Some time later, the CA's certificate neared expiry and a new certificate with the same Subject DN was issued. I duly ran ipa-cacert-manage install neworgcert.crt on this certificate. I expected that this would replace the original certificate in the directory, but instead it has added a second certificate with the same name:
ipa-cacert-manage install neworgcert.crt
# ipa-cacert-manage list IPA.EXAMPLE.COM IPA CA CN=RCAERE01-CA-2,DC=RCAERE-1,DC=LOCAL CN=org-CERTROOTCA02-CA,DC=example,DC=com CN=org-CERTROOTCA02-CA,DC=example,DC=com CN=Certificate Authority,O=EXAMPLEUNIX
The directory contains a single entry, using multi-valued attributes to store both certificates owned by the CA:
$ ldapvi --out -Q -b cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=example,dc=com dn: cn=CN\3Dorg-CERTROOTCA02-CA\2CDC\3Dexample\2CDC\3Dcom,cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=example,dc=com ipaKeyExtUsage: 1.3.6.1.5.5.7.3.1 ipaKeyExtUsage: 1.3.6.1.5.5.7.3.2 ipaKeyExtUsage: 1.3.6.1.5.5.7.3.3 ipaKeyExtUsage: 1.3.6.1.5.5.7.3.4 cn: CN=org-CERTROOTCA02-CA,DC=example,DC=com objectClass: ipaCertificate objectClass: pkiCA objectClass: ipaKeyPolicy objectClass: top ipaCertSubject: CN=org-CERTROOTCA02-CA,DC=example,DC=com ipaPublicKey:: MII... cACertificate;binary:: MII... cACertificate;binary:: MII... ipaKeyTrust: trusted ipaCertIssuerSerial: CN=org-CERTROOTCA02-CA,DC=example,DC=com;123456789012345 ipaCertIssuerSerial: CN=org-CERTROOTCA02-CA,DC=example,DC=com;674937604067420
That is, the caCertificate and ipaCertIssuerSerial attributes are multi-valued.
caCertificate
ipaCertIssuerSerial
Now, this does not seem to cause a problem with FreeIPA itself; however while trying to find a solution for #8106 it was suggested that this is not the intended behaviour (and my initial assumption that the old certificate would be replaced by the new one would have been correct).
$ rpm -q ipa-server ipa-client 389-ds-base pki-ca krb5-server ipa-server-4.6.5-11.el7_7.3.x86_64 ipa-client-4.6.5-11.el7_7.3.x86_64 389-ds-base-1.3.8.4-22.el7_6.x86_64 pki-ca-10.5.9-10.el7_6.noarch krb5-server-1.15.1-37.el7_6.x86_64
If the certificate should have been replaced then some part of FreeIPA needs to do that, and there needs to be some way of removing the duplicate entry after freeipa-server has been updated (manually editing LDAP entries is not fun...) :)
freeipa-server
If the duplicate entry is intentional then ipa-certupdate needs to perform de-duplication when it writes out the trusted certificates on Debian for consumption by update-ca-certificates (pending confirmation from the maintainer as to whether this de-duplication should be done by update-ca-certificates itself, in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945274).
update-ca-certificates
How do you define duplicate entry? Technically both certificate are distinct entries with different issuer, subject, and serial. If I understand you correct than you consider any certificate with same issuer/subject pair as distinct.
If we use only issuer+subject, then it may make roll-over of intermediate CA harder. These days chains are build with SKID / AKID and not with subject name / issuer name. It is possible to have two valid intermediate CAs with same issue and same subject but different SKID. Cross-signing uses a similar technique.
It might be better to refrain from automatic replacement and rather improve ipa-certupdate to allow easy removal of certificates.
How do you define duplicate entry? Technically both certificate are distinct entries with different issuer, subject, and serial. If I understand you correct than you consider any certificate with same issuer/subject pair as distinct
I mean two certificates with the same Subject DN. That's based on https://frasertweedale.github.io/blog-redhat/posts/2017-11-20-changing-ca-subject-dn-part-i.html which says,
The Subject DN uniquely identifies the CA. It is the CA. A CA can have multiple concurrent certificates, possibly with different keys and key types. But if the Subject DN is the same, they are just different certificates for a single CA. Corollary: if the Subject DN differs, it is a different CA even if the key is the same.
Since the two certificates have the same Subject DN, the symlinks created by openssl rehash /etc/ssl/certs will also clash.
openssl rehash /etc/ssl/certs
These days chains are build with SKID / AKID and not with subject name / issuer name. It is possible to have two valid intermediate CAs with same issue and same subject but different SKID.
I don't see how OpenSSL can deal with this--it is only able to distinguish certificates based on (a hash of) the Subject DN.
Yup, also it'd be nice if ipa-cacert-manage list gave me some way to distinguish between the two entries. It would be nice to see SKID, serial and validity dates. And display expired entries in a different colour. ;)
ipa-cacert-manage list
As Fraser correctly stated, a CA can have more than one certificate. Two certs with same subject is a perfectly valid use case. Two certs with same SKID are valid, too. Only the combination of (subject, issuer, serial) must be universally unique.
OpenSSL hashdir can handle different certs with same subject hash just fine. Otherwise it would be a bug in OpenSSL. Here is an example how OpenSSL rehash deals with Lets Encrypt cross-sign certs:
$ openssl rehash -v /tmp/certs Doing /tmp/certs link isrgrootx1.pem -> 4042bcee.0 link lets-encrypt-x3-cross-signed.pem -> 4f06f81d.0 link letsencryptauthorityx3.pem -> 4f06f81d.1
The last two certs have same subject DN Subject: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 and same SKID A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1 but are different certs. As you can see OpenSSL creates two symlink files for hash 4f06f81d.
Subject: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
4f06f81d
Ah, what I didn't realise is that openssl rehash takes care of collisions by incrementing that number on the end of the names of the symlinks it creates!
openssl rehash
So there's no actual problem with having multiple entries with the same Subject DN stored in the directory (save for ipa-cacert-manage not showing more info about them or letting them be removed, but that's a different RFE not a bug). So I'll close this one.
Metadata Update from @yrro: - Issue close_status updated to: invalid - Issue status updated to: Closed (was: Open)
Hold on, I think it is still a valid request to be able to remove a CA certificate from ldap.
I've been meaning to implement ipa-cacert-manage delete for a while. I can use this ticket, re-opening and updating title.
Metadata Update from @rcritten: - Issue status updated to: Open (was: Closed)
Agree with the plan; we need an easy way to remove certs from the certstore.
Metadata Update from @rcritten: - Issue assigned to rcritten
Note that I don't intend to allow removing discrete certificate values from an entry, just an entire entry.
So for example a self-signed IPA CA and the LE chain would look like:
# ipa-cacert-manage list EXAMPLE.TEST IPA CA CN=ISRG Root X1,O=Internet Security Research Group,C=US CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US The ipa-cacert-manage command was successful
To remove the LE chain one would run:
# ipa-cacert-manage delete "CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US" # ipa-cacert-manage delete "CN=ISRG Root X1,O=Internet Security Research Group,C=US"
To be left with:
# ipa-cacert-manage list EXAMPLE.TEST IPA CA The ipa-cacert-manage command was successful
@rcritten that seems fine to me. Can always delete the entry then add a particular certificate back, or we can enhance the command later to add remove-this-cert-only behaviour.
Please enumerate the entries, parse the CNs into a DN and compare DNs properly, to account for possible differences in DN encoding. Searching by CN won't cut it. (We/users have been bit by similar bugs before in certstore code).
This isn't searching by CN, it is more or less by subject. One can specify a nickname to be used when installing a cert. If no nickname is specified then the subject is used as the nickname.
The nickname is displayed in the list output and is the input for delete. apples-to-apples.
@rcritten yep, reviewing your PR now and I saw that that is the case, and it's OK with me. Inevitably someone will get confused about it somewhere down the line (like I just did ^_^). Perhaps the man page should elaborate that the nickname must be as it appears in the list output?
list
master:
ipa-4-8:
Metadata Update from @rcritten: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @rcritten: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1542737
Issue linked to Bugzilla: Bug 1542737
Login to comment on this ticket.