Saurabh Garg via FreeIPA-users wrote:
Hi Florence,
Thanks for all the help so far.
In the scenario where we need to change the current ca certificate with the one signed by
an external CA:
As per your suggestion we are running the "ipa-cacert-manage install" command to
provide all the CA certs in the chain, one at a time, starting from the root CA, as pasted
below:
[root@ldmserver01 certs]# ipa-cacert-manage install root.pem
Installing CA certificate, please wait
Not a valid CA certificate: missing subject key identifier extension (visit
http://www.freeipa.org/page/Troubleshooting for troubleshooting
guide)
The ipa-cacert-manage command failed.
[root@ldmserver01 certs]#
The command complains about missing subject key identifier extension in the external ca
root certificate.
Please advise how we can make it work. We can't expect our CA team to fix this for
us, as this external CA server and its CA chain are already being used by so many other
services.
Sorry, it is a mandatory extension. Per the commit message for
https://pagure.io/freeipa/issue/6976 :
CA certificates MUST have the Subject Key Identifier extension to
facilitate certification path construction. Not having this extension
on the IPA CA certificate will cause failures in Dogtag during signing;
it tries to copy the CA's Subject Key Identifier to the new
certificate's Authority Key Identifier extension, which fails.
rob
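To see in advance which certificate in an external chain will trip this check, the following script is an added example (not FreeIPA, Dogtag, or code from anyone in this thread). It walks the certificate's DER with the standard library only, reports whether the Subject Key Identifier extension (OID 2.5.29.14) is present, and also computes the RFC 5280 section 4.2.1.2 method-1 value (SHA-1 of the subjectPublicKey bits), which is what OpenSSL's `subjectKeyIdentifier=hash` would have put there and what Dogtag copies into the issued certificate's Authority Key Identifier. The two certificates it inspects are constructed skeletons built by `fake_cert()` with a placeholder key and a bogus signature, so it runs offline; point `inspect_pem()` at the contents of a real `root.pem` to check a live chain.

```python
"""Added example, not FreeIPA/Dogtag code: check an X.509 cert for the Subject Key
Identifier extension (OID 2.5.29.14) with a pure-stdlib DER walk (no signature checks).
The certs built by fake_cert() are constructed skeletons, not real certificates."""
import base64
import hashlib
import re

SKI_OID = "2.5.29.14"
BASIC_CONSTRAINTS_OID = "2.5.29.19"

def der_read(buf, pos=0):
    """Read one DER TLV at pos -> (tag, value, next_pos); X.509 only needs single-byte tags."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(body):
    """Split a SEQUENCE/SET body into (tag, value) children."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_read(body, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, n = arcs + [n], 0
    return ".".join(map(str, arcs))

def inspect_cert(der):
    """Return has_ski / ski / expected_ski (RFC 5280 4.2.1.2 method 1) / is_ca for one DER cert."""
    _, cert, _ = der_read(der)
    fields = der_children(der_children(cert)[0][1])     # tbsCertificate fields
    idx = 1 if fields[0][0] == 0xA0 else 0               # skip [0] EXPLICIT version when present
    spki = fields[idx + 5][1]                             # serial, sigAlg, issuer, validity, subject, spki
    pub_bits = next(v for t, v in der_children(spki) if t == 0x03)
    info = {"has_ski": False, "ski": None, "is_ca": False,
            "expected_ski": hashlib.sha1(pub_bits[1:]).hexdigest()}   # [1:] drops unused-bits octet
    for t, ext_seq in fields:
        if t != 0xA3:                                     # [3] EXPLICIT Extensions
            continue
        _, exts, _ = der_read(ext_seq)
        for _, ext in der_children(exts):
            parts = der_children(ext)                     # OID, [critical BOOLEAN], OCTET STRING
            ext_oid, extn_value = decode_oid(parts[0][1]), parts[-1][1]
            if ext_oid == SKI_OID:
                _, key_id, _ = der_read(extn_value)       # KeyIdentifier ::= OCTET STRING
                info["has_ski"], info["ski"] = True, key_id.hex()
            elif ext_oid == BASIC_CONSTRAINTS_OID:
                _, bc, _ = der_read(extn_value)           # BasicConstraints ::= SEQUENCE { cA BOOLEAN OPTIONAL, ... }
                info["is_ca"] = any(bt == 0x01 and bv == b"\xff" for bt, bv in der_children(bc))
    return info

def inspect_pem(text):
    """Same check for PEM text, e.g. open('root.pem').read()."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return inspect_cert(base64.b64decode("".join(m.group(1).split())))

def to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

# --- minimal DER encoder, used only to build the constructed sample certificates ---
def tlv(tag, content):
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunks = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunks.insert(0, 0x80 | (a & 0x7F))
        out += bytes(chunks)
    return tlv(0x06, out)

def fake_cert(with_ski):
    """Constructed v3 CA certificate skeleton with a bogus signature; only the structure is real."""
    pubkey = bytes(range(64))                             # placeholder bytes, not a real key
    alg = tlv(0x30, oid("1.2.840.113549.1.1.11") + tlv(0x05, b""))   # sha256WithRSAEncryption
    spki = tlv(0x30, tlv(0x30, oid("1.2.840.113549.1.1.1") + tlv(0x05, b"")) + tlv(0x03, b"\x00" + pubkey))
    name = tlv(0x30, tlv(0x31, tlv(0x30, oid("2.5.4.3") + tlv(0x0C, b"Constructed Root CA"))))
    validity = tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"340101000000Z"))
    exts = [tlv(0x30, oid(BASIC_CONSTRAINTS_OID) + tlv(0x01, b"\xff") + tlv(0x04, tlv(0x30, tlv(0x01, b"\xff"))))]
    if with_ski:                                          # what OpenSSL's subjectKeyIdentifier=hash adds
        exts.append(tlv(0x30, oid(SKI_OID) + tlv(0x04, tlv(0x04, hashlib.sha1(pubkey).digest()))))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + name + validity
              + name + spki + tlv(0xA3, tlv(0x30, b"".join(exts))))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + bytes(16)))

if __name__ == "__main__":
    for label, der in (("with SKI", fake_cert(True)), ("without SKI", fake_cert(False))):
        info = inspect_pem(to_pem(der))
        print(label + ": " + ("OK, SKI=" + info["ski"] if info["has_ski"]   # second case is what ipa-cacert-manage rejects
              else "missing subject key identifier extension; method-1 value would be " + info["expected_ski"]))
```

The same question can be answered for a real file with `openssl x509 -in root.pem -noout -text | grep -A1 'Subject Key Identifier'`; the script is useful when you want to check every member of a chain and see which value Dogtag would be copying. The method-1 value printed for a certificate that lacks the extension is informational only: as Rob's reply says, ipa-cacert-manage will not accept such a CA certificate, so the external CA has to be reissued with the extension present.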