I found my error and got past this and completed the rest of the
steps up to setting up the new server. Is there an easy way to
test a certificate granted by their CA to see if it's now going to
be accepted on a system where IPA's root CA certificate is present
but their Root CA is not? I'd like to verify this before
installing the new IPA CA for them.
Huh, it all worked? I'm surprised it accepted the CN.
Well, you can verify the certificate chain with OpenSSL. And when
you configure the server software, be sure to include the Web Team
CA in the chain, otherwise there will be a missing link for clients
that only have the IPA CA in their trust store.
Thanks,
Fraser
--
Bret Wortman
bret.wortman(a)damascusgrp.com
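As an added example (not code from the thread), the chain check Fraser suggests, run against a constructed throwaway chain so it works offline: a stand-in root CA, a subordinate "Web Team" CA signed by it, and one service certificate, all with made-up names. The `verify_leaf` function mimics a client whose trust store holds only the root CA; it succeeds when the server supplies the Web Team CA as an intermediate and fails when it does not, which is the missing link described above.

```shell
#!/bin/sh
# Constructed demo: root CA -> subordinate CA -> service cert, built in a temp
# dir, then verified the way a client trusting only the root would see it.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Root CA: stand-in for the IPA CA that clients already trust (made-up name).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
  -subj "/O=DEMO/CN=DEMO IPA Root CA" \
  -keyout ipa-ca.key -out ipa-ca.crt 2>/dev/null

# Subordinate CA: stand-in for the Web Team CA, signed by the root with CA:TRUE.
openssl req -new -newkey rsa:2048 -nodes \
  -subj "/O=DEMO/CN=demo.example DG Web Team Root CA" \
  -keyout web-ca.key -out web-ca.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in web-ca.csr -CA ipa-ca.crt -CAkey ipa-ca.key -CAcreateserial \
  -days 30 -sha256 -extfile ca.ext -out web-ca.crt 2>/dev/null

# Service certificate issued by the Web Team CA (made-up hostname).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.demo.example" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.demo.example\n' > leaf.ext
openssl x509 -req -in leaf.csr -CA web-ca.crt -CAkey web-ca.key -CAcreateserial \
  -days 30 -sha256 -extfile leaf.ext -out leaf.crt 2>/dev/null

# verify_leaf [intermediates-file]: returns 0 when a client that trusts only
# ipa-ca.crt can build a path to leaf.crt using the intermediates the server
# would send (pass an empty string to simulate a server that omits the sub-CA).
verify_leaf() {
  if [ -n "$1" ]; then
    openssl verify -CAfile ipa-ca.crt -untrusted "$1" leaf.crt >/dev/null 2>&1
  else
    openssl verify -CAfile ipa-ca.crt leaf.crt >/dev/null 2>&1
  fi
}

# Shown for the reader: with the intermediate the chain verifies, without it
# openssl reports "unable to get local issuer certificate".
verify_leaf web-ca.crt && echo "with sub-CA in chain: OK"
verify_leaf "" || echo "without sub-CA in chain: FAILED (missing link)"
```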
On Tue, Feb 16, 2021, at 9:23 AM, Bret Wortman wrote:
> Because the full CN is actually "damascusgrp.com DG Web Team Root CA",
> does that complicate this or do I just need to find a way to add all
> that as a host?
>
>
> --
> Bret Wortman
> bret.wortman(a)damascusgrp.com
>
> On Tue, Feb 16, 2021, at 8:06 AM, Bret Wortman wrote:
> > I may well have messed this up, but here's what I've done:
> >
> > # ipa host-add --force damascusgrp.com
> > ----------------------------
> > Added host "damascusgrp.com"
> > ----------------------------
> > Host name: damascusgrp.com
> > Principal name: host/damascusgrp.com(a)DAMASCUSGRP.COM
> > Principal alias: host/damascusgrp.com(a)DAMASCUSGRP.COM
> > Password: False
> > Member of host-groups: allow_all_hosts
> > Indirect Member of netgroup: allow_all_hosts
> > Keytab: False
> > Managed by: damascusgrp.com
> > # ipa certprofile-show caIPAserviceCert --out SubCA.cfg
> > ------------------------------------------------
> > Profile configuration stored in file "SubCA.cfg"
> > ------------------------------------------------
> > Profile ID: caIPAserviceCert
> > Profile description: Standard profile for network services
> > Store issued certificates: TRUE
> > # vim SubCA.cfg
> > :
> > profileId=damascusgrp.com
> > :
> > # ipa certprofile-import 'damascusgrp.com' --desc "Web Team CA" --file SubCA.cfg --store=1
> > ipa: ERROR: invalid 'id': invalid Profile ID
> >
> >
> > --
> > Bret Wortman
> > bret.wortman(a)damascusgrp.com
> >
> > On Tue, Feb 16, 2021, at 7:40 AM, Bret Wortman wrote:
> > > Just to be clear, I'm going to follow the steps, but instead of setting
> > > up sub.ipa.local, I'm going to instead use simply "damascusgrp.com",
> > > yielding a principal named host/damascusgrp.com(a)DAMASCUSGRP.COM, right?
> > > And then proceed through the rest of the steps.
> > >
> > >
> > > --
> > > Bret Wortman
> > > bret.wortman(a)damascusgrp.com
> > >
> > > On Tue, Feb 16, 2021, at 7:05 AM, Bret Wortman wrote:
> > > > Okay, I'll give it a try. Thanks!
> > > >
> > > >
> > > > --
> > > > Bret Wortman
> > > > bret.wortman(a)damascusgrp.com
> > > >
> > > > On Tue, Feb 16, 2021, at 6:59 AM, Fraser Tweedale wrote:
> > > > > On Tue, Feb 16, 2021 at 05:53:31AM -0500, Bret Wortman wrote:
> > > > > > Fraser,
> > > > > >
> > > > > > It doesn't look like we fit the model. Our IPA CA's cert is as
> > > > > > expected, but the other one is:
> > > > > >
> > > > > > $ openssl x509 -noout -in web-ca.crt -issuer
> > > > > > issuer= /C=US/ST=VA/L=Fairfax/O=DG Web Team/OU=DG/CN=damascusgrp.com DG Web Team Root CA
> > > > > >
> > > > > > Since I don't see a hostname in there anywhere (and in fact,
> > > > > > further conversations with this team turned up the fact that
> > > > > > they're just creating these by hand using openssl commands rather
> > > > > > than running any sort of service at all), I'm hesitant to just
> > > > > > barge ahead and try to make it work on my own...
> > > > >
> > > > > The CN (damascusgrp.com) is a domain name. You can add a host
> > > > > object with that name to FreeIPA. I think the procedure outlined in
> > > > > the blog post should work for you.
> > > > >
> > > > > Cheers,
> > > > > Fraser
> > > > >
> > > > > >
> > > > > > --
> > > > > > Bret Wortman
> > > > > > bret.wortman(a)damascusgrp.com
> > > > > >
> > > > > > On Mon, Feb 15, 2021, at 8:30 PM, Fraser Tweedale wrote:
> > > > > > > On Mon, Feb 15, 2021 at 10:10:59AM -0500, Bret Wortman via FreeIPA-users wrote:
> > > > > > > > We had a developer team deploy their own CA and then issue a slew
> > > > > > > > of certificates for users' workstations and other servers, and now
> > > > > > > > they want us to deploy those certificates more widely. I'd rather
> > > > > > > > find a way to bring their CA under ours so that the root CA
> > > > > > > > certificate we already distribute will make theirs "just work"
> > > > > > > > rather than having to distribute another set of root CA
> > > > > > > > certificates.
> > > > > > > >
> > > > > > > > Is this possible, or would they have to start over and build a
> > > > > > > > subordinate CA from the ground up to make it work? If it's perhaps
> > > > > > > > possible, under what circumstances?
> > > > > > > >
> > > > > > > Hi Bret,
> > > > > > >
> > > > > > > It is possible, but there are restrictions about what the sub-CA's
> > > > > > > subject DN can be. Have a read of this blog post:
> > > > > > >
> > > > > > > https://frasertweedale.github.io/blog-redhat/posts/2018-08-21-ipa-subordi...
> > > > > > >
> > > > > > > If your developer team's CA certificate does not fit those
> > > > > > > requirements, please share the details of the certificate
> > > > > > > (especially Subject DN) and I'll see if I can find a workaround.
> > > > > > >
> > > > > > > Cheers,
> > > > > > > Fraser
> > > > > > >
> > > > > > > >
> > > > > > > > Thanks!
> > > > > > > >
> > > > > > > > Bret
> > > > > > > > _______________________________________________
> > > > > > > > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> > > > > > > > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> > > > > > > > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > > > > > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > > > > > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> > > > > > > > Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure