[Freeipa-devel] [freeipa] #3668: CA-less install fails when intermediate CA is used

Jan Cholasta jcholast at redhat.com
Fri Jun 7 12:57:55 UTC 2013


On 7.6.2013 14:26, Martin Kosek wrote:
> On 06/07/2013 02:04 PM, Dmitri Pal wrote:
>> On 06/07/2013 03:47 AM, freeipa wrote:
>>> #3668: CA-less install fails when intermediate CA is used
>>> -------------------------------------+-------------------------------------
>>>                 Reporter:  jcholast   |             Owner:  jcholast
>>>                     Type:  defect     |            Status:  assigned
>>>                 Priority:  major      |         Milestone:  2013 Month 06 -
>>>                Component:             |  June (3.2.x bug fixing)
>>>    Installation                       |           Version:
>>>               Resolution:             |          Keywords:
>>>               Blocked By:             |          Blocking:
>>>            Tests Updated:  0          |       Affects DOC:  0
>>> Patch posted for review:  0          |  Red Hat Bugzilla:
>>>                   Source:             |       Effort Type:
>>>         Targeted feature:             |       Design link:
>>>            Design review:  0          |  Fedora test page:
>>>                   Chosen:             |   Needs UI design:
>>> -------------------------------------+-------------------------------------
>>> Release Notes:
>>>
>>>
>>> -------------------------------------+-------------------------------------
>>> Changes (by mkosek):
>>>
>>>   * rhbz:  0 =>
>>>
>>>
>>> Comment:
>>>
>>>   We do not support intermediate CAs for external CA install or CA-less
>>>   install. Thus, this ticket cannot be easily solved without extensive changes to
>>>   the installer. Related to #3274 (Pilsner milestone).
>>>
>>>   Moving back to triage to decide what to do about this ticket.
>>>
>> So you are saying that CA we chain to or get the certs from should
>> always be a root CA?
>> Why does it matter for our code whether the CA we deal with a Root CA or
>> not?
>
> No, this is a case when a CA you pass for FreeIPA is not a direct "parent" of
> HTTP/DIRSRV certificates, i.e. there is an intermediate CA between the CA
> passed to IPA and the actual certs.
>
> It should not mean that the root CA you pass to IPA must be necessarily a root
> CA of the entire chain. Jan, is this correct? Can you elaborate?

Yes, this is correct. The DS certificate must be directly signed by the 
CA trusted by IPA (specified by --root-ca-cert in ipa-server-install); 
there may be no intermediate CAs, because ldapsearch and friends and 
python-ldap don't like them.

Honza

-- 
Jan Cholasta
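The constraint Jan describes above (the DS/HTTP certificate must be issued directly by the CA handed to --root-ca-cert, with no intermediate in between, although that CA need not be the root of the whole chain) can be checked before running ipa-server-install. The script below is an added example and is not code from this thread or from the FreeIPA project: it builds a throwaway PKI with a constructed root CA, intermediate CA and two server certificates (one issued by the root, one via the intermediate), then checks each one. It assumes only the openssl command-line tool; the CA names, the hostname and the function name `directly_issued_by` are constructed for the example.

```shell
#!/bin/sh
# Added example (not FreeIPA code): pre-flight check for a CA-less install.
# A server certificate is acceptable for --root-ca-cert only if the CA given
# is its *direct* issuer: the cert's issuer name equals the CA's subject and
# the signature verifies with that CA alone, no intermediates involved.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# directly_issued_by CERT CA: exit 0 if CERT was signed directly by CA.
directly_issued_by() {
  cert=$1
  ca=$2
  issuer=$(openssl x509 -in "$cert" -noout -issuer -nameopt RFC2253 | cut -d= -f2-)
  subject=$(openssl x509 -in "$ca" -noout -subject -nameopt RFC2253 | cut -d= -f2-)
  # Name check: the issuer DN must be the CA's subject DN.
  [ "$issuer" = "$subject" ] || return 1
  # Signature check with only CA in the trust store. -partial_chain lets the
  # CA be a non-self-signed (intermediate) certificate, matching Martin's
  # point that the CA passed to IPA need not be the root of the whole chain.
  openssl verify -partial_chain -CAfile "$ca" "$cert" >/dev/null 2>&1
}

# --- constructed test PKI (all names are made up for this example) ---
cat >"$WORK/ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF
cat >"$WORK/leaf.ext" <<'EOF'
basicConstraints=CA:FALSE
extendedKeyUsage=serverAuth
subjectAltName=DNS:ds.example.test
EOF

# Self-signed root CA.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj "/CN=Example Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

# Intermediate CA signed by the root.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=Example Intermediate CA" \
  -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 1 -sha256 -extfile "$WORK/ca.ext" \
  -out "$WORK/inter.pem" 2>/dev/null

# Server certificate issued directly by the root (what IPA accepts).
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=ds.example.test" \
  -keyout "$WORK/ds-direct.key" -out "$WORK/ds-direct.csr" 2>/dev/null
openssl x509 -req -in "$WORK/ds-direct.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 1 -sha256 -extfile "$WORK/leaf.ext" \
  -out "$WORK/ds-direct.pem" 2>/dev/null

# Server certificate issued by the intermediate (the failing case in #3668).
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=ds.example.test" \
  -keyout "$WORK/ds-via-intermediate.key" -out "$WORK/ds-via-intermediate.csr" 2>/dev/null
openssl x509 -req -in "$WORK/ds-via-intermediate.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
  -CAcreateserial -days 1 -sha256 -extfile "$WORK/leaf.ext" \
  -out "$WORK/ds-via-intermediate.pem" 2>/dev/null

# Report each candidate against the CA an admin would pass as --root-ca-cert.
for leaf in ds-direct ds-via-intermediate; do
  if directly_issued_by "$WORK/$leaf.pem" "$WORK/root.pem"; then
    echo "$leaf: directly issued by root CA, usable with --root-ca-cert"
  else
    echo "$leaf: NOT directly issued, an intermediate CA sits in between"
  fi
done
```

Running it prints one line per certificate; the certificate issued via the intermediate is rejected against the root, but passes when the intermediate itself is given as the CA, which is the configuration the thread says IPA can accept.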
