Hi, first I would like to thank you all for your great work on FreeIPA! I'm having a problem with how FreeIPA (installed with an external CA) is creating the CA chain in the wrong order (if I'm not wrong) according to RFC 5280 section 6.1 [1]. When I try to use /etc/ipa/ca.crt in a third-party web app, the app won't start until I fix the chain order.
So my question is how to fix this wrong chain order generated by ipa-certupdate.

PS: I created a test instance and made a self-signed CA and then intermediate CAs to show how FreeIPA will construct the chain. For this chain:

ROOTCA <- INTERCA-B <- INTERCA-C <- INTERCA-D <- INTERCA-E <- INTERCA-IPA

FreeIPA ipa-certupdate creates this chain:

0: subject=CN = INTERCA-B issuer=CN = ROOTCA
1: subject=CN = INTERCA-C issuer=CN = INTERCA-B
2: subject=CN = INTERCA-D issuer=CN = INTERCA-C
3: subject=CN = INTERCA-E issuer=CN = INTERCA-D
4: subject=CN = ROOTCA issuer=CN = ROOTCA
5: subject=CN = INTERCA-IPA issuer=CN = INTERCA-E

The right order should be:

0: subject=CN = INTERCA-IPA issuer=CN = INTERCA-E
1: subject=CN = INTERCA-E issuer=CN = INTERCA-D
2: subject=CN = INTERCA-D issuer=CN = INTERCA-C
3: subject=CN = INTERCA-C issuer=CN = INTERCA-B
4: subject=CN = INTERCA-B issuer=CN = ROOTCA
5: subject=CN = ROOTCA issuer=CN = ROOTCA

Is there anything I can do to fix this situation? Right now I'm handling it with ipa-getcert request --after-command.

[1] - https://datatracker.ietf.org/doc/html/rfc5280#section-6.1

-- 
[email protected]
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
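Added example, not part of the post above and not FreeIPA's own code: a standard-library-only Python script that rewrites a PEM CA bundle such as /etc/ipa/ca.crt into the RFC 5280 section 6.1 path order the poster describes (end entity or deepest CA first, each certificate followed by its issuer, the self-signed trust anchor last). It reads only the subject and issuer Names out of the DER, so it needs no external CA tooling, and it refuses rather than guesses when the bundle is not one linear path (a missing issuer, an issuer loop, or more than one chain end, which is what you would see if the file also carries unrelated trust anchors). The function names are the example's own, and the sample bundle is constructed from unsigned dummy certificates that reproduce the ipa-certupdate order quoted in the post; it is not a real CA chain.

```python
"""Reorder a PEM CA bundle into RFC 5280 section 6.1 path order (leaf first, trust anchor last)."""
import base64
import re
import sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
CN_OID = b"\x55\x04\x03"  # id-at-commonName (2.5.4.3)

def _tlv(buf, pos):
    """(tag, contents, end) of the DER element at buf[pos]; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # low 7 bits give the number of length bytes that follow
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def _children(buf, pos=0):
    while pos < len(buf):
        tag, contents, pos = _tlv(buf, pos)
        yield tag, contents

def subject_issuer(cert_der):
    """(subject, issuer) as the DER contents of the Name fields of a Certificate.
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, ... }
    Byte-equal Names are the exact-match case of RFC 5280 name comparison."""
    _, cert_body, _ = _tlv(cert_der, 0)  # contents of the outer Certificate SEQUENCE
    _, tbs, _ = _tlv(cert_body, 0)       # contents of tbsCertificate
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:  # explicit [0] version present: skip it
        fields = fields[1:]
    return fields[4][1], fields[2][1]

def common_name(name_der):
    """First commonName in a DER Name, for display only (matching uses raw bytes)."""
    for _, rdn in _children(name_der):  # RelativeDistinguishedName = SET OF AttributeTypeAndValue
        for _, atv in _children(rdn):
            (_, oid), (_, value) = list(_children(atv))  # SEQUENCE { type OID, value }
            if oid == CN_OID:
                return value.decode("utf-8")
    return None

def decode_pem(text):
    return [base64.b64decode("".join(m.group(1).split())) for m in PEM_RE.finditer(text)]

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def order_chain(pem_text):
    """PEM strings of the bundle in path order; assumes one linear path, else ValueError."""
    certs = decode_pem(pem_text)
    info = {i: subject_issuer(c) for i, c in enumerate(certs)}
    issuers = {iss for subj, iss in info.values() if iss != subj}  # self-signatures do not count
    leaves = [i for i, (subj, _) in info.items() if subj not in issuers]
    if len(leaves) != 1:  # e.g. a bundle that also carries unrelated trust anchors
        raise ValueError(f"expected exactly one chain end, found {len(leaves)}")
    by_subject = {subj: i for i, (subj, _) in info.items()}
    ordered, cur = [], leaves[0]
    while True:
        if cur in ordered:  # cross-signing loop: every walk must end at a self-signed cert
            raise ValueError("issuer loop in bundle")
        ordered.append(cur)
        subj, iss = info[cur]
        if subj == iss:  # self-signed trust anchor closes the path
            break
        if iss not in by_subject:
            raise ValueError(f"no issuer in bundle for {common_name(subj)!r}")
        cur = by_subject[iss]
    if len(ordered) != len(certs):
        raise ValueError("bundle contains certificates that are not on the path")
    return [to_pem(certs[i]) for i in ordered]

def _der(tag, body):
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    k = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | k]) + n.to_bytes(k, "big") + body

def fake_cert(subject_cn, issuer_cn):
    """Constructed test data: structurally valid but UNSIGNED, with a dummy key and signature."""
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, _der(0x06, CN_OID) + _der(0x0C, cn.encode()))))
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"340101000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + name(issuer_cn)
               + validity + name(subject_cn) + _der(0x30, alg + _der(0x03, b"\x00")))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))

def scrambled_bundle():
    """The order the post reports from ipa-certupdate: B, C, D, E, ROOTCA, IPA (constructed)."""
    pairs = [("INTERCA-B", "ROOTCA"), ("INTERCA-C", "INTERCA-B"), ("INTERCA-D", "INTERCA-C"),
             ("INTERCA-E", "INTERCA-D"), ("ROOTCA", "ROOTCA"), ("INTERCA-IPA", "INTERCA-E")]
    return "".join(to_pem(fake_cert(s, i)) for s, i in pairs)

if __name__ == "__main__":  # python reorder_chain.py /etc/ipa/ca.crt > ca-ordered.crt
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else scrambled_bundle()
    sys.stdout.write("".join(order_chain(src)))
```

Run without arguments it reorders the constructed sample and prints INTERCA-IPA first and ROOTCA last; with a path it reorders that file, so it can be called from the same --after-command hook the poster already uses to produce a separate, correctly ordered copy for the application rather than editing /etc/ipa/ca.crt in place. Note that validators which build the path themselves (openssl verify, most TLS libraries) do not care about the order of certificates in a trust store file; the order only matters to software that reads the bundle top to bottom as a chain, which is the case the post describes.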
