Me and Shanks were trying to configure IPA server installation with an external CA set-up. For testing purpose, we planned to use certutil — part of mozilla nss-tools (Network Security Services) package. IPA generates a CSR(certificate signing request) called ipa.csr when you try to install it w/ the option –external-ca . The plan is to sign ipa.csr with an external CA(let’s say SubCA) which is signed by another CA(RootCA). So that there is a certificate chain of trust involved. After a bit of trial and error, this how it worked out:
To auto-generate a CSR (located /root/ipa.csr) to be signed by an external CA, while configuring IPA server, run:
$ ipa-server-install --external-ca
For illustration purpose, let’s create a temporary NSS db
$ certutil -N -d /var/tmp/testdb
Create a (self-signed)Root CA
Now, create a (self-signed)Root CA, and list the contents of the NSS(Network Security Services) db
$ certutil -S -n "IPA ROOTCA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d .
$ certutil -L -d .
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
IPA ROOTCA certificate CTu,u,u
Note: Under the ‘Trust Attributes’, the ‘u’ attribute indicates that corresponding private key is also available in that database. Keys can be listed by running # certutil -K -d /path/to/nssdb
Setup Subordinate CA
Create a CSR for the Subordinate CA which will be signed by the Root CA created in the previous step
$ certutil -R -s "cn=SUB-Certificate Authority, O=LAB.TEST.REDHAT.COM" -p "9323" -o ipasubca.req -d . -a
Now, sign this CSR with Master CA and output the certificate to a file
$ certutil -C -m 2346 -i ipasubca.req -o ipasubcacert.crt -c "IPA ROOTCA certificate" -d . -a
And, add this certificate to the NSS db, and provide a nick name to it.
$ certutil -A -d . -i ipasubcacert.crt -t "CTu,Cu,Cu" -n "IPA SUBCA certificate"
Now, list the certificates. (Both certs are listed and available)
$ certutil -L -d .
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
IPA ROOTCA certificate CTu,u,u
IPA SUBCA certificate CTu,Cu,Cu
Sign certs using the SubCA
First, export the ROOTCA cert into b64 ascii cert. So that we can later create an ascii chain ca cert file
$ certutil -L -d . -n "IPA ROOTCA certificate" -a > iparootca.crt
Create a CA chain file by concatenating iparootca.crt and ipasubcacert.crt into one single file.
$ cat iparootca.crt ipasubcacert.crt > chainca.crt
Let’s sign the ipa.csr using the SubCA configured previously.
$ certutil -C -m 2346 -i ipa.csr -o ipa.crt -c "IPA SUBCA certificate" -d . -a
Now, to install IPA server successfully using the external chainca set-up, provide this command-line
$ ipa-server-install --external_cert_file=ipa.crt --external_ca_file=/tmp/chainca.crt
Voila! IPA server successfully configured. [I didn’t include the complete, long stdout of ipa-server-install to keep this brief.]
Also note: Instead of the ipa.csr, you can sign any other CSRs(user,server,etc..) generated using either certutil or any other tool(like openssl) using the above RootCA/Subca set-up.
Kashyap Chamarthy 
Pingback: Links 13/10/2011: Humble Synapse Bundle Shows Linux Generosity, Ubuntu 11.10 Out | Techrights
shouldn’t the titile be “Importing CA chain” to IPA server ?
That’s one way to put it (in IPA context) . But the ‘certutil’ operations(of creating a CA, subCA..) are generic enough to demonstrate creating a CA chain.
Where does ipaserver.crt come from?
I believe that ipaserver.crt should be ipa.crt
Yep, thanks Michael for spotting it. I just updated the post with that edit.