Configuring Certificate Chaining using mozilla nss(network security services)

Me and Shanks were trying to configure IPA server installation with an external CA set-up. For testing purpose, we planned to use certutil — part of mozilla nss-tools (Network Security Services) package. IPA generates a CSR(certificate signing request) called ipa.csr when you try to install it w/ the option –external-ca . The plan is to sign ipa.csr with an external CA(let’s say SubCA) which is signed by another CA(RootCA). So that there is a certificate chain of trust involved. After a bit of trial and error, this how it worked out:

To auto-generate a CSR (located /root/ipa.csr) to be signed by an external CA, while configuring IPA server, run:

$ ipa-server-install --external-ca

For illustration purpose, let’s create a temporary NSS db

$ certutil -N -d /var/tmp/testdb

Create a (self-signed)Root CA
Now, create a (self-signed)Root CA, and list the contents of the NSS(Network Security Services) db

$ certutil -S -n "IPA ROOTCA certificate" -s "cn=CAcert" -x -t "CT,," -m 1000 -v 120 -d .

$ certutil -L -d .

Certificate Nickname                                         Trust Attributes

IPA ROOTCA certificate                                           CTu,u,u

Note: Under the ‘Trust Attributes’, the ‘u’ attribute indicates that corresponding private key is also available in that database. Keys can be listed by running # certutil -K -d /path/to/nssdb

Setup Subordinate CA
Create a CSR for the Subordinate CA which will be signed by the Root CA created in the previous step

$ certutil -R -s "cn=SUB-Certificate Authority, O=LAB.TEST.REDHAT.COM" -p "9323" -o ipasubca.req -d . -a

Now, sign this CSR with Master CA and output the certificate to a file

$ certutil -C -m 2346 -i ipasubca.req -o ipasubcacert.crt -c "IPA ROOTCA certificate" -d . -a

And, add this certificate to the NSS db, and provide a nick name to it.

$ certutil -A -d . -i ipasubcacert.crt -t "CTu,Cu,Cu" -n "IPA SUBCA certificate"

Now, list the certificates. (Both certs are listed and available)

$ certutil -L -d .

Certificate Nickname                                         Trust Attributes

IPA ROOTCA certificate                                       CTu,u,u
IPA SUBCA certificate                                        CTu,Cu,Cu

Sign certs using the SubCA
First, export the ROOTCA cert into b64 ascii cert. So that we can later create an ascii chain ca cert file

$ certutil -L -d . -n "IPA ROOTCA certificate" -a > iparootca.crt

Create a CA chain file by concatenating iparootca.crt and ipasubcacert.crt into one single file.

$ cat iparootca.crt ipasubcacert.crt > chainca.crt

Let’s sign the ipa.csr using the SubCA configured previously.

$ certutil -C -m 2346 -i ipa.csr -o ipa.crt -c "IPA SUBCA certificate" -d . -a

Now, to install IPA server successfully using the external chainca set-up, provide this command-line

$ ipa-server-install --external_cert_file=ipa.crt --external_ca_file=/tmp/chainca.crt

Voila! IPA server successfully configured. [I didn’t include the complete, long stdout of ipa-server-install to keep this brief.]

Also note: Instead of the ipa.csr, you can sign any other CSRs(user,server,etc..) generated using either certutil or any other tool(like openssl) using the above RootCA/Subca set-up.



Filed under Uncategorized

6 responses to “Configuring Certificate Chaining using mozilla nss(network security services)

  1. Pingback: Links 13/10/2011: Humble Synapse Bundle Shows Linux Generosity, Ubuntu 11.10 Out | Techrights

  2. shouldn’t the titile be “Importing CA chain” to IPA server ?

  3. Michael Gregg

    Where does ipaserver.crt come from?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s