We're doing a FreeIPA install using our existing CA. During the install, a CSR is generated and must be signed by the CA to create a certificate. This certificate must have
X509v3 Basic Constraints: CA:TRUE
I have been researching for about an hour now and I'm at a loss as to what to do. Typically, I sign CSRs like this:
openssl x509 -req -in ipa.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out ipa.pem
This works, but CA:TRUE isn't there. I tried doing this:
openssl x509 -req -in ipa.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -extensions v3_ca -out ipa.pem
and it generated the same capabilities as the original.
I can see that the generated certificate pulls info from my openssl.cnf, but it's ignoring the extensions section, which is below.
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:true
Does anyone have any ideas on what I need to do, or what additional information I can provide? Thanks!
Sidenote: I have no GUI or GUI tools; this is all from the command line. The CSR is generated by the IPA software; I am not creating it manually.
Here's the note from IPA:
The CA signing certificate generated for the Identity Management server must be a valid CA certificate. This requires either that the Basic Constraint be set to CA=true or that the Key Usage Extension be set on the signing certificate to allow it to sign certificates.
You can make openssl x509 read a specific config using the "-extfile" option.
I would suggest you make a new config; let's name it foo.cnf. Inside it put:
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
Now run your command with a small change:
openssl x509 -req -in ipa.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -extfile foo.cnf -out ipa.pem
You should now have a cert with CA:true.
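To make the answer reproducible end to end, here is an added example (my own script, not code from the asker, the answerer, or the FreeIPA project). It assumes only the openssl CLI is on PATH; the root CA and the CSR it creates are constructed stand-ins for the asker's existing rootCA.pem/rootCA.key and for the ipa.csr that ipa-server-install produces. It signs the same CSR twice, once plainly and once with -extfile, and then checks the Basic Constraints of each result with openssl x509 -text. This also shows why the asker's -extensions v3_ca attempt did nothing: for openssl x509 -req, -extensions only names a section inside the file given by -extfile, and without -extfile no extensions are added at all. The extension file goes slightly beyond the answer's foo.cnf by marking basicConstraints critical and adding keyUsage keyCertSign/cRLSign, which is the Key Usage alternative the quoted IPA note mentions and what a certificate-signing CA should carry anyway.

```shell
#!/bin/sh
# Added example, not from the original question or answer.
# Assumes: openssl CLI available; everything below is created in a scratch dir.
set -eu

# Stand-in for the existing root CA (constructed here; the asker already has one).
make_root_ca() {
    openssl genrsa -out rootCA.key 2048 2>/dev/null
    openssl req -new -x509 -key rootCA.key -days 365 \
        -subj "/CN=Example Root CA (constructed)" -out rootCA.pem
}

# Stand-in for the CSR that ipa-server-install hands you (constructed here).
make_ipa_csr() {
    openssl genrsa -out ipa.key 2048 2>/dev/null
    openssl req -new -key ipa.key -subj "/CN=IPA CA (constructed)" -out ipa.csr
}

# The extension file from the answer, plus critical marking and keyUsage.
write_extfile() {
    cat > foo.cnf <<'EOF'
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# sign_csr <csr> <out.pem> [extfile]
# Without the third argument this is the asker's original command (no extensions);
# with it, the extensions from the file are added to the issued certificate.
sign_csr() {
    csr=$1; out=$2; ext=${3:-}
    if [ -n "$ext" ]; then
        openssl x509 -req -in "$csr" -CA rootCA.pem -CAkey rootCA.key \
            -CAcreateserial -days 365 -extfile "$ext" -out "$out" 2>/dev/null
    else
        openssl x509 -req -in "$csr" -CA rootCA.pem -CAkey rootCA.key \
            -CAcreateserial -days 365 -out "$out" 2>/dev/null
    fi
}

# has_ca_true <cert.pem>: exit 0 only if the cert carries Basic Constraints CA:TRUE.
has_ca_true() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Runs the whole demonstration in a scratch directory. Returns 0 only when the
# plainly signed cert is NOT a CA and the -extfile signed cert IS a CA.
run_demo() {
    work="$(mktemp -d)"
    if ( cd "$work" \
         && make_root_ca && make_ipa_csr && write_extfile \
         && sign_csr ipa.csr ipa-plain.pem \
         && sign_csr ipa.csr ipa.pem foo.cnf \
         && echo "ipa-plain.pem (no -extfile): $(openssl x509 -in ipa-plain.pem -noout -text | grep -c 'CA:TRUE') CA:TRUE lines" \
         && echo "ipa.pem (-extfile foo.cnf):" \
         && openssl x509 -in ipa.pem -noout -text | grep -A1 'Basic Constraints' \
         && ! has_ca_true ipa-plain.pem \
         && has_ca_true ipa.pem ); then
        status=0
    else
        status=1
    fi
    rm -rf "$work"
    return $status
}

run_demo
```

Run it as `sh demo.sh`; the second certificate's Basic Constraints block is printed so you can see CA:TRUE directly, which is the same check (openssl x509 -in ipa.pem -noout -text) worth running on the real ipa.pem before handing it back to the installer.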