Thursday 14th August 2025
Only Subordinate CA gets installed
When I verified that the correct Root CA had been added to the CA store:
Fedora:
less /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
For some reason, only the subordinate CA can be found in there:
# Bastuklubben Subordinate CA01
-----BEGIN CERTIFICATE-----
MIICxzC.........
-----END CERTIFICATE-----
The Root CA is only stored in /etc/ipa/ca.crt, so it can be installed manually later. It would be better if the Root CA were installed instead; I’m not sure why this happens.
Ubuntu/Debian:
The same thing: only the subordinate CA gets added to the trust store. The file gets a very long name based on the DN:
$ ls -l /usr/local/share/ca-certificates/ipa-ca/
total 4
-rw-r--r-- 1 root root 1359 Aug 13 17:45 'CN=Bastuklubben Subordinate CA01,O=Bastuklubben,C=NO 38622714443638986829849702124548223448038983047.crt'
$ ls /etc/ssl/certs | grep Bastu
CN=Bastuklubben_Subordinate_CA01_O=Bastuklubben_C=NO_38622714443638986829849702124548223448038983047.pem
The Root Cause:
I noticed a warning message when I tried to add the root CA manually:
localadmin@testpc:~$ sudo cp /etc/ipa/ca.crt /usr/local/share/ca-certificates/SAUNA-ROOT-CA.crt
localadmin@testpc:~$ sudo update-ca-certificates
Updating certificates in /etc/ssl/certs...
rehash: warning: skipping SAUNA-ROOT-CA.pem,it does not contain exactly one certificate or CRL
rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
When inspecting the ca.crt file, I noticed that two certificates were included in the file:
$ cat /etc/ipa/ca.crt
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Even though this OpenSSL command only displays the root (openssl x509 parses only the first certificate in a PEM file and silently ignores the rest):
$ openssl x509 -in /etc/ipa/ca.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            42:cc:73:91:75:42:a4:ed:7e:3b:b1:ee:fe:1e:70:e1:b5:a9:2a:c7
        Signature Algorithm: ecdsa-with-SHA512
        Issuer: C=NO, O=Bastuklubben, CN=Bastuklubben Root CA
        Validity
            Not Before: Aug  5 18:47:12 2025 GMT
            Not After : Jul 29 18:47:11 2055 GMT
        Subject: C=NO, O=Bastuklubben, CN=Bastuklubben Root CA
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:4e:1f:3e:d6:5c:91:48:5e:8b:45:5f:75:79:6a:
                    aa:97:69:3d:b6:61:76:95:b0:01:78:5b:5f:4c:36:
                    5e:40:af:d0:bb:ce:d1:65:00:68:d1:3f:70:e7:03:
                    29:42:6b:a9:ed:f1:26:16:6e:ff:9c:28:1e:86:45:
                    51:01:50:6b:6d
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                B8:51:C3:F2:F0:CD:06:FB:22:C8:D2:FC:FD:D1:A9:4E:F9:C9:C4:E3
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: ecdsa-with-SHA512
    Signature Value:
        30:46:02:21:00:b3:b8:31:42:8b:0b:5c:32:95:b1:7f:81:be:
        ff:fe:e3:d3:a0:7f:a1:2d:05:09:71:e6:0d:20:4a:e3:c7:81:
        c1:02:21:00:99:3e:1a:7f:d9:cd:15:3a:6f:91:e1:16:a6:3c:
        c1:29:3b:ac:3a:f3:aa:fa:82:dd:75:54:97:b3:bd:2e:af:90
The same output is seen on the IPA server itself. I don’t know why both certificates are included in the file, but it must have happened during installation, even though the --root-ca-file flag was pointing to a file containing only the root CA. When inspecting this LDAP attribute, I found out that the server is publishing the subordinate CA:
[root@ipa /]# ldapsearch -x cn=CACert
# extended LDIF
#
# LDAPv3
# base <dc=int,dc=bastuklubben,dc=online> (default) with scope subtree
# filter: cn=CACert
# requesting: ALL
#
# CAcert, ipa, etc, int.bastuklubben.online
dn: cn=CAcert,cn=ipa,cn=etc,dc=int,dc=bastuklubben,dc=online
objectClass: nsContainer
objectClass: pkiCA
objectClass: top
cn: CAcert
cACertificate;binary:: MIICxzCCAmygAwIBAgIUBsPnBJrULCfjMw775cwMFI4XRYcwCgYIKoZ
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
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
According to the documentation:
The PEM file given by --root-ca-file must contain exactly one certificate. This cert will be trusted as a root CA on the IPA server and all clients. Both server certs must be signed by this CA (possibly via a trust chain). It will be available in
/etc/ipa/ca.crt
and in the cACertificate attribute of cn=CACert,cn=ipa,cn=etc,$SUFFIX in LDAP, just like the IPA CA cert in Dogtag-based installations.
I tried to edit the /etc/ipa/ca.crt file on the server to only include one certificate:
vi etc/ipa/ca.crt
-----------------------------------------------------------------
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
But after running the ipa-certupdate command, the file reverts back to including the intermediate:
[root@ipa /]# ipa-certupdate
Systemwide CA database updated.
Systemwide CA database updated.
The ipa-certupdate command was successful
[root@ipa /]# cat /etc/ipa/ca.crt
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
As a last resort, I reinstalled the entire server to make absolutely sure that I hadn’t messed up the configuration previously.
First I wiped the container:
$ podman compose down -v
Then I deleted the mount point for the certificates and recreated it, to get rid of any metadata that may have been stored there from previous testing:
$ sudo rm -r certs/
$ mkdir certs/
$ mv SAUNA-ROOT-CA.pem certs/
$ mv ipa.int.bastuklubben.online.p12.p12 certs/
$ cat certs/SAUNA-ROOT-CA.pem
Subject: CN=Bastuklubben Root CA,O=Bastuklubben,C=NO
Issuer: CN=Bastuklubben Root CA,O=Bastuklubben,C=NO
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Then I re-installed it and verified the contents of /etc/ipa/ca.crt:
[root@ipa /]# cat /etc/ipa/ca.crt
-----BEGIN CERTIFICATE-----
MIIBzTCCAXKgAwIBAgIUQsxzkXVCpO1+O7Hu/h5w4bWpKscwCgYIKoZIzj0EAwQw
QzELMAkGA1UEBhMCTk8xFTATBgNVBAoMDEJhc3R1a2x1YmJlbjEdMBsGA1UEAwwU
QmFzdHVrbHViYmVuIFJvb3QgQ0EwIBcNMjUwODA1MTg0NzEyWhgPMjA1NTA3Mjkx
ODQ3MTFaMEMxCzAJBgNVBAYTAk5PMRUwEwYDVQQKDAxCYXN0dWtsdWJiZW4xHTAb
BgNVBAMMFEJhc3R1a2x1YmJlbiBSb290IENBMFkwEwYHKoZIzj0CAQYIKoZIzj0D
AQcDQgAETh8+1lyRSF6LRV91eWqql2k9tmF2lbABeFtfTDZeQK/Qu87RZQBo0T9w
5wMpQmup7fEmFm7/nCgehkVRAVBrbaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAdBgNV
HQ4EFgQUuFHD8vDNBvsiyNL8/dGpTvnJxOMwDgYDVR0PAQH/BAQDAgGGMAoGCCqG
SM49BAMEA0kAMEYCIQCzuDFCiwtcMpWxf4G+//7j06B/oS0FCXHmDSBK48eBwQIh
AJk+Gn/ZzRU6b5HhFqY8wSk7rDrzqvqC3XVUl7O9Lq+Q
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
And now I give up. This is not according to the documentation so I assume it must be a bug.
A possible workaround is to issue the DIRSRV and HTTP certificates directly from the root instead.