How to sign a FreeIPA CA certificate #1108

zamantech · 2022-10-15T13:54:38Z

zamantech
Oct 15, 2022

Hello,
when try to sign csr cert i get this error

error decoding ipa.csr: contains more than one PEM encoded block

i try this command

step ca sign  ipa.csr ipa.crt

what i try?
Use_a_Different_CA_to_sign_the_IPA_CA_certificate

more info:

# step --version
Smallstep CLI/0.21.0 (linux/amd64)
Release Date: 2022-07-06T22:23:54Z

# cat /etc/os-release 
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

The Cert:

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIDrDCCAhQCAQAwNTETMBEGA1UEChMKVFJVU1QuVEVTVDEeMBwGA1UEAxMVQ2VydGlmaWNhdGUg
QXV0aG9yaXR5MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAxli8F9szA3XiDQtv9Qwb
yLzccyf8Dh2A0GSdi1FM2yJLO/XrvdIxcqt1y7YDLQmHFa7A/HVNj+wzhlQIBPiZSiOyH9eSsOAn
cyOx/tGckSgElwcTmxKUhwpc7kYeQDEtWmGAx9ECXZ//sgyR4tlewHu5zMIw/eFiwEu/CWnc9tge
cJu6dOl99SE9k3eA7+TA7ZnJwabf0KKTjMXIjbpmno3JJYkcm+tin0yj6YIvSHLwmVMZir6SrN5d
M5neOmJxataGoyy52ajnJRxgLAiOBrTeZOzCp+jMOhftNHgXzWb+900kXeKQxR+7mvz4huDZ1xqG
KwN2ETOVIs6gZ0C9Pj3e/qT5UBjLV6pa3XJi/OVuWPCL5GFAX98/5LETXGCeR+GmB0esCqXeoGL/
wjTiMLbUO2gZ/h1m3Mr+Rqb0Ecjfi8ZfS4cUX6k4HGAZa2t+Fh0AzON0fqKJLw4ptoxe5VRrechX
Bg2zK0WrU9wugQs24G0VJfKL2dDtPAG5a1h7AgMBAAGgMjAwBgkqhkiG9w0BCQ4xIzAhMA8GA1Ud
EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgHGMA0GCSqGSIb3DQEBCwUAA4IBgQB9MPRLKIqEWW2f     
acWut+trvSP22uHfyz9oikBcnZmx8RrBDR2A0XJV97fsETcpJxpQeKd6EvCtNWNO/8Tx9ARDLrtL
jaTJSxxh2TgrudLK3sCn3RCcwv1v2jaIWp/VAGzA3SKMImNuCo0ixXAfpd8hynornpKT4nhywaMr
IvwImXfhHS2HNSDLFUZU+e8RDAIFRjDzwbeUrcLCj83XSIKGXfYFth4R+FoHG6tvXif+jXYDoJPa
L1+gXbUZP1q5Nuw+NQEmESFjhNMZ+KgFNMJhdDuFx8SnemanpztTXshNREfcIkVYb3xgJ9ZqrlpI
fKNXILdXRTBI5lbv9sPDiKygu8KCRAmFTufPv2TuZxltmLd3XUEflW5Zyca00RZ17G+3cKNllKg6    
fjMwdG2gU1+qMfu18uVw7cuw+nZ5wHcZn5l2EZ4zuGRXB8VWeIB2Ezu7Aj2xZwG4AZ/JDzt+QhbI
HWzHXIFeGkSNTptmgO3DAlRsdThy1ppBqzVvsSgvObk=
-----END NEW CERTIFICATE REQUEST-----

if I'm wrong so how to do it,Thanks..

Answered by tashian

Oct 17, 2022

Hi!

Here's the output of step certificate inspect on that CSR:

Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: O=TRUST.TEST,CN=Certificate Authority
        Subject Public Key Info:
            Public Key Algorithm: RSA
                Public-Key: (3072 bit)
                Modulus:
                    c6:58:bc:17:db:33:03:75:e2:0d:0b:6f:f5:0c:1b:
                    c8:bc:dc:73:27:fc:0e:1d:80:d0:64:9d:8b:51:4c:
                    ...
                Exponent: 65537 (0x10001)
        Requested Extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Content Commitm…

View full answer

tashian · 2022-10-17T17:44:21Z

tashian
Oct 17, 2022
Collaborator

Hi!

Here's the output of step certificate inspect on that CSR:

Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: O=TRUST.TEST,CN=Certificate Authority
        Subject Public Key Info:
            Public Key Algorithm: RSA
                Public-Key: (3072 bit)
                Modulus:
                    c6:58:bc:17:db:33:03:75:e2:0d:0b:6f:f5:0c:1b:
                    c8:bc:dc:73:27:fc:0e:1d:80:d0:64:9d:8b:51:4c:
                    ...
                Exponent: 65537 (0x10001)
        Requested Extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Content Commitment, Certificate Sign, CRL Sign
    Signature Algorithm: SHA256-RSA
         7d:30:f4:4b:28:8a:84:59:6d:9f:69:c5:ae:b7:eb:6b:bd:23:
         f6:da:e1:df:cb:3f:68:8a:40:5c:9d:99:b1:f1:1a:c1:0d:1d:
         80:d1:72:55:f7:b7:ec:11:37:29:27:1a:50:78:a7:7a:12:f0:
         ...

This CSR is for a CA certificate, but step-ca will only sign leaf certificates.

So, you'll need to sign this one manually using your root CA.
You'd want to use something like step certificate sign csr_file root_ca.crt root_ca_key --profile intermediate-ca

Hope this helps :D

3 replies

zamantech Oct 18, 2022
Author

unfortunately still the same

# step certificate sign ipa.csr .step/certs/root_ca.crt .step/secrets/root_ca_key --profile intermediate-ca
error decoding ipa.csr: contains more than one PEM encoded block
# step certificate sign --profile intermediate-ca --path-len 1 ipa.csr ipa.crt ipa.key
error decoding ipa.csr: contains more than one PEM encoded block

maraino Oct 20, 2022
Maintainer

The profile intermediate-ca will just set the following key usages, if your CSR contains all necessary extensions you can use --profile csr. Alternatively, you can customize it with the --template flag.

This seems to work for me:

$ echo '-----BEGIN NEW CERTIFICATE REQUEST-----
MIIDrDCCAhQCAQAwNTETMBEGA1UEChMKVFJVU1QuVEVTVDEeMBwGA1UEAxMVQ2VydGlmaWNhdGUg
QXV0aG9yaXR5MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAxli8F9szA3XiDQtv9Qwb
yLzccyf8Dh2A0GSdi1FM2yJLO/XrvdIxcqt1y7YDLQmHFa7A/HVNj+wzhlQIBPiZSiOyH9eSsOAn
cyOx/tGckSgElwcTmxKUhwpc7kYeQDEtWmGAx9ECXZ//sgyR4tlewHu5zMIw/eFiwEu/CWnc9tge
cJu6dOl99SE9k3eA7+TA7ZnJwabf0KKTjMXIjbpmno3JJYkcm+tin0yj6YIvSHLwmVMZir6SrN5d
M5neOmJxataGoyy52ajnJRxgLAiOBrTeZOzCp+jMOhftNHgXzWb+900kXeKQxR+7mvz4huDZ1xqG
KwN2ETOVIs6gZ0C9Pj3e/qT5UBjLV6pa3XJi/OVuWPCL5GFAX98/5LETXGCeR+GmB0esCqXeoGL/
wjTiMLbUO2gZ/h1m3Mr+Rqb0Ecjfi8ZfS4cUX6k4HGAZa2t+Fh0AzON0fqKJLw4ptoxe5VRrechX
Bg2zK0WrU9wugQs24G0VJfKL2dDtPAG5a1h7AgMBAAGgMjAwBgkqhkiG9w0BCQ4xIzAhMA8GA1Ud
EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgHGMA0GCSqGSIb3DQEBCwUAA4IBgQB9MPRLKIqEWW2f
acWut+trvSP22uHfyz9oikBcnZmx8RrBDR2A0XJV97fsETcpJxpQeKd6EvCtNWNO/8Tx9ARDLrtL
jaTJSxxh2TgrudLK3sCn3RCcwv1v2jaIWp/VAGzA3SKMImNuCo0ixXAfpd8hynornpKT4nhywaMr
IvwImXfhHS2HNSDLFUZU+e8RDAIFRjDzwbeUrcLCj83XSIKGXfYFth4R+FoHG6tvXif+jXYDoJPa
L1+gXbUZP1q5Nuw+NQEmESFjhNMZ+KgFNMJhdDuFx8SnemanpztTXshNREfcIkVYb3xgJ9ZqrlpI
fKNXILdXRTBI5lbv9sPDiKygu8KCRAmFTufPv2TuZxltmLd3XUEflW5Zyca00RZ17G+3cKNllKg6
fjMwdG2gU1+qMfu18uVw7cuw+nZ5wHcZn5l2EZ4zuGRXB8VWeIB2Ezu7Aj2xZwG4AZ/JDzt+QhbI
HWzHXIFeGkSNTptmgO3DAlRsdThy1ppBqzVvsSgvObk=
-----END NEW CERTIFICATE REQUEST-----' > /tmp/1108.csr
$ step certificate sign --profile csr /tmp/1108.csr ~/.step/certs/root_ca.crt ~/.step/secrets/root_ca_key
Please enter the password to decrypt /Users/mariano/.step/secrets/root_ca_key:
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----

But I think the problem is that we're not removing extra lines. If I add another blank line after the end, I see the same problem you're experiencing.

maraino Oct 20, 2022
Maintainer

I've added a PR that will fix this in a future release smallstep/crypto#104

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

How to sign a FreeIPA CA certificate #1108

{{title}}

Replies: 1 comment 3 replies

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

How to sign a FreeIPA CA certificate #1108

zamantech Oct 15, 2022

more info:

Replies: 1 comment · 3 replies

tashian Oct 17, 2022 Collaborator

zamantech Oct 18, 2022 Author

maraino Oct 20, 2022 Maintainer

maraino Oct 20, 2022 Maintainer

zamantech
Oct 15, 2022

Replies: 1 comment 3 replies

tashian
Oct 17, 2022
Collaborator

zamantech Oct 18, 2022
Author

maraino Oct 20, 2022
Maintainer

maraino Oct 20, 2022
Maintainer