From fe5c3c292a7285e1edaefbf9b51104e858dda392 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud
Date: Mon, 25 Aug 2025 16:22:38 +0200
Subject: [PATCH] ipa-4.12.2-22 - Resolves: RHEL-107483 ipa-ca-install fails on CA-less replica due to inadequate key usage in master certificate
Signed-off-by: Florence Blanc-Renaud
---
...ensions-to-server-certificates-for-C.patch | 81 +++++++++++++++++++
freeipa.spec | 6 +-
2 files changed, 86 insertions(+), 1 deletion(-)
create mode 100644 0108-ipatests-add-extensions-to-server-certificates-for-C.patch
diff --git a/0108-ipatests-add-extensions-to-server-certificates-for-C.patch b/0108-ipatests-add-extensions-to-server-certificates-for-C.patch
new file mode 100644
index 0000000..c46d2e2
--- /dev/null
+++ b/0108-ipatests-add-extensions-to-server-certificates-for-C.patch
@@ -0,0 +1,81 @@
+From 8cfafeffd1ad5266b35a7eb796976e873278f500 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud
+Date: Wed, 14 May 2025 10:44:26 +0200
+Subject: [PATCH] ipatests: add extensions to server certificates for CAless
+ mode
+
+When installing the server in CA less mode, the tests generate
+server certificates but some extensions were missing.
+
+Generate server cert with an Authority Key Identifier extension
+using the CA's subject key identifier.
+
+Without this extension, replica installation fails with
+ certificate verify failed: Missing Authority Key Identifier
+in the step fetching the DM password from the server.
+
+Add KeyUsage and Extended Key Usage.
+
+Fixes: https://pagure.io/freeipa/issue/9787
+Related: https://github.com/dogtagpki/pki/issues/5051
+Signed-off-by: Florence Blanc-Renaud
+Reviewed-By: Rob Crittenden
+---
+ .../integration/create_caless_pki.py | 34 +++++++++++++++++++
+ 1 file changed, 34 insertions(+)
+
+diff --git a/ipatests/pytest_ipa/integration/create_caless_pki.py b/ipatests/pytest_ipa/integration/create_caless_pki.py
+index 71d804c339cc71bc14e1f819639852e32b54c098..d06f1dd8c328628bd692c2abf3acfc88ba6a7408 100644
+--- a/ipatests/pytest_ipa/integration/create_caless_pki.py
++++ b/ipatests/pytest_ipa/integration/create_caless_pki.py
+@@ -199,6 +199,20 @@ def profile_server(builder, ca_nick, ca,
+ critical=False,
+ )
+
++ if ca:
++ try:
++ ski_ext = ca.cert.extensions.get_extension_for_class(
++ x509.SubjectKeyIdentifier)
++ builder = builder.add_extension(
++ x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(
++ ski_ext.value
++ ),
++ critical=False,
++ )
++ except x509.ExtensionNotFound:
++ # if the CA doesn't have a SKI, just ignore
++ pass
++
+ if badusage:
+ builder = builder.add_extension(
+ x509.KeyUsage(
+@@ -214,6 +228,26 @@ def profile_server(builder, ca_nick, ca,
+ ),
+ critical=False
+ )
++ else:
++ builder = builder.add_extension(
++ x509.KeyUsage(
++ digital_signature=True,
++ content_commitment=False,
++ key_encipherment=True,
++ data_encipherment=True,
++ key_agreement=False,
++ key_cert_sign=False,
++ crl_sign=False,
++ encipher_only=False,
++ decipher_only=False
++ ),
++ critical=False
++ )
++
++ builder = builder.add_extension(
++ x509.ExtendedKeyUsage([x509.ObjectIdentifier('1.3.6.1.5.5.7.3.1')]),
++ critical=False,
++ )
+
+ if wildcard:
+ names = [x509.DNSName(u'*.' + domain)]
+--
+2.50.1
+
diff --git a/freeipa.spec b/freeipa.spec
index 93412d7..79ba886 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -231,7 +231,7 @@ Name: %{package_name} Version: %{IPA_VERSION}
-Release: 21%{?rc_version:.%rc_version}%{?dist}
+Release: 22%{?rc_version:.%rc_version}%{?dist}
Summary: The Identity, Policy and Audit system License: GPL-3.0-or-later
@@ -362,6 +362,7 @@ Patch0104: 0104-Use-correct-capitalization-for-GitHub-and-GitLab.patch
Patch0105: 0105-kdb-prevent-double-crash-in-RBCD-ACL-free.patch
Patch0106: 0106-ipatests-Tests-for-ipa-migrate-tool-with-ldif-file.patch
Patch0107: 0107-dns-disable-all-previous-Unbound-configuration-befor.patch
+Patch0108: 0108-ipatests-add-extensions-to-server-certificates-for-C.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
%endif
%endif
@@ -2015,6 +2016,9 @@ fi %endif %changelog
+* Mon Aug 25 2025 Florence Blanc-Renaud - 4.12.2-22
+- Resolves: RHEL-107483 ipa-ca-install fails on CA-less replica due to inadequate key usage in master certificate
+
* Mon Aug 18 2025 Rafael Jeffman - 4.12.2-21
- Resolves: RHEL-109768 Revert allow update of Kerberos master key
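Review bot: The new `except x509.ExtensionNotFound` branch in profile_server silently skips the Authority Key Identifier when the CA certificate carries no Subject Key Identifier, so in that case the generated server certificate still lacks an AKI and the "Missing Authority Key Identifier" verify failure this patch sets out to fix comes back, only now hidden behind a `pass`. Because `ca.cert` is used through the cryptography Certificate API (`.extensions.get_extension_for_class`), the AKI can be derived from the issuer key instead: replace the `pass` with `builder = builder.add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(ca.cert.public_key()), critical=False)`, or, if the skip is intentional for some test CA, say in the comment why a CA without SKI is acceptable there. As a point of style, the raw EKU OID `'1.3.6.1.5.5.7.3.1'` would read better as `x509.ExtendedKeyUsageOID.SERVER_AUTH`, which is the same id-kp-serverAuth value. profile_server begins before this hunk and continues after it.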