On 7/25/19 9:41 AM, Saurabh Garg via FreeIPA-users wrote:
Hi All,
We are trying to install externally signed certificate for WebUI / HTTPS service on our
RHEL IdM servers (primary and replica both).
As the first step, we are trying to install the CA certificate chain of the issuer of the
3rd party certificate to IPA using "ipa-cacert-manage install"
Step:1 ipa-cacert-manage install idm-app-pilot-file.pem
We have put the certificate issued by intermediate CA for the CSR generated at
"/var/lib/ipa/ca.csr" from "ipa-cacert-manage renew --external-ca".
command accepts the certificate as expected.
Hi,
ipa-cacert-manage install needs to be provided with all the CA certs in
your chain, one at a time, starting from the rootCA. For instance, if
your chain is
rootCA > intermediateCA > apache cert
you need to run
ipa-cacert-manage install [...] rootCA
ipa-cacert-manage install [...] intermediate CA
ipa-certupdate
Step2: ipa-certupdate
We ran this command on both primary & replica and also the clients registered to the
Step3: ipa-cacert-manage renew --external-cert-file=idm-app-pilot-file.pem
--external-cert-file=ca_chain_cert.pem
In this step, we are running the "ipa-cacert-manage renew" command with renewed
CA certificate and the external CA certificate chain. "ca_chain_cert.pem" has
intermediate and root cert of the signing CA.
Step3 command fails:
this is not the right command for what you want to achieve.
"ipa-cacert-manage renew" would renew IPA CA certificate and replace it
with your external cert.
You need to use ipa-server-certinstall instead, ipa-server-certinstall
--http will install the key/cert provided for the apache server. Please
see ipa-server-certinstall(1) man page for all the options, and [1] for
the official documentation
HTH,
flo
[1]
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
[root@ldmserver01 certs]# ipa-cacert-manage renew
--external-cert-file=idm-app-pilot-file.pem --external-cert-file=ca_chain_cert.pem
Importing the renewed CA certificate, please wait
CA certificate CN=ABC Root CA,ST=California,OU=ABC_CA_Authority,O=ABCInc,L=PaloAlto,C=US
in idm-app-pilot-file.pem, ca_chain_cert.pem is not valid: not a CA certificate
The ipa-cacert-manage command failed.
We have validated our certs using openssl verify -trusted as pasted below:
[root@ldmserver01 certs]# openssl verify -trusted ca_chain_cert.pem
idm-app-pilot-file.pem
idm-app-pilot-file.pem: OK
Could someone please help us with which step we are doing wrong.
What should be the content expected by IdM server for ca_chain_cert.pem in terms of the
order of root and intermediate section. We have even tried with ca_cert chain appending to
idm-app-pilot-file.pem, but no luck.
Thanks in advance.
Regards,
Saurabh Garg
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
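The chain handling flo describes above (root first, then intermediate, then ipa-certupdate, with the Apache cert going through ipa-server-certinstall instead), as an added shell example that is not part of this thread and not FreeIPA code. It splits a PEM bundle, flags any certificate without basicConstraints CA:TRUE (the condition behind the "not a CA certificate" error), orders the CA certs root-first by issuer/subject hash, and prints the install sequence rather than running it. It assumes openssl(1) on PATH; the helper names, the file names and the "Demo Root CA" / "Demo Intermediate CA" / idm.example.test PKI it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not FreeIPA code): sort a PEM bundle into the root-first
# install order ipa-cacert-manage expects, and keep the non-CA server cert out.
# Assumes openssl(1) on PATH. All file and CA names below are constructed.

# split_pem BUNDLE DIR: write each CERTIFICATE block to DIR/cert-N.pem, print N
split_pem() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
    n { print > out }
    /-----END CERTIFICATE-----/ { close(out) }
    END { print n + 0 }' "$1"
}

# is_ca CERT: true only if basicConstraints carries CA:TRUE, which is what
# ipa-cacert-manage requires before it will accept a file as a CA certificate
is_ca() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'
}

# is_self_signed CERT: subject hash equals issuer hash (candidate root)
is_self_signed() {
  set -- $(openssl x509 -in "$1" -noout -subject_hash -issuer_hash)
  [ "$1" = "$2" ]
}

# order_ca_chain BUNDLE: print CA cert paths root-first, one per line;
# non-CA certs (e.g. the HTTP server cert) are reported on stderr and skipped
order_ca_chain() {
  dir=$(mktemp -d)
  split_pem "$1" "$dir" >/dev/null
  root=""
  for f in "$dir"/cert-*.pem; do
    if is_self_signed "$f" && is_ca "$f"; then root="$f"; fi
  done
  [ -n "$root" ] || { echo "no self-signed CA certificate in $1" >&2; return 1; }
  echo "$root"
  cur=$(openssl x509 -in "$root" -noout -subject_hash)
  found=1
  while [ "$found" -eq 1 ]; do          # walk down: root -> intermediate(s)
    found=0
    for f in "$dir"/cert-*.pem; do
      [ "$f" = "$root" ] && continue
      subj=$(openssl x509 -in "$f" -noout -subject_hash)
      issuer=$(openssl x509 -in "$f" -noout -issuer_hash)
      if [ "$issuer" = "$cur" ] && [ "$subj" != "$cur" ]; then
        if is_ca "$f"; then
          echo "$f"; cur=$subj; found=1
        else
          echo "skipping $f: not a CA certificate (install it with ipa-server-certinstall)" >&2
        fi
        break
      fi
    done
  done
}

# plan_install BUNDLE HTTP_KEY HTTP_CERT: print, do not run, the command sequence
plan_install() {
  order_ca_chain "$1" | while read -r ca; do
    echo "ipa-cacert-manage install $ca"
  done
  echo "ipa-certupdate"
  echo "ipa-server-certinstall --http $2 $3"
}

# make_demo_chain DIR: constructed throwaway PKI root -> intermediate -> HTTP cert,
# bundled leaf-first so the ordering logic has something to fix
make_demo_chain() {
  d=$1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=idm.example.test" -keyout "$d/http.key" -out "$d/http.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\n' >"$d/leaf.ext"
  openssl x509 -req -in "$d/http.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial -days 30 -extfile "$d/leaf.ext" -out "$d/http.pem" 2>/dev/null
  cat "$d/http.pem" "$d/int.pem" "$d/root.pem" >"$d/bundle.pem"
}

if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d)
  make_demo_chain "$work"
  plan_install "$work/bundle.pem" "$work/http.key" "$work/http.pem"
fi
```

Run it with the argument demo to see the printed sequence. The point of the is_ca check is the one in the error above: openssl verify only says the leaf chains to a trusted root, it does not say the file you handed to ipa-cacert-manage is itself a CA certificate, so the server cert (idm-app-pilot-file.pem in the thread) must never be passed to ipa-cacert-manage install or renew, only the root and intermediate, and only one per invocation.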