Holy shit, fixed!
You must keep the original CA (xxx.com IPA CA) under /etc/httpd/alias and
/etc/dirsrv/slapd-XXX.
Here are the steps I used to revert it.
# pki-tomcatd still has the original CA cert, so export it from there.
certutil -d /etc/pki/pki-tomcat/alias/ -n 'caSigningCert cert-pki-ca' -L -a > original.ca
# do it against httpd and dirsrv (slapd-XXX is the dirsrv instance name from above).
certutil -A -d /etc/httpd/alias/ -n 'XXX.com IPA CA' -t CT,C,C -a -i original.ca
certutil -A -d /etc/dirsrv/slapd-XXX/ -n 'XXX.com IPA CA' -t CT,C,C -a -i original.ca
Now everything is back to normal, except that 'Server-Cert' was removed and cannot
be restored, as its private key was removed too, and you cannot extract the key from
pki-tomcat/alias.
But it does not matter: httpd and dirsrv rely on Server-Cert, which will be replaced with
my own.
1. ca-bundle.crt contains 3 files: the root and intermediate certs provided by Comodo.
   certutil -A -d /etc/dirsrv/slapd-SAP-WINGON-HK/ -n 'Comodo' -t CT,C,C -a -i ca-bundle.crt
2. Your own key and cert signed by Comodo:
   cat server.key server.crt > server.all
3. openssl pkcs12 -export -chain -CAfile ca-bundle.crt -in server.all -out Server-Cert.p12 -name "Server-Cert"
4. pk12util -i Server-Cert.p12 -d /etc/httpd/alias/ -n Server-Cert
   # do it again with dirsrv.
   pk12util -i Server-Cert.p12 -d /etc/dirsrv/slapd-SAP-WINGON-HK/ -n Server-Cert
5. Verify your cert chain:
   certutil -d /etc/dirsrv/slapd-SAP-WINGON-HK/ -n Server-Cert -O
   "Comodo" [CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE]
   "COMODO RSA Certification Authority - AddTrust AB" [CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB]
   "COMODO RSA Organization Validation Secure Server CA - COMODO CA Limited" [CN=COMODO RSA Organization Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB]
   "Server-Cert" [CN=.......]
6. ipactl restart
Enjoy it.
I didn't try
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP as
I did something wrong which made Server-Cert go away.
Actually, the commands on that page also use certutil, as long as you enable debug mode.
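The post loses Server-Cert because a step went wrong before anything was checked. The script below is an added pre-flight check, not part of the original post and not FreeIPA's own tooling: before touching the httpd or dirsrv NSS databases, it confirms that server.key belongs to server.crt, that the leaf verifies against ca-bundle.crt, and only then builds Server-Cert.p12 the same way step 3 does. It assumes openssl is in PATH; the function names and the P12_PASS variable (the PKCS#12 export passphrase, which pk12util will prompt for on import) are constructed for this example.

```sh
#!/bin/sh
# Added pre-flight check for a third-party Server-Cert (example code, not from the post).
# Assumes: openssl in PATH; P12_PASS exported with the PKCS#12 export passphrase
# (constructed variable name; pk12util asks for the same passphrase on import).

# Number of PEM certificates in a bundle (the post's ca-bundle.crt holds 3).
bundle_cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Does the private key belong to the certificate? Both sides are reduced to the
# same PEM "PUBLIC KEY" encoding and compared.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Does the leaf chain up to the bundle? With -CAfile every cert in the bundle is
# treated as trusted, so root and intermediates can sit in one file as in the post.
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# precheck_server_cert KEY CRT BUNDLE OUT.p12
# Returns 0 and writes OUT.p12 only when every check passes; nothing is written otherwise.
precheck_server_cert() {
    key="$1"; crt="$2"; bundle="$3"; out="$4"
    n=$(bundle_cert_count "$bundle") || n=0
    if [ "$n" -lt 1 ]; then
        echo "FAIL: no certificates found in $bundle" >&2; return 1
    fi
    if ! key_matches_cert "$key" "$crt"; then
        echo "FAIL: $key does not belong to $crt" >&2; return 1
    fi
    if ! chain_verifies "$crt" "$bundle"; then
        echo "FAIL: $crt does not verify against $bundle" >&2; return 1
    fi
    # Same bundling as the post: key + cert concatenated, chain pulled from the CA file.
    tmp=$(mktemp) || return 1
    cat "$key" "$crt" > "$tmp"
    if ! openssl pkcs12 -export -chain -CAfile "$bundle" -in "$tmp" -out "$out" \
            -name "Server-Cert" -passout env:P12_PASS 2>/dev/null; then
        rm -f "$tmp"; echo "FAIL: pkcs12 export failed" >&2; return 1
    fi
    rm -f "$tmp"
    echo "OK: $out ready for: pk12util -i $out -d <nssdb> -n Server-Cert"
}

# Certificates packed into a PKCS#12 file (leaf plus whatever -chain added).
p12_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Run directly: ./precheck.sh server.key server.crt ca-bundle.crt Server-Cert.p12
if [ $# -eq 4 ]; then
    precheck_server_cert "$@"
fi
```

Run it with `P12_PASS` exported and the four file names as arguments; a failing check exits non-zero and leaves no .p12 behind, so the certutil -O verification in step 5 is only reached with a bundle that already chains correctly.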