I can install freeipa with ipa-server-install and no parameters fine. However I want to be able to use IPA as a sub-CA. I have created root and intermediate CAs using openssl and attempt to install ipa server with: /usr/sbin/ipa-server-install --external-cert-file=/root/thisserver.domain.dev.cert.pem \ --external-cert-file=/root/intermediate.cert.pem \ --external-cert-file=/root/root-ca.cert.pem \ --external-ca -n domain.dev -r DOMAIN.DEV \ --hostname="thisserver.domain.dev" \ --subject="O=Acme Inc, L=Springfield, ST=Ohio, C=US" \ --ds-password=topsecret --admin-password=opensesame It stops at step 24 with the following message: [20/28]: Configure HTTP to proxy connections [21/28]: restarting certificate server [22/28]: updating IPA configuration [23/28]: enabling CA instance [24/28]: migrating certificate profiles to LDAP [error] NetworkError: cannot connect to 'https://thisserver.domain.dev:8443/ca/rest/account/login': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618) ipapython.admintool: ERROR cannot connect to 'https://thisserver.domain.dev:8443/ca/rest/account/login': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618) ipapython.admintool: ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information If I visit the address on port 8443 I do get an error I believe due to an empty certificate. My browser shows: Certificate path length constraint is invalid. Error code: SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID So I have a few questions if anyone can guide me: 1. Can I resume the install to complete the last 4 installation steps? 2. How can I get the install to use a self-signed cert for the http/ldap service OR can I supply a signed cert for that purpose? Thanks in advance. IPA version: 4.6.4-10.el7.centos.2.x86_64 OS: CentOS 7.6