Can you please anyone suggest on this From: Polavarapu Manideep Sai via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org&gt; Sent: 29 October 2022 19:23 To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org&gt; Cc: Polavarapu Manideep Sai <manideep.sai(a)onmobile.com&gt; Subject: [Freeipa-users] Installing Third-Party Certificates-Help CAUTION. This email originated from outside the organization. Please exercise caution before clicking on links or attachments in case of suspicion or unknown senders. Hi Team, We need your help or support I have a master IPA server and 2 Replica IPA Servers, i want to install third party certificates in my setup a. master.ipa.example.com b. replica1.ipa.example.com c. replica2.ipa.example.com 1. Generated new CSR/wildcard certificate on master IPA server for the domain "*.ipa.example.com" and shared to third party vendor and they have shared two zip files one for apache and other for tomcat as shown below, i see crt and pem files in zip files as shown below after unzip a. _.ipa.onmobile.com_Apache.zip b. _.ipa.onmobile.com_TOMCAT.zip unzipped: [root@dir01 tmp]# tree Apache/ Apache/ ├── 1f1f7ab616938168.crt ├── 1f1f7ab616938168.pem ├── gd_bundle-g2-g1.crt └── _.ipa.onmobile.com_Apache.zip 0 directories, 4 files [root@dir01 tmp]# tree Tomcat/ Tomcat/ ├── 1f1f7ab616938168.crt ├── 1f1f7ab616938168.pem ├── gd_bundle-g2-g1.crt ├── gdig2.crt.pem └── _.ipa.onmobile.com_TOMCAT.zip 0 directories, 5 files 2. Followed the Redhat documentation but not understood which of the following one is applicable in my case for the received certificates Installing Third-Party Certificates for HTTP or LDAP Installing a CA Certificate Manually https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/... Can you please let us know the step by step procedure that how to install the certificates can you please also comment on below query 3. If i install the certificate will it get replaced in "/etc/pki/pki-tomcat/alias/" database as well? along with httpd and dirsrv databases ? /etc/pki/pki-tomcat/alias/ /etc/httpd/alias/ /etc/dirsrv/slapd-IPA-EXAMPLE-COM Please let us know if any more details required Sai ________________________________ DISCLAIMER: The information in this message is confidential and may be legally privileged. It is intended solely for the addressee. Access to this message by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, or distribution of the message, or any action or omission taken by you in reliance on it, is prohibited and may be unlawful. Please immediately contact the sender if you have received this message in error. Further, this e-mail may contain viruses and all reasonable precaution to minimize the risk arising there from is taken by OnMobile. OnMobile is not liable for any damage sustained by you as a result of any virus in this e-mail. All applicable virus checks should be carried out by you before opening this e-mail or any attachment thereto. Thank you - OnMobile Global Limited.

Hi Florence As per your suggestion I have followed "Installing a CA Certificate Manually" guide We are getting below error uoon executing [root@central ~]# ipa-cacert-manage install /tmp/Apache/1f1f7ab616938168.pem -v ipa: DEBUG: importing plugin module ipaserver.plugins.whoami ipa: DEBUG: importing plugin module ipaserver.plugins.xmlserver ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Created connection context.ldap2_49475728 Installing CA certificate, please wait ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-IPA-ONMOBILE-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4cdb170> ipa: DEBUG: Starting external process ipa: DEBUG: args=/usr/bin/certutil -d /tmp/tmpW6jE9j -N -f /tmp/tmpW6jE9j/pwdfile.txt -f /tmp/tmpW6jE9j/pwdfile.txt ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: stdout= ipa: DEBUG: stderr= ipa: DEBUG: Starting external process ipa: DEBUG: args=/usr/bin/certutil -d /tmp/tmpW6jE9j -A -n CN=*.ipa.example.com -t C,, -f /tmp/tmpW6jE9j/pwdfile.txt ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: stdout= ipa: DEBUG: stderr= ipa: DEBUG: Starting external process ipa: DEBUG: args=/usr/bin/certutil -d /tmp/tmpW6jE9j -A -n IPA.EXAMPLE.COM IPA CA -t CT,C,C -f /tmp/tmpW6jE9j/pwdfile.txt ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: stdout= ipa: DEBUG: stderr= ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Destroyed connection context.ldap2_49475728 ipa.ipaserver.install.ipa_cacert_manage.CACertManage: DEBUG: File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute return_value = self.run() File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cacert_manage.py", line 119, in run rc = self.install() File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cacert_manage.py", line 365, in install "troubleshooting guide)" % e) ipa.ipaserver.install.ipa_cacert_manage.CACertManage: DEBUG: The ipa-cacert-manage command failed, exception: ScriptError: Not a valid CA certificate: not a CA certificate (visit http://www.freeipa.org/page/Troubleshooting for troubleshooting guide) ipa.ipaserver.install.ipa_cacert_manage.CACertManage: ERROR: Not a valid CA certificate: not a CA certificate (visit http://www.freeipa.org/page/Troubleshooting for troubleshooting guide) ipa.ipaserver.install.ipa_cacert_manage.CACertManage: ERROR: The ipa-cacert-manage command failed. [root@central~]# Please guide us to proceed further Regards Sai From: Florence Blanc-Renaud <flo(a)redhat.com&gt; Sent: 31 October 2022 19:12 To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org&gt; Cc: Polavarapu Manideep Sai <manideep.sai(a)onmobile.com&gt; Subject: Re: [Freeipa-users] Installing Third-Party Certificates-Help CAUTION. This email originated from outside the organization. Please exercise caution before clicking on links or attachments in case of suspicion or unknown senders. Hi, On Sat, Oct 29, 2022 at 3:53 PM Polavarapu Manideep Sai via FreeIPA-users <freeipa-users@lists.fedorahosted.org<mailto:freeipa-users@lists.fedorahosted.org>> wrote: Hi Team, We need your help or support I have a master IPA server and 2 Replica IPA Servers, i want to install third party certificates in my setup a. master.ipa.example.com<http://master.ipa.example.com> b. replica1.ipa.example.com<http://replica1.ipa.example.com> c. replica2.ipa.example.com<http://replica2.ipa.example.com> 1. Generated new CSR/wildcard certificate on master IPA server for the domain "*.ipa.example.com<http://ipa.example.com>" and shared to third party vendor and they have shared two zip files one for apache and other for tomcat as shown below, i see crt and pem files in zip files as shown below after unzip a. _.ipa.onmobile.com_Apache.zip b. _.ipa.onmobile.com_TOMCAT.zip unzipped: [root@dir01 tmp]# tree Apache/ Apache/ ├── 1f1f7ab616938168.crt ├── 1f1f7ab616938168.pem ├── gd_bundle-g2-g1.crt └── _.ipa.onmobile.com_Apache.zip 0 directories, 4 files [root@dir01 tmp]# tree Tomcat/ Tomcat/ ├── 1f1f7ab616938168.crt ├── 1f1f7ab616938168.pem ├── gd_bundle-g2-g1.crt ├── gdig2.crt.pem └── _.ipa.onmobile.com_TOMCAT.zip 0 directories, 5 files 2. Followed the Redhat documentation but not understood which of the following one is applicable in my case for the received certificates Installing Third-Party Certificates for HTTP or LDAP Installing a CA Certificate Manually https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/... Can you please let us know the step by step procedure that how to install the certificates The certificate that you received has been signed by the vendor's CA (Certificate Authority). This CA needs to be trusted by IPA, this is achieved by following the steps from "Installing a CA Certificate Manually". Note that the vendor may provide you with a CA chain, in which case the top-level CA and all the intermediate CAs need to be trusted by IPA. When the CA chain is trusted, you can then install the new certificate for apache, following "Installing Third-Party Certificates for HTTP or LDAP". can you please also comment on below query 3. If i install the certificate will it get replaced in "/etc/pki/pki-tomcat/alias/" database as well? along with httpd and dirsrv databases ? /etc/pki/pki-tomcat/alias/ /etc/httpd/alias/ /etc/dirsrv/slapd-IPA-EXAMPLE-COM It depends on which certificate you want to replace: - If ipa-server-install is run with --http, the provided certificate will replace the Server-Cert in /etc/httpd/alias. This is the server certificate for Apache/httpd. - If ipa-server-install is run with --dirsrv, the provided certificate will replace the Server-Cert in /etc/dirsrv/slapd-IPA-EXAMPLE-COM. This is the server certificate for the LDAP server. The command does not replace the certificate in /etc/pki/pki-tomcat/alias/. This NSS database contains the certificates related to PKI (the Certificate Server for IPA). The instructions from "Installing a CA Certificate Manually" add the CA chain in the 3 NSS databases you mentioned (they do not replace IPA CA but rather add new CA). Hope this clarifies, flo Please let us know if any more details required Sai ________________________________ DISCLAIMER: The information in this message is confidential and may be legally privileged. It is intended solely for the addressee. Access to this message by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, or distribution of the message, or any action or omission taken by you in reliance on it, is prohibited and may be unlawful. Please immediately contact the sender if you have received this message in error. Further, this e-mail may contain viruses and all reasonable precaution to minimize the risk arising there from is taken by OnMobile. OnMobile is not liable for any damage sustained by you as a result of any virus in this e-mail. All applicable virus checks should be carried out by you before opening this e-mail or any attachment thereto. Thank you - OnMobile Global Limited. _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org<mailto:freeipa-users@lists.fedorahosted.org> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org<mailto:freeipa-users-leave@lists.fedorahosted.org> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue ________________________________ DISCLAIMER: The information in this message is confidential and may be legally privileged. It is intended solely for the addressee. Access to this message by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, or distribution of the message, or any action or omission taken by you in reliance on it, is prohibited and may be unlawful. Please immediately contact the sender if you have received this message in error. Further, this e-mail may contain viruses and all reasonable precaution to minimize the risk arising there from is taken by OnMobile. OnMobile is not liable for any damage sustained by you as a result of any virus in this e-mail. All applicable virus checks should be carried out by you before opening this e-mail or any attachment thereto. Thank you - OnMobile Global Limited.

Hi Florence, Can also comment on “Enter private key unlock password” Where/how do we get this password from? Regards Sai From: Polavarapu Manideep Sai Sent: 18 January 2023 00:10 To: 'Florence Blanc-Renaud' <flo(a)redhat.com>; 'FreeIPA users list' <freeipa-users(a)lists.fedorahosted.org&gt; Subject: RE: [Freeipa-users] Installing Third-Party Certificates-Help Hi Florence Can you please guide us We are getting below errors 1. Installing a CA Certificate Manually [root@centralaaa01 Apache]# [root@centralaaa01 Apache]# ipa-cacert-manage install 1f1f7ab616938168.pem Installing CA certificate, please wait Not a valid CA certificate: not a CA certificate (visit http://www.freeipa.org/page/Troubleshooting for troubleshooting guide) The ipa-cacert-manage command failed. [root@centralaaa01 Apache]# [root@centralaaa01 Apache]# ls ============================================================= 1. Installing Third-Party Certificates for HTTP or LDAP [root@centralaaa01 Apache]# ipa-server-certinstall --http --dirsrv /root/central.key 1f1f7ab616938168.crt Directory Manager password: Enter private key unlock password: The full certificate chain is not present in /root/central.key, 1f1f7ab616938168.crt The ipa-server-certinstall command failed. [root@centralaaa01 Apache]# Regards Sai From: Polavarapu Manideep Sai Sent: 20 November 2022 21:37 To: 'Florence Blanc-Renaud' <flo@redhat.com<mailto:flo@redhat.com>>; FreeIPA users list <freeipa-users@lists.fedorahosted.org<mailto:freeipa-users@lists.fedorahosted.org>> Subject: RE: [Freeipa-users] Installing Third-Party Certificates-Help Hi Florence As per your suggestion I have followed "Installing a CA Certificate Manually" guide We are getting below error uoon executing [root@central ~]# ipa-cacert-manage install /tmp/Apache/1f1f7ab616938168.pem -v ipa: DEBUG: importing plugin module ipaserver.plugins.whoami ipa: DEBUG: importing plugin module ipaserver.plugins.xmlserver ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Created connection context.ldap2_49475728 Installing CA certificate, please wait ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-IPA-ONMOBILE-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x4cdb170> ipa: DEBUG: Starting external process ipa: DEBUG: args=/usr/bin/certutil -d /tmp/tmpW6jE9j -N -f /tmp/tmpW6jE9j/pwdfile.txt -f /tmp/tmpW6jE9j/pwdfile.txt ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: stdout= ipa: DEBUG: stderr= ipa: DEBUG: Starting external process ipa: DEBUG: args=/usr/bin/certutil -d /tmp/tmpW6jE9j -A -n CN=*.ipa.example.com -t C,, -f /tmp/tmpW6jE9j/pwdfile.txt ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: stdout= ipa: DEBUG: stderr= ipa: DEBUG: Starting external process ipa: DEBUG: args=/usr/bin/certutil -d /tmp/tmpW6jE9j -A -n IPA.EXAMPLE.COM IPA CA -t CT,C,C -f /tmp/tmpW6jE9j/pwdfile.txt ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: stdout= ipa: DEBUG: stderr= ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Destroyed connection context.ldap2_49475728 ipa.ipaserver.install.ipa_cacert_manage.CACertManage: DEBUG: File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute return_value = self.run() File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cacert_manage.py", line 119, in run rc = self.install() File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cacert_manage.py", line 365, in install "troubleshooting guide)" % e) ipa.ipaserver.install.ipa_cacert_manage.CACertManage: DEBUG: The ipa-cacert-manage command failed, exception: ScriptError: Not a valid CA certificate: not a CA certificate (visit http://www.freeipa.org/page/Troubleshooting for troubleshooting guide) ipa.ipaserver.install.ipa_cacert_manage.CACertManage: ERROR: Not a valid CA certificate: not a CA certificate (visit http://www.freeipa.org/page/Troubleshooting for troubleshooting guide) ipa.ipaserver.install.ipa_cacert_manage.CACertManage: ERROR: The ipa-cacert-manage command failed. [root@central~]# Please guide us to proceed further Regards Sai From: Florence Blanc-Renaud <flo@redhat.com<mailto:flo@redhat.com>> Sent: 31 October 2022 19:12 To: FreeIPA users list <freeipa-users@lists.fedorahosted.org<mailto:freeipa-users@lists.fedorahosted.org>> Cc: Polavarapu Manideep Sai <manideep.sai@onmobile.com<mailto:manideep.sai@onmobile.com>> Subject: Re: [Freeipa-users] Installing Third-Party Certificates-Help CAUTION. This email originated from outside the organization. Please exercise caution before clicking on links or attachments in case of suspicion or unknown senders. Hi, On Sat, Oct 29, 2022 at 3:53 PM Polavarapu Manideep Sai via FreeIPA-users <freeipa-users@lists.fedorahosted.org<mailto:freeipa-users@lists.fedorahosted.org>> wrote: Hi Team, We need your help or support I have a master IPA server and 2 Replica IPA Servers, i want to install third party certificates in my setup a. master.ipa.example.com<http://master.ipa.example.com> b. replica1.ipa.example.com<http://replica1.ipa.example.com> c. replica2.ipa.example.com<http://replica2.ipa.example.com> 1. Generated new CSR/wildcard certificate on master IPA server for the domain "*.ipa.example.com<http://ipa.example.com>" and shared to third party vendor and they have shared two zip files one for apache and other for tomcat as shown below, i see crt and pem files in zip files as shown below after unzip a. _.ipa.onmobile.com_Apache.zip b. _.ipa.onmobile.com_TOMCAT.zip unzipped: [root@dir01 tmp]# tree Apache/ Apache/ ├── 1f1f7ab616938168.crt ├── 1f1f7ab616938168.pem ├── gd_bundle-g2-g1.crt └── _.ipa.onmobile.com_Apache.zip 0 directories, 4 files [root@dir01 tmp]# tree Tomcat/ Tomcat/ ├── 1f1f7ab616938168.crt ├── 1f1f7ab616938168.pem ├── gd_bundle-g2-g1.crt ├── gdig2.crt.pem └── _.ipa.onmobile.com_TOMCAT.zip 0 directories, 5 files 2. Followed the Redhat documentation but not understood which of the following one is applicable in my case for the received certificates Installing Third-Party Certificates for HTTP or LDAP Installing a CA Certificate Manually https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/... Can you please let us know the step by step procedure that how to install the certificates The certificate that you received has been signed by the vendor's CA (Certificate Authority). This CA needs to be trusted by IPA, this is achieved by following the steps from "Installing a CA Certificate Manually". Note that the vendor may provide you with a CA chain, in which case the top-level CA and all the intermediate CAs need to be trusted by IPA. When the CA chain is trusted, you can then install the new certificate for apache, following "Installing Third-Party Certificates for HTTP or LDAP". can you please also comment on below query 3. If i install the certificate will it get replaced in "/etc/pki/pki-tomcat/alias/" database as well? along with httpd and dirsrv databases ? /etc/pki/pki-tomcat/alias/ /etc/httpd/alias/ /etc/dirsrv/slapd-IPA-EXAMPLE-COM It depends on which certificate you want to replace: - If ipa-server-install is run with --http, the provided certificate will replace the Server-Cert in /etc/httpd/alias. This is the server certificate for Apache/httpd. - If ipa-server-install is run with --dirsrv, the provided certificate will replace the Server-Cert in /etc/dirsrv/slapd-IPA-EXAMPLE-COM. This is the server certificate for the LDAP server. The command does not replace the certificate in /etc/pki/pki-tomcat/alias/. This NSS database contains the certificates related to PKI (the Certificate Server for IPA). The instructions from "Installing a CA Certificate Manually" add the CA chain in the 3 NSS databases you mentioned (they do not replace IPA CA but rather add new CA). Hope this clarifies, flo Please let us know if any more details required Sai ________________________________ DISCLAIMER: The information in this message is confidential and may be legally privileged. It is intended solely for the addressee. Access to this message by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, or distribution of the message, or any action or omission taken by you in reliance on it, is prohibited and may be unlawful. Please immediately contact the sender if you have received this message in error. Further, this e-mail may contain viruses and all reasonable precaution to minimize the risk arising there from is taken by OnMobile. OnMobile is not liable for any damage sustained by you as a result of any virus in this e-mail. All applicable virus checks should be carried out by you before opening this e-mail or any attachment thereto. Thank you - OnMobile Global Limited. _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org<mailto:freeipa-users@lists.fedorahosted.org> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org<mailto:freeipa-users-leave@lists.fedorahosted.org> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue ________________________________ DISCLAIMER: The information in this message is confidential and may be legally privileged. It is intended solely for the addressee. Access to this message by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, or distribution of the message, or any action or omission taken by you in reliance on it, is prohibited and may be unlawful. Please immediately contact the sender if you have received this message in error. Further, this e-mail may contain viruses and all reasonable precaution to minimize the risk arising there from is taken by OnMobile. OnMobile is not liable for any damage sustained by you as a result of any virus in this e-mail. All applicable virus checks should be carried out by you before opening this e-mail or any attachment thereto. Thank you - OnMobile Global Limited.