On 11/30/2017 10:30 AM, Andrew Radygin via FreeIPA-users wrote:
> On 11/30/2017 08:24 AM, Andrew Radygin via FreeIPA-users wrote:
> Hi,
>
> the ca certs need to be added from the root to the one that issued the
> server cert:
> 1/ ipa-cacert-manage install root.crt + ipa-certupdate
> 2/ ipa-cacert-manage install inter1.crt + ipa-certupdate
> 3/ ipa-cacert-manage install inter2.crt + ipa-certupdate
> 4/ ipa-server-certinstall -w main.crt + restart http service
>
> After step3, you can check that all the CA certs have been added to
> /etc/httpd/alias with
> $ certutil -L -d /etc/httpd/alias
>
> HTH,
> Flo
Florence, I already added the certs, but probably in the wrong order, and now if I
try to add the same ones in the order you pointed out, they aren't added, even with other
nicknames (without any error, they just don't show up in certutil -L).
Hi,
no need to start over with a different nickname if the certificates are
already in LDAP. "ipa-cacert-manage install" adds them in the LDAP
server below cn=certificates,cn=ipa,cn=etc,$BASEDN, so I would start by
checking if they are all present there:
ldapsearch -h localhost -p 389 -D cn=directory\ manager -W -b cn=certificates,cn=ipa,cn=etc,$BASEDN
(replace BASEDN with your deployment's basedn that can be found in
/etc/ipa/default.conf)
The entries will also contain an attribute ipakeytrust (either trusted
or distrusted). Please check that they are all trusted.
Maybe it's better to delete all the new CA certs from the databases and
repeat adding them in the right order?
How can I delete those certs?
I suppose via certutil, but from which directories and databases should I do that?
I tried something like this:
certutil -D -d /etc/httpd/alias -n "Nickname"
but after ipa-certupdate they show up again.
That is expected, as ipa-certupdate retrieves the certs from LDAP and
installs them in the /etc/httpd/alias NSS database.
By the way, how can I include my private key in ipa-server-certinstall?
Is it just
# ipa-server-certinstall -w comodo.crt comodo.key
?
Also, if I try to install a file with only the main domain cert (without the chain),
the command results in an error:
# ipa-server-certinstall -w comodo_base.crt comodo.key
Directory Manager password:
Enter private key unlock password:
The full certificate chain is not present in comodo_base.crt, comodo.key
The ipa-server-certinstall command failed.
You can supply multiple files to ipa-server-certinstall, containing the
cert, the key, and the cert chain. For instance:
ipa-server-certinstall -w server.cert server.key cachain.cert
where server.cert contains only the cert, server.key only the key, and
cachain.cert contains the root, inter1 and inter2 certs.
Flo
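The thread stresses that the CA certificates must be installed one at a time, from the root down to the last intermediate, each followed by ipa-certupdate. The script below is an added example (not code from the thread or from FreeIPA itself) that takes a single PEM bundle assumed to already be ordered root, inter1, inter2 (the cachain.cert layout Flo describes), splits it into one file per certificate in that order, and then either prints or runs the ipa-cacert-manage install / ipa-certupdate pair for each one. The function names, the ca-N.crt naming and the dry-run default are my own choices; the sample bundle used in testing is constructed and contains no real certificate data.

```shell
#!/bin/sh
# Added example: install a CA chain into FreeIPA in root-first order.
# Assumes the bundle is already ordered root -> inter1 -> inter2; it does
# not reorder certificates, it only preserves the order it is given.

# split_pem_chain BUNDLE OUTDIR
# Writes OUTDIR/ca-1.crt, OUTDIR/ca-2.crt, ... in bundle order (only the
# BEGIN/END CERTIFICATE blocks, so "subject=" style text between them is
# dropped) and prints the number of certificates found.
split_pem_chain() {
    bundle="$1"
    outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/ca-" n ".crt"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$bundle"
}

# install_chain BUNDLE [dry|run]
# For each certificate, in order, runs (or in dry mode prints) the two
# commands from the thread: ipa-cacert-manage install FILE && ipa-certupdate.
# Prints the certificate count as its last line.
install_chain() {
    bundle="$1"
    mode="${2:-dry}"
    tmp=$(mktemp -d)
    count=$(split_pem_chain "$bundle" "$tmp")
    i=1
    while [ "$i" -le "$count" ]; do
        f="$tmp/ca-$i.crt"
        if [ "$mode" = "run" ]; then
            # Real run: requires root and a working IPA server.
            ipa-cacert-manage install "$f" && ipa-certupdate
        else
            echo "ipa-cacert-manage install $f && ipa-certupdate"
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    echo "$count"
}

# Usage (dry run by default, so nothing is changed on the server):
#   install_chain cachain.cert
# and, once the chain is in place, step 4 from the thread:
#   ipa-server-certinstall -w server.cert server.key cachain.cert
```

Run it as root with `install_chain cachain.cert run` on the IPA server; afterwards, `certutil -L -d /etc/httpd/alias` and the ldapsearch under cn=certificates,cn=ipa,cn=etc,$BASEDN should list every CA in the bundle, which is the check Flo suggests before installing the server certificate.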
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org