OK Thanks a lot for the solution and for the advice. <div class="gmail_quote">2012/9/19 Rob Crittenden <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">James James wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im"> Hi, I have followed this <a href="http://freeipa.org/page/Certificate_Authority#Using_Certificates_From_a_Different_CA" target="_blank">http://freeipa.org/page/Certificate_Authority#Using_Certificates_From_a_Different_CA</a> and everything works well. Now when, from the console, I execute $ ipa user-find I've got [root@ipa ipa]# ipa user-find ipa: ERROR: cert validation failed for "E=<a href="mailto:certusser@example.com" target="_blank">certusser@example.com</a> </div> <mailto:<a href="mailto:certusser@example.com" target="_blank">certusser@example.com</a>>,CN=<a href="http://ipa.example.com" target="_blank">ipa.example.com</a> <<a href="http://ipa.example.com" target="_blank">http://ipa.example.com</a>>,OU=TEST,O=TEST,C=FR"<div class="im"> ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.) ipa: ERROR: cannot connect to u'<a href="http://ipa.lix.example.com/ipa/xml" target="_blank">http://ipa.lix.example.com/ipa/xml</a>': [Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user. Any help will be very appreciated .. </div></blockquote> You need to add the CA certificate to /etc/pki/nssdb on the client and mark it as trusted. Note that installing certificates from another CA is not recommended and you may run into further corner cases. If you have an existing CA then installing the IPA dogtag CA as a subordinate is a better long-term solution. rob </blockquote></div>