<div dir="ltr">I've now set up a test box using exactly the same install command, SSL certificate etc...<div><br></div><div>The /etc/ipa/ca.crt contains only 3 certificates but they are not CA certificates that were included in the PKCS12 file:</div><div><br></div><div><pre style="color:rgb(0,0,0);word-wrap:break-word;white-space:pre-wrap">[root@dupa temp]# for i in {1..3}; do echo cert${i}; openssl x509 -in cert${i} -noout -text | grep -i 'issuer:\|subject:'; done
cert1
        Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
        Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
cert2
        Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
        Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
cert3
        Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
        Subject: C=FR, ST=Paris, L=Paris, O=Gandi, CN=Gandi Standard SSL CA 2</pre><pre style="color:rgb(0,0,0);word-wrap:break-word;white-space:pre-wrap"><span style="font-family:arial,helvetica,sans-serif"><br></span></pre><pre style="color:rgb(0,0,0);word-wrap:break-word;white-space:pre-wrap"><span style="font-family:arial,helvetica,sans-serif">So out of the box, the certificate "</span><span style="font-family:arial,helvetica,sans-serif">USERTrust RSA Certification Authority</span><span style="font-family:arial,helvetica,sans-serif">" is listed there twice.</span><br></pre><pre style="color:rgb(0,0,0);word-wrap:break-word;white-space:pre-wrap"><pre style="word-wrap:break-word;white-space:pre-wrap">[root@dupa temp]# certutil -L -d /etc/pki/nssdb/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

AddTrust External CA Root - AddTrust AB                      ,,
USERTrust RSA Certification Authority - AddTrust AB          ,,
Gandi Standard SSL CA 2 - The USERTRUST Network              C,,
<br></pre><pre style="word-wrap:break-word;white-space:pre-wrap">[root@dupa temp]# certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

GandiWildcardIPA                                             u,u,u
AddTrust External CA Root - AddTrust AB                      ,,
USERTrust RSA Certification Authority - AddTrust AB          ,,
Gandi Standard SSL CA 2 - The USERTRUST Network              C,,
<br></pre><pre style="word-wrap:break-word;white-space:pre-wrap">[root@dupa temp]# certutil -L -d /etc/dirsrv/slapd-IPA-WANDISCO-COM/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

GandiWildcardIPA                                             u,u,u
AddTrust External CA Root - AddTrust AB                      ,,
USERTrust RSA Certification Authority - AddTrust AB          ,,
Gandi Standard SSL CA 2 - The USERTRUST Network              C,,</pre></pre><pre style="color:rgb(0,0,0);word-wrap:break-word;white-space:pre-wrap"><br></pre><pre style="color:rgb(0,0,0);word-wrap:break-word;white-space:pre-wrap"><font face="arial, helvetica, sans-serif">Please note, in the databases the certificate "USERTrust RSA Certification Authority - AddTrust AB" is only listed once.</font></pre><pre style="color:rgb(0,0,0);word-wrap:break-word;white-space:pre-wrap">How do I fix our production installation?</pre><pre style="color:rgb(0,0,0);word-wrap:break-word;white-space:pre-wrap"><span style="font-family:arial,sans-serif;color:rgb(34,34,34)">-- </span><br></pre><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">Kind regards,<div> Peter Pakos</div></div></div>
</div></div>
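Added example, not part of the original message: a shell/awk helper that reads the issuer/subject listing shown in the post and labels each bundle entry, so that entries sharing a subject name can be told apart by their issuer. The function names and the "kind" labels are assumptions of this example; the sample listing is copied from the post.

```shell
# Added example (not from the original message). Function names and the
# "kind" labels are assumptions made for this illustration.

# Listing copied from the post: issuer/subject of the three certificates
# split out of /etc/ipa/ca.crt.
sample_listing() {
cat <<'EOF'
cert1
        Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
        Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
cert2
        Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
        Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
cert3
        Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
        Subject: C=FR, ST=Paris, L=Paris, O=Gandi, CN=Gandi Standard SSL CA 2
EOF
}

# Reads such a listing on stdin, prints "name|kind|subject CN|issuer CN".
#   self-signed : issuer DN equals subject DN
#   alt-issuer  : same subject DN as another entry, but a different issuer,
#                 so it is a different certificate for the same name
#   repeat      : subject and issuer DN both match an earlier entry
#   issued      : anything else
classify_bundle() {
  awk '
    function cn(dn) { sub(/^.*CN *= */, "", dn); return dn }
    /^cert[0-9]+$/    { name[++n] = $0; next }
    /^[ \t]*Issuer:/  { sub(/^[ \t]*Issuer: */, "");  iss[n] = $0; next }
    /^[ \t]*Subject:/ { sub(/^[ \t]*Subject: */, ""); subj[n] = $0
                        if (!((subj[n], iss[n]) in pair)) issuers[subj[n]]++
                        pair[subj[n], iss[n]] = 1 }
    END {
      for (i = 1; i <= n; i++) {
        s = subj[i]
        if (seen[s, iss[i]]++)     k = "repeat"
        else if (iss[i] == s)      k = "self-signed"
        else if (issuers[s] > 1)   k = "alt-issuer"
        else                       k = "issued"
        printf "%s|%s|%s|%s\n", name[i], k, cn(s), cn(iss[i])
      }
    }'
}

sample_listing | classify_bundle
```

The listing only carries names, so a `repeat` or `alt-issuer` label is a hint; comparing `openssl x509 -noout -fingerprint -sha256` output for each split file confirms whether two entries are byte-for-byte the same certificate.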