[Freeipa-devel] [PATCH 111] ipa-client-install: Publish CA certificate to systemwide store

Jan Cholasta jcholast at redhat.com
Tue Sep 24 11:30:10 UTC 2013


On 24.9.2013 12:26, Jan Cholasta wrote:
> Hi,
>
> On 24.9.2013 12:03, Tomas Babej wrote:
>> Hi,
>>
>> During the installation, copy the CA certificate to the systemwide
>> store (/etc/pki/ca-trust/source/anchors/ipa-ca.crt) and update the
>> systemwide CA database.
>>
>> This allows browsers to access IPA WebUI without warning out of the
>> box.
>>
>> https://fedorahosted.org/freeipa/ticket/3504
>>
>
> I think you should update /etc/pki/nssdb manually only if update-ca-cert
> fails.
>
> Honza
>

We discussed this with Tomáš off-line and it turns out that 
ipa-client-install fails if the CA cert is not added to /etc/pki/nssdb.

However, according to p11-kit docs it should work: 
<http://p11-glue.freedesktop.org/doc/p11-kit/trust-nss.html>. I wonder 
what needs to be done to make it work in IPA...

Honza

-- 
Jan Cholasta
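
An added example, not part of this thread or of the FreeIPA patch: a Python check that every certificate in the anchor file named above also appears in the consolidated PEM bundle that `update-ca-trust` writes, compared by SHA-256 fingerprint. The bundle path, the function names and the sample data are assumptions of this example, and it does not inspect /etc/pki/nssdb.

```python
import base64
import hashlib
import re

# Anchor path is the one quoted in the thread; the bundle path is assumed to be
# the Fedora/RHEL default output location of update-ca-trust.
ANCHOR = "/etc/pki/ca-trust/source/anchors/ipa-ca.crt"
BUNDLE = "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def pem_fingerprints(pem_text):
    """Return the SHA-256 fingerprints of all certificates in a PEM string."""
    prints = set()
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))  # ignore line wrapping
        prints.add(hashlib.sha256(der).hexdigest())
    return prints


def missing_from_bundle(anchor_pem, bundle_pem):
    """Fingerprints found in the anchor file but absent from the bundle."""
    anchor = pem_fingerprints(anchor_pem)
    if not anchor:
        # An empty or non-PEM anchor must not be reported as "all present".
        raise ValueError("anchor file contains no PEM certificate")
    return anchor - pem_fingerprints(bundle_pem)


def sample_pem(payload, width=64):
    """Constructed sample: PEM framing around arbitrary bytes, not real X.509."""
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) +
            "\n-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    with open(ANCHOR) as a, open(BUNDLE) as b:
        missing = missing_from_bundle(a.read(), b.read())
    for fp in sorted(missing):
        print("not in system bundle:", fp)
    raise SystemExit(1 if missing else 0)
```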



