[Freeipa-devel] [PATCH 111] ipa-client-install: Publish CA certificate to systemwide store

Nalin Dahyabhai nalin at redhat.com
Tue Sep 24 16:14:43 UTC 2013


On Tue, Sep 24, 2013 at 01:30:10PM +0200, Jan Cholasta wrote:
> We discussed this with Tomáš off-line and it turns out that
> ipa-client-install fails if the CA cert is not added to
> /etc/pki/nssdb.
> 
> However, according to p11-kit docs it should work:
> <http://p11-glue.freedesktop.org/doc/p11-kit/trust-nss.html>. I
> wonder what needs to be done to make it work in IPA...

On my system, there's no symlink to libnssckbi.so (or the right location
in the link farm under /etc/alternatives) in /etc/pki/nssdb, so that
database isn't going to automatically pull in the list of trusted CAs
that p11-kit maintains.

Whether the database under /etc/pki/nssdb should automatically include
the usual set of trust anchors is probably a different conversation.

HTH,

Nalin
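
The check described in the message above, as an added example that is not part of the original post or of FreeIPA's code: it reports whether an NSS database directory has a libnssckbi.so entry and where that entry's symlink chain ends. The function name `check_nssckbi` is hypothetical, and the file name `p11-kit-trust.so` for the p11-kit replacement module is an assumption about the local install.

```shell
#!/bin/sh
# Added example: classify the libnssckbi.so entry in an NSS database directory.
# Assumption: the p11-kit replacement for libnssckbi.so is a file named
# p11-kit-trust.so, reached directly or through /etc/alternatives symlinks.

# check_nssckbi DBDIR prints one of:
#   missing   no libnssckbi.so entry in DBDIR
#   dangling  the entry is a symlink whose chain does not resolve to a file
#   p11-kit   the chain ends at p11-kit-trust.so
#   other     the chain ends at some other file
check_nssckbi() {
    link="$1/libnssckbi.so"
    # -e follows symlinks, -L does not: together they separate
    # "nothing there" from "symlink pointing nowhere".
    if [ ! -e "$link" ] && [ ! -L "$link" ]; then
        echo missing
        return 0
    fi
    if [ ! -e "$link" ]; then
        echo dangling
        return 0
    fi
    # Resolve every hop of the chain (e.g. through /etc/alternatives).
    target=$(readlink -f "$link")
    case "$(basename "$target")" in
        p11-kit-trust.so) echo p11-kit ;;
        *)                echo other ;;
    esac
}

# Default to the database directory named in the thread.
dbdir="${1:-/etc/pki/nssdb}"
printf '%s: %s\n' "$dbdir" "$(check_nssckbi "$dbdir")"
```

A result of `missing` matches the situation described in the message.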