[Freeipa-users] Installing Using Existing Certificate

Benjamin Reed ranger at opennms.org
Tue Sep 6 18:52:54 UTC 2011


On 9/6/11 11:56 AM, Benjamin Reed wrote:
> I've gotten a GeoTrust certificate for the host I'm attempting to put
> FreeIPA onto (connect.opennms.com) and I'm now trying to set up an IPA
> server on RHEL 6 and I'm running into an error.  I have a feeling I'm
> missing something obvious and/or fundamental.  =)

I was, in fact, missing something both obvious and fundamental. <g>

So if you have a certificate from a CA that you wish to use for the
"public-facing" portions of your server, you don't in fact need to embed
it into the bowels of FreeIPA, you only need to use it for LDAP and
HTTPS.  Here are the steps I took to get it working (thanks MUCH for the
help from simo and richm on IRC):

First, set up FreeIPA as you normally would, in my case:
   ipa-server-install --selfsign

Then, get your keys in the right format, as per this page:
http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

When attempting to restart the directory server, it failed, because it
didn't have a trust setting for the chained CA certificates:

  certutil -d /etc/dirsrv/slapd-YOUR-DOMAIN -L
  GeoTrust DV SSL CA - GeoTrust Inc.                           ,,
  GeoTrust Global CA - GeoTrust Inc.                           ,,

They should be "CT,," not ",," for things to start up correctly.

I fixed it by telling certutil to trust them:

  certutil -d /etc/dirsrv/slapd-YOUR-DOMAIN -M -n "GeoTrust DV SSL CA - GeoTrust Inc." -t CT,,
  certutil -d /etc/dirsrv/slapd-YOUR-DOMAIN -M -n "GeoTrust Global CA - GeoTrust Inc." -t CT,,

Now everything's up and appears to be running.

-- 
Benjamin Reed
The OpenNMS Group
http://www.opennms.org/
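An added example, not from the post above or from the FreeIPA project: a POSIX shell script that parses a certutil -L listing of the directory server's NSS database, reports the CA entries whose SSL trust field lacks the C flag, and prints the certutil -M commands the post used to set them to "CT,,". The listing is a constructed sample embedded in the script, and /etc/dirsrv/slapd-YOUR-DOMAIN is the placeholder path from the post; the script only prints the commands, it does not run them.

```shell
#!/bin/sh
# Audit trust flags in `certutil -L` output and emit the `certutil -M` fix
# commands for CA certificates that are not yet trusted for SSL ("C" flag).

# Constructed sample of `certutil -d /etc/dirsrv/slapd-YOUR-DOMAIN -L` output,
# embedded so the script runs offline. The server's own certificate carries
# the "u" (private key present) flags and must be left alone.
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
GeoTrust DV SSL CA - GeoTrust Inc.                           ,,
GeoTrust Global CA - GeoTrust Inc.                           CT,,
'

# Print the nicknames whose SSL trust field lacks the C flag, skipping the
# two header lines, blank lines and entries that hold a private key (u).
untrusted_cas() {
    # $1: file containing certutil -L output
    while IFS= read -r line; do
        case "$line" in
            ""|"Certificate Nickname"*|*"SSL,S/MIME"*) continue ;;
        esac
        flags=${line##* }                                    # last token
        nick=${line%"$flags"}                                # nickname + padding
        nick=$(printf '%s' "$nick" | sed 's/[[:space:]]*$//')  # strip padding
        ssl=${flags%%,*}                                     # SSL field only
        case "$ssl" in *u*|*C*) continue ;; esac
        printf '%s\n' "$nick"
    done < "$1"
}

# Emit one `certutil -M ... -t CT,,` command per untrusted CA nickname.
fix_commands() {
    # $1: NSS database directory, $2: file containing certutil -L output
    untrusted_cas "$2" | while IFS= read -r nick; do
        printf 'certutil -d %s -M -n "%s" -t CT,,\n' "$1" "$nick"
    done
}

tmp=$(mktemp)
printf '%s\n' "$SAMPLE_LISTING" > "$tmp"
fix_commands /etc/dirsrv/slapd-YOUR-DOMAIN "$tmp"
rm -f "$tmp"
```

Against a live server, replace the sample with `certutil -d /etc/dirsrv/slapd-YOUR-DOMAIN -L > listing.txt` and pass that file; review the printed commands before running them.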
