[Freeipa-users] exporting ldap certificate

Petr Viktorin pviktori at redhat.com
Fri Apr 26 08:30:00 UTC 2013


Hello,

On 04/26/2013 07:22 AM, Peter Brown wrote:
> Hi everyone.
>
> I am attempting to get Google Apps to sync with FreeIPA and I am having
> problems getting the sync utility to talk to freeipa.
> It complains about the ssl cert.
> I have it setup so it only accepts ssl or tls encrypted connections and
> I don't want to turn that off.
> I have imported the ca cert using the jre's keytool but it still refuses
> to connect.
> I am getting the impression I need to import the ssl cert for the ldap
> server into it as well.

The CA cert (/etc/ipa/ca.crt) should be enough; it signs all the other 
certs. Make sure you import it with the right trust level (SSL 
certificate signing). Unfortunately I don't know about jre's keytool so 
I can't be more specific.

> I have no idea which certificate that is and I have no idea how to
> export it.

Do not do this. You should only explicitly trust the CA cert.
For example, if you trust the certs explicitly you'd have to re-import 
them one by one when they are renewed.

> Can someone please tell me how to do this?

If you really want to:
There are two certs, one for httpd (Web UI, XMLRPC & JSON APIs), and one 
for the LDAP server.
To export the httpd server certificate (to PEM):
$ certutil -L -d /etc/httpd/alias -n Server-Cert -a
To export the directory server certificate (to PEM):
$ certutil -L -d /etc/dirsrv/slapd-$INSTANCE_NAME/ -n Server-Cert -a
But again, you don't need this for what you're trying to do.

-- 
Petr³