[Freeipa-users] exporting ldap certificate
Peter Brown
rendhalver at gmail.com
Tue May 7 08:37:42 UTC 2013
On 7 May 2013 16:50, Martin Kosek <mkosek at redhat.com> wrote:
> On 05/07/2013 04:51 AM, Peter Brown wrote:
> > On 6 May 2013 17:07, Martin Kosek <mkosek at redhat.com> wrote:
> >
> > I am glad you got it working. Just for the record, CRL and OCSP revocation
> > URIs in FreeIPA v3.1 were flawed, there are relevant fixes in FreeIPA 3.2 that
> > will make it work again.
> >
> >
> > Thanks for the heads up Martin.
> > I will likely upgrade to 3.2 once Fedora 19 is released.
> >
> > I am going to assume my 3.1 clients will be compatible?
>
> Yes, this is a correct assumption. BTW we are just in the process of testing and
> releasing the FreeIPA 3.1.4 bugfixing release for Fedora 18, which will also contain
> the CRL/OCSP URI fixes (will happen this week). Any help with testing 3.1.4
> when it is released is appreciated.
>
Awesome.
I shall install them and let you know how I go.
>
> Martin
>
> >
> >
> >
> > More information can be found out in FreeIPA.org wiki:
> > http://www.freeipa.org/page/V3/Single_OCSP_and_CRL_in_certs
> >
> > Relevant upstream ticket:
> > https://fedorahosted.org/freeipa/ticket/3552
> >
> > Martin
> >
> > On 04/29/2013 06:59 AM, Peter Brown wrote:
> > > I finally got this to work.
> > >
> > > I managed to get an error message that told me it couldn't check the
> > > revocation of the certificates against a crl.
> > > I tried to find out how to tell java where to find that crl but I
> > > discovered these options instead to tell java to not check a crl.
> > > -Dcom.sun.net.ssl.checkRevocation=false
> > > -Dcom.sun.security.enableCRLDP=false
> > >
> > >
> > > On 26 April 2013 18:30, Petr Viktorin <pviktori at redhat.com> wrote:
> > >
> > > Hello,
> > >
> > >
> > > On 04/26/2013 07:22 AM, Peter Brown wrote:
> > >
> > > Hi everyone.
> > >
> > > I am attempting to get Google Apps to sync with FreeIPA and I am having
> > > problems getting the sync utility to talk to freeipa.
> > > It complains about the ssl cert.
> > > I have it set up so it only accepts ssl or tls encrypted connections and
> > > I don't want to turn that off.
> > > I have imported the ca cert using the jre's keytool but it still refuses
> > > to connect.
> > > I am getting the impression I need to import the ssl cert for the ldap
> > > server into it as well.
> > >
> > >
> > > The CA cert (/etc/ipa/ca.crt) should be enough, it signs all the other
> > > certs. Make sure you import it with the right trust level (SSL certificate
> > > signing). Unfortunately I don't know about jre's keytool so I can't be more
> > > specific.
> > >
> > >
> > >
> > > I have no idea which certificate that is and I have no idea how to
> > > export it.
> > >
> > >
> > > Do not do this. You should only explicitly trust the CA cert.
> > > For example, if you trust the certs explicitly you'd have to re-import them
> > > one by one when they are renewed.
> > >
> > >
> > > Can someone please tell me how to do this?
> > >
> > >
> > > If you really want to:
> > > There are two certs, one for httpd (Web UI, XMLRPC & JSON APIs), and one
> > > for the LDAP server.
> > > To export the httpd server certificate (to PEM):
> > > $ certutil -L -d /etc/httpd/alias -n Server-Cert -a
> > > To export the directory server certificate (to PEM):
> > > $ certutil -L -d /etc/dirsrv/slapd-$INSTANCE_NAME/ -n Server-Cert -a
> > > But again, you don't need this for what you're trying to do.
> > >
> > > --
> > > Petr³
> > >
> > >
> > >
> > >
> > > _______________________________________________
> > > Freeipa-users mailing list
> > > Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
> > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > >
> >
> >
>
>
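The thread ends with two pieces of advice that pull in different directions: Petr's "trust only the CA cert, never the leaf certs", and Peter's workaround of switching Java's revocation checking off entirely with -Dcom.sun.net.ssl.checkRevocation=false and -Dcom.sun.security.enableCRLDP=false. The following is an added example, not code from the thread, from FreeIPA or from Google Apps Directory Sync (which is a packaged application; this applies to a Java client you control). It builds an in-memory trust store holding only /etc/ipa/ca.crt, the path named in the thread, and connects to the LDAPS port with a PKIXRevocationChecker configured explicitly, so that an unreachable or broken CRL/OCSP URI (the FreeIPA 3.1 situation Martin describes) can be tolerated with SOFT_FAIL while a certificate that is positively revoked is still rejected. The host name ipa.example.com and the alias ipa-ca are placeholders I chose. The equivalent keytool import into a file-based trust store, for the record, is keytool -importcert -trustcacerts -alias ipa-ca -file /etc/ipa/ca.crt -keystore <truststore>.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.EnumSet;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not from the thread): connect to a FreeIPA LDAPS port trusting
 * only the IPA CA, with revocation checking configured instead of disabled.
 * Assumptions: CA cert at /etc/ipa/ca.crt (as in the thread); host name,
 * alias "ipa-ca" and the "soft" argument are placeholders chosen here.
 */
public class IpaLdapsTrust {

    /** Trust store containing only the IPA CA: no leaf certs, nothing to re-import on renewal. */
    static KeyStore caOnlyTrustStore(String caPemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate ca;
        try (InputStream in = new FileInputStream(caPemPath)) {
            ca = (X509Certificate) cf.generateCertificate(in);   // PEM is accepted
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                      // fresh, empty, in-memory store
        ks.setCertificateEntry("ipa-ca", ca);     // a trusted-cert entry is the "CA" trust level
        return ks;
    }

    /** SSLContext whose PKIX trust manager checks revocation via OCSP / CRL Distribution Points. */
    static SSLContext revocationCheckingContext(KeyStore trust, boolean softFail) throws Exception {
        PKIXBuilderParameters pkix = new PKIXBuilderParameters(trust, new X509CertSelector());
        PKIXRevocationChecker rc =
            (PKIXRevocationChecker) CertPathBuilder.getInstance("PKIX").getRevocationChecker();
        EnumSet<PKIXRevocationChecker.Option> opts =
            EnumSet.noneOf(PKIXRevocationChecker.Option.class);
        if (softFail) {
            // Tolerate a CRL/OCSP URI that cannot be fetched (unknown status), but a
            // certificate that is positively revoked is still refused. Narrower than
            // -Dcom.sun.net.ssl.checkRevocation=false, which skips the check entirely.
            opts.add(PKIXRevocationChecker.Option.SOFT_FAIL);
        }
        rc.setOptions(opts);
        // Revocation is enabled by default in PKIXParameters; adding an explicit checker
        // replaces the default mechanism with this policy (OCSP and CRL DP both on).
        pkix.addCertPathChecker(rc);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pkix));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "ipa.example.com";   // placeholder host
        boolean softFail = args.length > 1 && "soft".equals(args[1]);
        KeyStore trust = caOnlyTrustStore("/etc/ipa/ca.crt");
        SSLContext ctx = revocationCheckingContext(trust, softFail);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, 636)) {
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("LDAPS");   // host name must match the server cert
            s.setSSLParameters(p);
            s.startHandshake();   // SSLHandshakeException if chain, revocation or host name fails
            X509Certificate leaf = (X509Certificate) s.getSession().getPeerCertificates()[0];
            System.out.println("Trusted " + leaf.getSubjectX500Principal());
            // The URIs the checker consulted live in the leaf's extensions (OIDs: CRL DP, AIA).
            System.out.println("CRL DP present: " + (leaf.getExtensionValue("2.5.29.31") != null));
            System.out.println("AIA present:    " + (leaf.getExtensionValue("1.3.6.1.5.5.7.1.1") != null));
        }
    }
}
```

Run it as java IpaLdapsTrust ipa.example.com to see the hard-fail behaviour that Peter hit against 3.1 (handshake aborts when the CRL cannot be fetched), and java IpaLdapsTrust ipa.example.com soft for the tolerant mode; once the 3.1.4/3.2 URI fixes are deployed the strict mode is the one to keep.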