[Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall
Rob Crittenden
rcritten at redhat.com
Fri May 24 19:11:36 UTC 2013
John Moyer wrote:
> So unfortunately a rebuild would be less than optimal for me, lots of servers and users. So I've tried Dmitri's idea of ldapi and I got the access to LDAP now, however I may be going about this entire thing wrong. I created an LDIF file that looks like this:
>
> dn: cn=cacert,cn=ipa,cn=etc,dc=example,dc=com
> changetype: modify
> replace: cacert
> cacert: NEWKEY_ksljdfkljadfkljalksdjfaBLAHBLAH
>
> Then I ran the following:
>
> ldapmodify -x -H ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket -D "cn=Directory Manager" -W -f /root/change-settings.ldif
>
> and I get the following error:
>
> Enter LDAP Password:
> modifying entry "cn=cacert,cn=ipa,cn=etc,dc=digitalreasoning,dc=com"
> ldap_modify: Object class violation (65)
> additional info: attribute "cacert" not allowed
>

The attribute you want is caCertificate. What you need to do is convert
your CA cert from PEM format to DER:

openssl x509 -in /etc/ipa/ca.crt -out /tmp/ca.der -outform DER

Then use this ldif:

dn: cn=cacert,cn=ipa,cn=etc,dc=example,dc=com
changetype: modify
replace: cacertificate;binary
cacertificate;binary:< file:///tmp/ca.der

That should do it.

rob
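
The conversion and LDIF from the reply above, as an added Python example that is not part of the original message: it performs the PEM-to-DER step, checks that the decoded bytes are one complete DER SEQUENCE, and writes the same modify record with the value inline as base64 (`::`) instead of a `file://` reference. The helper names and the sample blob are assumptions made for the example; the blob is constructed and is not a real certificate.

```python
import base64, hashlib, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)
ATTR = "cacertificate;binary"   # attribute and transfer option from the reply

def pem_to_der(pem):
    """Strip the PEM armor, base64-decode, and check the result is one whole DER SEQUENCE."""
    bodies = PEM_RE.findall(pem)
    if len(bodies) != 1:
        raise ValueError(f"expected exactly one certificate, found {len(bodies)}")
    der = base64.b64decode("".join(bodies[0].split()), validate=True)
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if der[1] < 0x80:                       # short-form length
        hdr, length = 2, der[1]
    else:                                   # long form: low 7 bits = number of length bytes
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            raise ValueError("bad DER length")
        hdr, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if hdr + length != len(der):
        raise ValueError("truncated certificate or trailing data")
    return der

def build_ldif(dn, der, width=76):
    """Modify record with the DER inline as base64 ('::'), folded per RFC 2849."""
    line = f"{ATTR}:: " + base64.b64encode(der).decode()
    folded = [line[:width]]
    folded += [" " + line[i:i + width - 1] for i in range(width, len(line), width - 1)]
    return "\n".join([f"dn: {dn}", "changetype: modify", f"replace: {ATTR}", *folded, ""])

def sha256_fingerprint(der):
    """Hex SHA-256 of the DER bytes, for comparison with a fingerprint obtained out of band."""
    return hashlib.sha256(der).hexdigest()

def der_to_pem(der):
    """Helper for the sample only: wrap DER bytes in PEM armor, 64 characters per row."""
    b64 = base64.b64encode(der).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *rows, "-----END CERTIFICATE-----", ""])

# Constructed sample: a 260-byte blob with a valid DER SEQUENCE header, NOT a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PEM = der_to_pem(SAMPLE_DER)

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print("sha256:", sha256_fingerprint(der))
    print(build_ldif("cn=cacert,cn=ipa,cn=etc,dc=example,dc=com", der))
```

Comparing the printed SHA-256 with the fingerprint the CA publishes, before running ldapmodify, confirms that the bytes going into the directory are the intended trust anchor.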