[Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

John Dennis jdennis at redhat.com
Wed May 29 15:12:49 UTC 2013


On 05/29/2013 09:55 AM, John Moyer wrote:
> John,
>
> 	I see the following when I ran that first command.
>
> sudo certutil -d /etc/httpd/alias -L -h internal
>
> Certificate Nickname                                         Trust Attributes
>                                                               SSL,S/MIME,JAR/XPI
>
> Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. ,,
> Go Daddy Class 2 Certification Authority - ValiCert, Inc.    ,,
> MyIPA                                                        CTu,Cu,u
>
>
> So being that I have no fear (or am just real dumb, I really feel it's just both) I used that command and got this error after hitting enter to continue:
>
> sudo modutil -add ca_certs -libfile libnssckbi.so -dbdir /etc/httpd/alias
>
> WARNING: Performing this operation while the browser is running could cause
> corruption of your security databases. If the browser is currently running,
> you should exit browser before continuing this operation. Type
> 'q <enter>' to abort, or <enter> to continue:
>
> ERROR: Failed to add module "ca_certs". Probable cause : "Unknown PKCS #11 error.".
>
> I then did the first command again (to see what I messed up) and it looks identical as shown below:
>
> sudo certutil -d /etc/httpd/alias -L -h internal
>
> Certificate Nickname                                         Trust Attributes
>                                                               SSL,S/MIME,JAR/XPI
>
> Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. ,,
> Go Daddy Class 2 Certification Authority - ValiCert, Inc.    ,,
> MyIPA                                                        CTu,Cu,u

My suggestion would be to do the following.

1) Determine the issuer of your new cert (i.e. who signed it). Do this 
by dumping the text representation of the cert. If one of the certs 
above is the cert in question you can use certutil

% certutil -d /etc/httpd/alias -L -n "xxx"

where xxx is the cert nickname

or via openssl if you have the cert file available (assuming in pem format)

% openssl x509 -inform PEM -text -in xxx

where xxx is the cert file

look for the issuer field and make note of it.

2) Is the issuer one of the certs in the above listing? If so use 
certutil to add trust flags to it (see certutil web page pointed out 
earlier for examples of adding trust).

If the issuer is not already in the list then acquire the issuer cert 
from godaddy and add it to the database with trust flags turned on.


-- 
John Dennis <jdennis at redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
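As an added example (not from this thread or the FreeIPA project), a small Python helper that parses the `certutil -L` listing quoted above, reads the NSS trust flags of a given issuer nickname, and returns the `certutil -M` (or `-A`) command that step 2 calls for. The listing is the one from this thread, `ISSUER.pem` is a placeholder path, and the flag meanings follow certutil's documented trust arguments.

```python
import re

# Constructed sample: the `certutil -d /etc/httpd/alias -L -h internal` listing
# quoted earlier in this thread (nickname, whitespace, then the trust column).
LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                              SSL,S/MIME,JAR/XPI

Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. ,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc.    ,,
MyIPA                                                        CTu,Cu,u
"""

# Trust column = three comma-separated flag sets (SSL, S/MIME, JAR/XPI); the
# letters are certutil(1) trust arguments.
FLAG_MEANING = {
    "C": "trusted CA for issuing server certs",
    "T": "trusted CA for issuing client certs",
    "c": "valid CA, not trusted",
    "u": "user cert (private key in the DB)",
    "p": "valid peer",
    "P": "trusted peer",
}
ROW_RE = re.compile(r"^(?P<nick>\S.*?)\s+(?P<trust>[CTcuPpw]*,[CTcuPpw]*,[CTcuPpw]*)$")

def parse_listing(text):
    """Map nickname -> (ssl, smime, jar) flag strings from `certutil -L` output."""
    certs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.rstrip())
        if m:
            certs[m.group("nick")] = tuple(m.group("trust").split(","))
    return certs

def describe(flags):
    """Meaning of one flag set, e.g. 'CTu' -> three descriptions; '' (no flags) -> []."""
    return [FLAG_MEANING[f] for f in flags if f in FLAG_MEANING]

def ca_trusted_for_ssl(certs, issuer_nick):
    """True only if the issuer's SSL flag set carries 'C' (trusted to sign server certs)."""
    return "C" in certs.get(issuer_nick, ("", "", ""))[0]

def remediation(certs, issuer_nick, dbdir="/etc/httpd/alias"):
    """certutil command that makes the issuer a trusted CA, or None if it already is."""
    if issuer_nick not in certs:  # issuer absent: import it (ISSUER.pem is a placeholder)
        return f'certutil -d {dbdir} -A -n "{issuer_nick}" -t "CT,," -i ISSUER.pem'
    if ca_trusted_for_ssl(certs, issuer_nick):
        return None
    return f'certutil -d {dbdir} -M -n "{issuer_nick}" -t "CT,,"'
```

Run `remediation(parse_listing(LISTING), "<issuer nickname from the openssl -text output>")` to get the exact command to apply; an empty SSL column (",,") means the CA is present but not trusted, which is what the Go Daddy entries above show.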
