[Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall
Rob Crittenden
rcritten at redhat.com
Wed May 29 16:20:25 UTC 2013
John Moyer wrote:
> John,
>
> I see the following when I ran that first command.
>
> sudo certutil -d /etc/httpd/alias -L -h internal
>
> Certificate Nickname Trust Attributes
> SSL,S/MIME,JAR/XPI
>
> Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. ,,
> Go Daddy Class 2 Certification Authority - ValiCert, Inc. ,,
> MyIPA CTu,Cu,u
>
>
> So being that I have no fear (or am just real dumb, I really feel it's just both) I used that command and got this error after hitting enter to continue:
>
> sudo modutil -add ca_certs -libfile libnssckbi.so -dbdir /etc/httpd/alias
>
> WARNING: Performing this operation while the browser is running could cause
> corruption of your security databases. If the browser is currently running,
> you should exit browser before continuing this operation. Type
> 'q <enter>' to abort, or <enter> to continue:
>
> ERROR: Failed to add module "ca_certs". Probable cause : "Unknown PKCS #11 error.".
>
> I then did the first command again (to see what I messed up) and it looks identical as shown below:
>
> sudo certutil -d /etc/httpd/alias -L -h internal
>
> Certificate Nickname Trust Attributes
> SSL,S/MIME,JAR/XPI
>
> Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. ,,
> Go Daddy Class 2 Certification Authority - ValiCert, Inc. ,,
> MyIPA CTu,Cu,u
These trust flags look really strange.
What is MyIPA? Is that your server certificate? If it is, it should have a
trust of u,u,u: certutil -M -d /etc/httpd/alias -n MyIPA -t u,u,u
The other two are clearly CAs and should be trusted as so. For each one
I'd do:
certutil -M -d /etc/httpd/alias -n 'nickname' -t CT,,
You can test the trust with:
certutil -V -u V -d /etc/httpd/alias -n MyIPA
I'm guessing that you'll need to do something similar in
/etc/dirsrv/slapd-YOUR-INSTANCE.
rob
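Added example, not from the thread: a POSIX shell helper that parses a constructed certutil -L listing like the one quoted above and prints the certutil -M commands that would bring the trust flags in line with the policy Rob describes (server certificate u,u,u, CA certificates CT,,). The database path, the server nickname MyIPA and the sample listing are assumptions; the script only prints commands and does not touch any NSS database.

```shell
#!/bin/sh
# Constructed sample of `certutil -d /etc/httpd/alias -L` output, modelled on
# the listing in the thread (not captured from a real server).
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. ,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc.    ,,
MyIPA                                                        CTu,Cu,u
'

# Print one "nickname<TAB>trust" line per certificate, skipping the two
# header lines and blank lines. Nicknames may contain spaces and commas, so
# the trust string is taken as the last whitespace-separated field.
parse_listing() {
  printf '%s\n' "$1" | awk '
    /^Certificate Nickname/ || /SSL,S\/MIME,JAR\/XPI/ || /^[[:space:]]*$/ { next }
    {
      trust = $NF
      sub(/[[:space:]]+[^[:space:]]+$/, "")   # drop the trailing trust column
      print $0 "\t" trust
    }'
}

# Emit a certutil -M command for every entry whose flags differ from policy:
# the server certificate (nickname given as $2) gets u,u,u, every other
# entry is treated as a CA and gets CT,, (hypothetical policy from the reply).
suggest_fixes() {
  db="$1"; server_nick="$2"; listing="$3"
  parse_listing "$listing" | while IFS="$(printf '\t')" read -r nick trust; do
    if [ "$nick" = "$server_nick" ]; then
      want="u,u,u"
    else
      want="CT,,"
    fi
    [ "$trust" = "$want" ] && continue
    printf "certutil -M -d %s -n '%s' -t %s\n" "$db" "$nick" "$want"
  done
}

# Number of entries that need changing (0 means the database matches policy).
count_fixes() {
  suggest_fixes "$1" "$2" "$3" | wc -l | tr -d ' '
}
```

After applying the printed commands, `certutil -V -u V -d /etc/httpd/alias -n MyIPA` (from the reply) is the check that the server certificate now validates against the trusted CAs.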