[Freeipa-users] Installation issues with sub-ca.
Andrea Bontempi
abontempi at dbmsrl.com
Tue Nov 12 14:56:58 UTC 2013
I found the reason for the failure of the installation.
The script uses an NSS db located under /tmp:
-------------------------------------------------------------------------------
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ipa-ca-agent                                                 u,u,u
Certificate Authority - dbmsrl.com                           ,,c
D.B.M. CA - dbmsrl.com                                       c,c,
testnick                                                     P,,
-------------------------------------------------------------------------------
The trust attributes are strange (not trusted) and the chain is broken:
-------------------------------------------------------------------------------
[root@dbm13 cert]# certutil -d [temp db] -O -n "Certificate Authority - dbmsrl.com"
"D.B.M. CA - dbmsrl.com" [O=dbmsrl.com,OU=office,OU=services,CN=D.B.M. CA]
"Certificate Authority - dbmsrl.com" [CN=Certificate Authority,O=DBMSRL.COM]
[root@dbm13 cert]# certutil -d [temp db] -O -n "ipa-ca-agent"
"ipa-ca-agent" [CN=ipa-ca-agent,O=DBMSRL.COM]
-------------------------------------------------------------------------------
I tried to export all the certificates in PEM format; if I check the signature with openssl, everything works perfectly...
The chain is valid, but NSS doesn't see it for the "ipa-ca-agent" certificate.
(sslget returns "SSL_ERROR_UNKNOWN_CA_ALERT" when the script tries to use this certificate.)
Now I know what the problem is, but I don't know how to fix it XD
Can anyone help me?
Thank you
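
Added example, not part of the original message and not FreeIPA code: a small parser for the `certutil -L` listing quoted above that reports, per nickname, what the SSL trust column grants. The flag meanings (u, p/P, c, C, T) are the ones documented for NSS certutil; the function names are hypothetical.

```python
import re
from typing import NamedTuple

# Constructed sample: the `certutil -L` listing quoted in the message above.
LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ipa-ca-agent                                                 u,u,u
Certificate Authority - dbmsrl.com                           ,,c
D.B.M. CA - dbmsrl.com                                       c,c,
testnick                                                     P,,
"""

# Three comma-separated flag fields, each possibly empty (e.g. ",,c").
TRUST_RE = re.compile(r"^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$")

class Entry(NamedTuple):
    nickname: str
    ssl: str       # first field: SSL
    smime: str     # second field: S/MIME
    objsign: str   # third field: JAR/XPI (object signing)

def parse_listing(text):
    """Return one Entry per certificate line; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        # Nicknames contain spaces, so the trust string is the last token.
        parts = line.rstrip().rsplit(None, 1)
        if len(parts) != 2 or not TRUST_RE.match(parts[1]):
            continue
        ssl, smime, objsign = parts[1].split(",")
        entries.append(Entry(parts[0].strip(), ssl, smime, objsign))
    return entries

def ssl_role(entry):
    """Describe what the SSL column grants, strongest flag first."""
    if "C" in entry.ssl or "T" in entry.ssl:
        return "trusted CA"
    if "c" in entry.ssl:
        return "valid CA, not a trust anchor"
    if "P" in entry.ssl:
        return "trusted peer"
    if "u" in entry.ssl:
        return "user cert (private key in db)"
    return "no SSL trust"

def ssl_trust_anchors(entries):
    """Nicknames NSS would accept as a trusted issuer for SSL (C or T)."""
    return [e.nickname for e in entries if "C" in e.ssl or "T" in e.ssl]

if __name__ == "__main__":
    for e in parse_listing(LISTING):
        print(f"{e.nickname:40} {ssl_role(e)}")
```

Run against the listing above, it finds no nickname with a `C` or `T` flag in the SSL column, which matches the "not trusted" observation in the message.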