[Freeipa-users] Installation issues with sub-ca.
Rob Crittenden
rcritten at redhat.com
Tue Nov 12 16:36:26 UTC 2013
Andrea Bontempi wrote:
> I found the reason for the failure of the installation.
>
> The script uses an NSS db located under /tmp:
>
> -------------------------------------------------------------------------------
> Certificate Nickname Trust Attributes
> SSL,S/MIME,JAR/XPI
>
> ipa-ca-agent u,u,u
> Certificate Authority - dbmsrl.com ,,c
> D.B.M. CA - dbmsrl.com c,c,
> testnick P,,
> -------------------------------------------------------------------------------
>
> The trust attributes are strange (not trusted) and the chain is broken:
>
> -------------------------------------------------------------------------------
> [root at dbm13 cert]# certutil -d [temp db] -O -n "Certificate Authority - dbmsrl.com"
> "D.B.M. CA - dbmsrl.com" [O=dbmsrl.com,OU=office,OU=services,CN=D.B.M. CA]
>
> "Certificate Authority - dbmsrl.com" [CN=Certificate Authority,O=DBMSRL.COM]
>
> [root at dbm13 cert]# certutil -d [temp db] -O -n "ipa-ca-agent"
> "ipa-ca-agent" [CN=ipa-ca-agent,O=DBMSRL.COM]
> -------------------------------------------------------------------------------
>
> I tried to export all the certificates in PEM format; if I check the signature with openssl, all work perfectly...
>
> The chain is valid, but NSS doesn't see it for the "ipa-ca-agent" certificate.
>
> (sslget returns "SSL_ERROR_UNKNOWN_CA_ALERT" when the script tries to use this certificate.)
>
> Now I know what the problem is, but I don't know how to fix it XD
>
> Can anyone help me?
This is basically what I saw too. I'm waiting on someone from the NSS
team to get back to me. This must have something to do with the way that
OpenSSL validates certs vs NSS. Apparently NSS is being more picky but I
don't know why yet.
rob
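A small decoder for the trust-attribute column of the `certutil -L` listing quoted above, added here as an example (not code from the thread or from FreeIPA). It parses the listing, expands each NSS flag letter per column (SSL, S/MIME, JAR/XPI) and reports which entries NSS would treat as a trust anchor for server certificates; the sample listing is copied from the mail as inline test data, and the flag meanings are taken from the certutil documentation.

```python
import re

# Sample `certutil -L` output copied from the thread (constructed inline test data).
LISTING = """\
Certificate Nickname                                 Trust Attributes
                                                     SSL,S/MIME,JAR/XPI

ipa-ca-agent                                         u,u,u
Certificate Authority - dbmsrl.com                   ,,c
D.B.M. CA - dbmsrl.com                               c,c,
testnick                                             P,,
"""

COLUMNS = ("SSL", "S/MIME", "JAR/XPI")
# NSS trust flags as documented for certutil -t; unknown letters are reported, not guessed.
FLAGS = {
    "P": "trusted peer (end-entity trusted as-is)",
    "c": "valid CA (may appear in a chain, but is not a trust anchor)",
    "C": "trusted CA (trust anchor for server certificates)",
    "T": "trusted CA for client authentication",
    "u": "user certificate (private key present in this db)",
}
TRUST_RE = re.compile(r"^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$")


def parse_listing(text):
    """Return {nickname: trust_string}; nicknames may contain spaces, so split from the right."""
    certs = {}
    for line in text.splitlines():
        parts = line.rstrip().rsplit(None, 1)
        if len(parts) == 2 and TRUST_RE.match(parts[1]):
            certs[parts[0].rstrip()] = parts[1]
    return certs


def decode_trust(trust):
    """Map each usage column to the human-readable meaning of its flag letters."""
    return {col: [FLAGS.get(ch, f"unknown flag {ch!r}") for ch in letters]
            for col, letters in zip(COLUMNS, trust.split(","))}


def ssl_trust_anchors(certs):
    """Nicknames carrying C in the SSL column, i.e. usable as a server-cert trust anchor."""
    return sorted(n for n, t in certs.items() if "C" in t.split(",")[0])


if __name__ == "__main__":
    certs = parse_listing(LISTING)
    for nick, trust in certs.items():
        print(f"{nick}: {decode_trust(trust)}")
    print("SSL trust anchors:", ssl_trust_anchors(certs) or "none")
```

In the quoted listing no entry has C in the SSL column, so the report prints "none"; whether that is the cause of the alert is exactly the question the thread leaves open.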