[Freeipa-users] Installation issues with sub-ca.
Rob Crittenden
rcritten at redhat.com
Wed Nov 13 18:09:26 UTC 2013
Andrea Bontempi wrote:
> Ok, this is funny:
>
> -----------------------------------------------------------------------------------------------------
> [root at dbm13 ca_rotta]# certutil -d sql:[nss db] -K
> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
> Enter Password or Pin for "NSS Certificate DB":
> < 0> rsa [hidden] ipa-ca-agent
> -----------------------------------------------------------------------------------------------------
>
> The sub-ca doesn't have the private key. This is ridiculous... FreeIPA gave me the CSR...
>
> When I try to validate "ipa-ca-agent" with certutil I get this error:
>
> "Peer's certificate issuer is not recognized"
>
> (obvious if the certificate issuer does not have the private key)
This is incorrect. To validate a certificate you only need the CA public
keys, not the private ones. Only having the ipa-ca-agent key is right.

This is a temporary database, not the CA database. We are using this
cert to request some information about itself from the CA in this case.

I think there is an issue with one of the CA certs but I've yet to
duplicate it or identify what is wrong. I'm still waiting on word back
from one of the NSS devs.
rob