[Freeipa-users] Installation issues with sub-ca.
Andrea Bontempi
abontempi at dbmsrl.com
Thu Nov 14 08:29:35 UTC 2013
> This is incorrect. To validate a certificate you only need the CA public
> keys, not the private ones. Only having the ipa-ca-agent key is right.
> This is a temporary database, not the CA database. We are using this
> cert to request some information about itself from the CA in this case.
You're right, I thought that the script use a temporary db to create the final database, but it's only to connect with sslget.
> I think there is an issue with one of the CA certs but I've yet to
> duplicate it or identify what is wrong. I'm still waiting on word back
> from one of the NSS devs.
I did some tests: The error occurs when I use a CA managed by EJBCA, if I use a CA generated by openssl or nss everything works properly.
The problem is that i can't reproduce the bug in an external nss db... but maybe I don't follow the same steps that uses the installation script.
Andrea Bontempi
More information about the Freeipa-users
mailing list