[Freeipa-users] Installing a new Cert

Chris Whittle cwhittl at gmail.com
Tue Aug 26 15:19:23 UTC 2014


This actually died after restart so I ended up starting over...

So here is the process I did that looks like it works and also survives
restart.

Step 1 - Before install
http://stackoverflow.com/questions/23374894/mod-nss-with-apache-public-certificate-issue?noredirect=1#comment36504881_23374894
 -- start at Convert crt file in PEM format and do that whole section
completely

Step 2 - Install IPA server using the p12 file from before and also the
intermediate.crt from your provider (I'm not sure why this isn't documented
anywhere but I found it in my searches)

ipa-server-install --http_pkcs12 DOMAIN.COM.p12  --dirsrv_pkcs12
collectivebias.com.p12 --root-ca-file intermediate.crt

Step 3 - re-add certs (for some reason I don't know, but it's needed) (from
http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP)

ipa-server-certinstall -w --http_pin=PKPASSWORD DOMAIN.COM.p12
ipa-server-certinstall -d --dirsrv_pin=PKPASSWORD DOMAIN.COM.p12

Step 4 - reboot
Step 5 - You can dance if you wanna...



On Mon, Aug 25, 2014 at 2:02 PM, Chris Whittle <cwhittl at gmail.com> wrote:

> I spoke a little too soon... It's working fine (the browser is using the new
> cert and ldaps is also using the new cert) except when you go to the certs page
> in the UI.
> https://DOMAIN/ipa/ui/#/e/cert/search
>
> An error has occurred (IPA Error 4301: CertificateOperationError)
>
> Certificate operation cannot be completed: Unable to communicate with CMS
> (Internal Server Error)
>
>
> On Mon, Aug 25, 2014 at 1:34 PM, Chris Whittle <cwhittl at gmail.com> wrote:
>
>> ok I think I got it again...  If anyone is looking for this here is the
>> answer that worked for me....
>>
>>
>>    1. Here are the steps:
>>       1. http://stackoverflow.com/questions/23374894/mod-nss-with-apache-public-certificate-issue?noredirect=1#comment36504881_23374894
>>          -- start at "Convert crt file in PEM format" and do that whole
>>          section completely.
>>       2. Then with the p12 from above you can do this (skip the line
>>          about generating a new one):
>>          http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>>          1. If you run across the error "/etc/ipa/ca.crt contains more
>>             than one certificate", you will need to go into /etc/ipa/ca.crt,
>>             back it up, and then try removing one of the certs and try
>>             ipa-server-certinstall from above again (if it doesn't work,
>>             revert ca.crt to the original and then remove the other).
>>       3. Then restart both instances (bottom of the freeipa link)
>>          and you should be good to go.
>>
>>
>> On Mon, Aug 25, 2014 at 8:45 AM, Chris Whittle <cwhittl at gmail.com> wrote:
>>
>>> I found this but I think it's just IPA certs?
>>> http://www.freeipa.org/page/V4/CA_certificate_renewal
>>>
>>> Basically I want to use my existing wildcard cert for https and ldaps...
>>> I did this on my 3.3 install on CentOS but now I'm on a 4 install on
>>> Fedora Core.
>>>
>>> Any help would be more than appreciated!
>>> Thanks!
>>>
>>>
>>> On Mon, Aug 25, 2014 at 6:24 AM, Chris Whittle <cwhittl at gmail.com>
>>> wrote:
>>>
>>>> I have 4 installed and I get it when I try to generate the pk12
>>>> On Aug 25, 2014 3:50 AM, "Jan Cholasta" <jcholast at redhat.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> On 25.8.2014 at 03:04 Chris Whittle wrote:
>>>>>
>>>>>> Trying to do this
>>>>>> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>>>>>>
>>>>>> And I keep getting "Error unable to get local issuer certificate
>>>>>> getting chain."
>>>>>>
>>>>>
>>>>> Where are you getting this error? ipa-server-certinstall, or httpd, or
>>>>> somewhere else?
>>>>>
>>>>> What version of ipa do you have installed?
>>>>>
>>>>>
>>>>>> I'm wondering if it's because of this from the doc
>>>>>> "The certificate in mysite.crt must be signed by the CA used when
>>>>>> installing FreeIPA."
>>>>>> but it might not either...
>>>>>>
>>>>>
>>>>> In this case you should get a "file.p12 is not signed by
>>>>> /etc/ipa/ca.crt, or the full certificate chain is not present in the
>>>>> PKCS#12 file" error in ipa-server-certinstall.
>>>>>
>>>>>
>>>>>> Any ideas?
>>>>>>
>>>>>>
>>>>>>
>>>>> Honza
>>>>>
>>>>> --
>>>>> Jan Cholasta
>>>>>
>>>>
>>>
>>
>
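The preparation step the thread keeps pointing at (build a PKCS#12 that carries the server certificate, its key and the provider's intermediate, so that `ipa-server-install --http_pkcs12/--dirsrv_pkcs12` and `ipa-server-certinstall` accept it), as an added example that is not from the thread or from the FreeIPA project. It generates a throwaway root -> intermediate -> wildcard test PKI on the fly so it runs offline; the file names, the `Server-Cert` friendly name, `DOMAIN.COM.p12`, the `PKPASSWORD` placeholder and the `*.example.com` subject are assumptions. It first reproduces Chris's "unable to get local issuer certificate getting chain" error, which `openssl pkcs12 -export -chain` raises when the `-CAfile` it is given holds only the root and not the intermediate, then builds the bundle with the complete chain and counts what ended up inside it.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): build a PKCS#12 with the
# full issuing chain for ipa-server-install / ipa-server-certinstall, and
# show the failure mode when the intermediate is missing from -CAfile.
# All key material is a throwaway test PKI generated here; names, paths
# and the "*.example.com" wildcard are assumptions.
set -u

# make_test_pki DIR: constructed three-tier PKI standing in for a commercial
# provider's chain: root CA -> intermediate CA -> wildcard server cert.
make_test_pki() (
    cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.com,DNS:example.com\n' >leaf.ext
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=Test Root CA' \
        -keyout root.key -out root.crt &&
    openssl req -newkey rsa:2048 -nodes -subj '/CN=Test Intermediate CA' \
        -keyout intermediate.key -out intermediate.csr &&
    openssl x509 -req -days 30 -in intermediate.csr -CA root.crt -CAkey root.key \
        -CAcreateserial -extfile ca.ext -out intermediate.crt &&
    openssl req -newkey rsa:2048 -nodes -subj '/CN=*.example.com' \
        -keyout server.key -out server.csr &&
    openssl x509 -req -days 30 -in server.csr -CA intermediate.crt \
        -CAkey intermediate.key -CAcreateserial -extfile leaf.ext -out server.crt
) >/dev/null 2>&1

# verify_chain DIR: the check to run before touching IPA at all. Exit status 0
# means server.crt chains to root.crt through intermediate.crt.
verify_chain() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/intermediate.crt" \
        "$1/server.crt" >/dev/null 2>&1
}

# build_p12 DIR CAFILE OUT PASSWORD: export cert + key with -chain, so OpenSSL
# embeds every issuer it can find in CAFILE. Returns openssl's exit status:
# non-zero, with "unable to get local issuer certificate getting chain" on
# stderr, when CAFILE lacks the intermediate.
build_p12() {
    openssl pkcs12 -export -name 'Server-Cert' \
        -in "$1/server.crt" -inkey "$1/server.key" \
        -chain -CAfile "$2" -out "$3" -passout "pass:$4" 2>/dev/null
}

# count_p12_certs FILE PASSWORD: number of certificates inside the bundle
# (server + intermediate + root = 3 when the chain is complete).
count_p12_certs() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

# demo: reproduce the thread's failure, then the build that works.
demo() {
    work=$(mktemp -d) || return 1
    make_test_pki "$work" || { echo "test PKI generation failed"; return 1; }
    verify_chain "$work" && echo "chain verifies: server -> intermediate -> root"
    # Only the root in -CAfile: the state that produces the thread's error.
    if build_p12 "$work" "$work/root.crt" "$work/bad.p12" PKPASSWORD; then
        echo "unexpected: export succeeded without the intermediate"
    else
        echo "export with a root-only -CAfile failed, as reported in the thread"
    fi
    # Intermediate + root in -CAfile: the bundle IPA wants.
    cat "$work/intermediate.crt" "$work/root.crt" >"$work/chain.pem"
    build_p12 "$work" "$work/chain.pem" "$work/DOMAIN.COM.p12" PKPASSWORD &&
        echo "DOMAIN.COM.p12 holds $(count_p12_certs "$work/DOMAIN.COM.p12" PKPASSWORD) certificates"
    rm -rf "$work"
}

demo
```

The resulting `DOMAIN.COM.p12` is what Step 2 of the thread feeds to `ipa-server-install --http_pkcs12 ... --dirsrv_pkcs12 ... --root-ca-file intermediate.crt` (or, on an installed server, to `ipa-server-certinstall -w`/`-d` with `--http_pin`/`--dirsrv_pin` set to the export password). One caveat for older NSS builds such as those shipped with the 2014-era Fedora in the thread: `pk12util` may reject a bundle encrypted with the modern OpenSSL defaults; re-exporting with `-keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1` produces the legacy encoding those versions read.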