[Freeipa-users] Globalsign External CA Certificate Import Failure

James Scollard james.scollard at weather.com
Mon Jan 6 17:25:28 UTC 2014


I have it now.  The --dirsrv_pkcs12 option seems to like pkcs7 formatted 
certificates, but the person who issued it did not set a password, so 
FreeIPA will not let me install it to know if it works for sure.  I am 
having the certificate reissued again with a password in pkcs12 format 
and all should be well with the world again.

Thanks for your help and guidance on this.  Your level of support is 
better than I could have expected.

On 1/6/14 11:01 AM, Rob Crittenden wrote:
> James Scollard wrote:
>> That makes absolute perfect sense.  Thanks for the clarification.
>> Unfortunately I have a new issue now.  Globalsign has issued me a pkcs7
>> certificate.  FreeIPA does not recognize the format:
>>
>> [root@ldapm6x00 ~]# ipa-server-install
>> --dirsrv_pkcs7=/root/ldapm6x00.sun.weather.com.pkcs7
>> --http_pkcs7=/root/ldapm6x00.sun.weather.com.pkcs7
>> --root-ca-file=/root/STAR_CA-2048.crt
>> Usage: ipa-server-install [options]
>>
>> ipa-server-install: error: no such option: --dirsrv_pkcs7
>>
>> I need to convert it to pkcs12 using the converter here (awesome free
>> tool):
>>
>> https://www.sslshopper.com/ssl-converter.html
>>
>> I need the server's private key file to convert from pkcs7 to pkcs12,
>> but can't find it anywhere.  Is there a command to export it or does it
>> live in /var/lib or /etc somewhere?
>
> The private key exists wherever you generated the CSR. If you used openssl 
> then it would be in a flat file somewhere. If you used NSS then it 
> would be in that database.
>
> rob

-- 
James E. Scollard III

Senior Cloud Systems Architect
c: 615.730.4387
www.weather.com
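
The conversion discussed in this thread (the CA's PKCS#7 bundle plus the private key from wherever the CSR was generated, combined into a password-protected PKCS#12 file) can be done locally with openssl, so the key never leaves the host. This is an added example, not part of the original messages; the function name, file names, subject and password are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: PKCS#7 bundle + CSR private key -> password-protected PKCS#12.
set -eu

# p7_to_p12 BUNDLE KEY OUT PWFILE   (hypothetical helper name)
# Returns 2 on an empty password, 3 on an unreadable bundle, 4 on a key mismatch.
p7_to_p12() {
    p7_bundle=$1 p7_key=$2 p7_out=$3 p7_pwfile=$4
    # The thread's blocker: a PKCS#12 file issued without a password was refused.
    [ -s "$p7_pwfile" ] || { echo "password file is empty" >&2; return 2; }
    p7_certs=$(mktemp)
    # A PKCS#7 bundle may arrive PEM- or DER-encoded; try PEM first, then DER.
    openssl pkcs7 -print_certs -in "$p7_bundle" -out "$p7_certs" 2>/dev/null ||
        openssl pkcs7 -inform DER -print_certs -in "$p7_bundle" -out "$p7_certs" ||
        { rm -f "$p7_certs"; return 3; }
    # pkcs12 -export fails when no certificate in the bundle matches the key,
    # which catches a key taken from the wrong host or the wrong CSR.
    p7_rc=0
    openssl pkcs12 -export -inkey "$p7_key" -in "$p7_certs" -out "$p7_out" \
        -passout "file:$p7_pwfile" || p7_rc=4
    rm -f "$p7_certs"
    return $p7_rc
}

# Constructed sample input: throwaway key, self-signed cert, PKCS#7 wrapper.
work=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=ipa.example.test" \
    -keyout "$work/server.key" -out "$work/server.crt" 2>/dev/null
openssl crl2pkcs7 -nocrl -certfile "$work/server.crt" -out "$work/server.p7b"
printf '%s\n' 'constructed-demo-password' > "$work/pw.txt"
: > "$work/empty.txt"

p7_to_p12 "$work/server.p7b" "$work/server.key" "$work/server.p12" "$work/pw.txt"
# Confirm the file opens with the password before handing it to an installer.
openssl pkcs12 -in "$work/server.p12" -passin "file:$work/pw.txt" -noout
echo "wrote $work/server.p12"
```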
