[Freeipa-users] install with external CA failed

Martin Kosek mkosek at redhat.com
Tue Mar 11 09:09:32 UTC 2014


On 03/10/2014 09:07 PM, Simo Sorce wrote:
> On Mon, 2014-03-10 at 15:45 -0400, Robert Story wrote:
>> On Mon, 10 Mar 2014 15:44:01 +0100 Jan wrote:
>> JC> On 6.3.2014 05:42, Robert Story wrote:
>> JC> > I'm trying to install on CentOS 6.5 (ipa-server-3.0.0-37.el6.x86_64)
>> JC> > and an external CA. I'm getting this error:
>> JC> > [snip]
>> JC> Can you please run certutil -V on the issuer certificate
>> JC> (CN=Certificate Authority,O=xxx)? That might give us a clue why it is
>> JC> invalid.
>>
>> Unfortunately I've already scrapped that install and just went with the
>> internal self-signed CA. So far, the only annoyance is that the webserver
>> also presents a self-signed cert for the UI.  Is it safe to replace just
>> the web cert with a cert signed by my local CA? Or might that break
>> something?
> 
> Import the CA cert in your browser.
> 
> Simo.
> 

Yup, in FreeIPA 4.0 even that step should not be needed given the system shared
CA trust storage:
https://fedorahosted.org/freeipa/ticket/3504

For now, you can also add the CA certificate via the convenience wizards in
the IPA UI:

http://vm-236.idm.lab.eng.brq.redhat.com/ipa/config/unauthorized.html

Martin



