[Freeipa-users] trust non-IPA certificate client
Rob Crittenden
rcritten at redhat.com
Tue Jan 6 18:49:14 UTC 2015
Stephen Ingram wrote:
> On Fri, Jan 2, 2015 at 10:02 AM, Rob Crittenden <rcritten at redhat.com> wrote:
>
> Stephen Ingram wrote:
> > On Mon, Dec 15, 2014 at 6:40 PM, Stephen Ingram <sbingram at gmail.com> wrote:
> >
> > I have one client using a certificate issued by a third party
> > provider such that any secure (TLS) LDAP queries are refused since
> > the certificates were not issued by IPA. Since there are only a few
> > clients with foreign certificates, can the CA simply be added to the
> > NSS database used by the 389 directory server so IPA will establish
> > a secure connection with them?
> >
> >
> > I should have added, "or do I have to somehow add the certificate to the
> > IPA directory?"
>
> Need a little more context here. IPA doesn't use SSL client
> authentication so it shouldn't be an issue. Can you provide more details
> on what the client side is doing and what errors you are seeing?
>
>
> Thanks Rob. I imported the CA into both the httpd and ldap NSS databases
> and it works. Interestingly, I'm currently using version 3.0 of IPA
> which still has the split directories. The CA imported properly into the
> main IPA directory, but would not import into the PKI directory without
> errors on restart. As I only really needed it in the main directory, I'm
> OK for now, however, I'm wondering if this will be a problem when we
> move to version 3.3 and the two directories are combined.
I'd need to see the errors you were getting. I don't see why the
existence of a trusted CA cert would cause a service to not start.
rob
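As an added example (not code from the thread or from FreeIPA itself), the import Stephen describes, done with certutil against the httpd NSS database and the 389 DS instance of an IPA 3.x server, followed by a check of the trust flags; the /etc/httpd/alias path, the slapd-REALM instance naming and the script name are assumptions, and the realm, PEM file and nickname are caller-supplied placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: import a third-party CA into the NSS
# databases that IPA's httpd and 389 DS instance read, then confirm the
# nickname and trust flags. Paths follow the IPA 3.x layout (assumed); the
# realm, PEM path and nickname are placeholders supplied by the caller.

# IPA names the DS instance after the realm with dots replaced by dashes,
# e.g. EXAMPLE.COM -> /etc/dirsrv/slapd-EXAMPLE-COM.
ipa_ds_instance_dir() {
    printf '/etc/dirsrv/slapd-%s\n' "$(printf '%s' "$1" | tr '.' '-')"
}

# Add the PEM-encoded CA with trust flags "CT,,": trusted to issue TLS
# server and client certificates, but not e-mail or code-signing certs.
import_ca() {
    db="$1"; nick="$2"; pem="$3"
    certutil -A -d "$db" -n "$nick" -t "CT,," -a -i "$pem"
}

# Verify the entry exists in the database and carries the expected flags;
# certutil -L prints one "nickname   trust-flags" line per certificate.
verify_ca() {
    db="$1"; nick="$2"
    certutil -L -d "$db" | grep -F -- "$nick" | grep -q 'CT,,'
}

main() {
    realm="${1:?realm, e.g. EXAMPLE.COM}"
    pem="${2:?path to the third-party CA certificate (PEM)}"
    nick="${3:-Third-party CA}"
    for db in /etc/httpd/alias "$(ipa_ds_instance_dir "$realm")"; do
        import_ca "$db" "$nick" "$pem"
        verify_ca "$db" "$nick" || { echo "trust check failed in $db" >&2; exit 1; }
    done
    # Both services read their NSS database at start-up, so restart them
    # and watch the output for the kind of errors the thread mentions.
    ipactl restart
}

# Only run when executed as a script named import-ca.sh, so the functions
# can also be sourced and checked on their own.
case "$0" in */import-ca.sh|import-ca.sh) main "$@" ;; esac
```

The separate PKI directory of IPA 3.0 is left out on purpose, since the thread only needed the CA in the main directory.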