[Freeipa-users] Using 3rd party certificates for HTTP/LDAP

Bjarne Blichfeldt BJB at jndata.dk
Tue Apr 26 13:04:02 UTC 2016


This is a follow-up to https://www.redhat.com/archives/freeipa-users/2016-January/msg00023.html

From: Jan Cholasta <jcholast redhat com>
To: Peter Pakos <peter pakos pl>, freeipa-users redhat com
    My question is, what is the correct way of installing a 3rd party
    certificate for HTTP/LDAP that will actually work?


1. Install the CA certificate chain of the issuer of the 3rd party certificate to IPA using "ipa-cacert-manage install"

2. Run "ipa-certupdate" to update CA certificate related IPA configuration.

3. Manually import the server certificate into the /etc/dirsrv/slapd-REALM NSS database, configure the correct nickname in LDAP in the nsSSLPersonalitySSL attribute of cn=RSA,cn=encryption,cn=config and restart DS.

4. Manually import the server certificate into the /etc/httpd/alias NSS database, configure the correct nickname in /etc/httpd/conf.d/nss.conf using the NSSNickname directive and restart httpd.


I am in a similar situation and have some follow-up questions:

ad1:  If I run ipa-cacert-manage install --external-cert-file=/path/to/external_ca_certificate-chain, does this simply add the chain as an extra root ca without destroying the existing ipa-ca?

ad3: I assume the import is: certutil -A -d /etc/dirsrv/slapd-REALM. How do I configure the LDAP attribute?
Is it just a matter of making the change in /etc/dirsrv/ldap*/dse.ldif and restarting?

Also:
Where is the private key in all this? I generate a CSR with openssl, send the CSR to the CA, and receive the certificate, but I don't see any option in certutil to specify the private key. I did find an instruction on importing PKCS#12 into the NSS DB; is this what is meant here?


Our setup:
  4 IPA servers, RHEL 7.2, ipa ping = "IPA server version 4.2.0. API version 2.156"
  mix of RHEL 6 (ipa-client 3.0.xx) and RHEL 7.1 (ipa-client 4.1.xx)







Regards,
Bjarne Blichfeldt

JN Data A/S
Havsteensvej 4
4000 Roskilde
Telefon 63 63 63 63 / Fax 63 63 63 64
www.jndata.dk
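On the private-key question: certutil -A imports only a certificate, so the key has to travel together with the certificate (and the issuer chain) in a PKCS#12 file that pk12util imports into the NSS database. The script below is an added example, not code from this thread or from FreeIPA: it assembles such a bundle with openssl, checks that the key really belongs to the certificate and that the chain actually issues it before anything touches the NSS DB, and sets the friendly name that becomes the NSS nickname. It assumes only openssl is installed; the CA and server certificate it uses are constructed throwaway test material standing in for the real 3rd-party issuer.

```shell
# Added example (not from the post): build the PKCS#12 bundle that pk12util
# imports into an NSS DB (server cert + private key + issuer chain), checking
# the inputs first. Needs only openssl; all certs here are constructed test data.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the 3rd-party issuer: throwaway CA, server key and
# CSR (as the post does with openssl), and the certificate the CA signs.
make_test_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
        -out "$WORK/ca-chain.pem" -subj "/CN=Constructed External CA" -days 1 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
        -out "$WORK/server.csr" -subj "/CN=ipa.example.test" 2>/dev/null
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca-chain.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server.pem" -days 1 2>/dev/null
}

# certutil -A only imports certificates; the key travels in the PKCS#12, so
# refuse to bundle a key whose public half does not match the certificate.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# The chain file given to ipa-cacert-manage must actually issue the server cert.
chain_verifies() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# $1 cert, $2 key, $3 chain, $4 output .p12, $5 nickname, $6 password.
# The -name friendly name becomes the NSS nickname after "pk12util -i".
make_bundle() {
    openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" \
        -name "$5" -out "$4" -passout "pass:$6"
}

bundle_readable() { openssl pkcs12 -in "$1" -passin "pass:$2" -noout 2>/dev/null; }

run_checks() {
    make_test_material
    key_matches_cert "$WORK/server.pem" "$WORK/server.key"
    chain_verifies "$WORK/ca-chain.pem" "$WORK/server.pem"
    make_bundle "$WORK/server.pem" "$WORK/server.key" "$WORK/ca-chain.pem" \
        "$WORK/server.p12" "Server-Cert" "import-pass"
    bundle_readable "$WORK/server.p12" "import-pass"
    echo "ready: pk12util -i $WORK/server.p12 -d /etc/dirsrv/slapd-REALM"
}
run_checks
```

After the import, `certutil -L -d <nssdb>` should list the nickname given with -name, and that nickname is what goes into nsSSLPersonalitySSL and NSSNickname. On OpenSSL 3 an older NSS may reject the default PKCS#12 encryption; if pk12util refuses the file, re-export it with `openssl pkcs12 -export -legacy ...`.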