[Freeipa-users] Third Party Certificate

Florence Blanc-Renaud flo at redhat.com
Tue Aug 2 15:19:36 UTC 2016


On 08/02/2016 03:17 PM, Ian Harding wrote:
> Hello!
>
> I have been using FreeIPA for a while in our network with 6 replicas and
> it's been working great.  I seem to have made a wee mistake though and
> I'd appreciate some help.
>
> I did this:
>
> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>
> on one server because I had a new cert for our internal domain and I
> thought it might be nice to use the same cert for all our internal web
> services.
>
> It worked fine but now when I'm on that server I get
> SEC_ERROR_UNTRUSTED_ISSUER when I run ipa commands.  Is there any way I
> can roll this back, or make it work as is?
>
> Thanks!
>
> -Ian
>
Hi Ian,

If the certificate that you installed was issued by a CA not known by 
IPA (let's call it the issuer), then you need to add this issuer cert 
first using:
ipa-cacert-manage install <issuer certificate file> -n nickname -t C,,
kinit admin
ipa-certupdate

You can check that the issuer cert is properly installed in 
/etc/httpd/alias and /etc/ipa/nssdb with:
certutil -L -d /etc/httpd/alias
certutil -L -d /etc/ipa/nssdb
where it should appear with C,, flags.

Hope this helps,
Flo.
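As an added example (not part of Flo's reply or of FreeIPA itself), a POSIX shell helper that applies the certutil -L check above: it parses the listing for an issuer nickname and reports whether the SSL column carries the C flag in both /etc/httpd/alias and /etc/ipa/nssdb. The sample listing and the nicknames in it are constructed.

```shell
#!/bin/sh
# Added example: verify that an issuer CA is present with C,, trust flags in
# the NSS databases the reply names (/etc/httpd/alias and /etc/ipa/nssdb).
# Assumes certutil (nss-tools) is installed; the listing below is constructed.

# issuer_trust_flags NICKNAME  (reads "certutil -L" output on stdin)
# Prints the trust-attribute column for NICKNAME, nothing if it is absent.
issuer_trust_flags() {
    awk -v nick="$1" '
        # skip the two header lines; the flags are always the last field
        NR > 2 && NF >= 2 {
            flags = $NF
            sub(/[[:space:]]+[^[:space:]]+[[:space:]]*$/, "", $0)
            if ($0 == nick) { print flags; exit }
        }'
}

# issuer_trusted NICKNAME  -> exit 0 if the SSL column carries the C flag
issuer_trusted() {
    flags=$(issuer_trust_flags "$1")
    case "${flags%%,*}" in
        *C*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Constructed sample of "certutil -L" output, not real database contents.
sample_listing() {
    cat <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Internal Issuer CA                                           C,,
Server-Cert                                                  u,u,u
EOF
}

# check_issuer NICKNAME  -> exit 0 only if both databases list it as a CA
check_issuer() {
    for db in /etc/httpd/alias /etc/ipa/nssdb; do
        if certutil -L -d "$db" | issuer_trusted "$1"; then
            echo "$db: '$1' present with C flag"
        else
            echo "$db: '$1' missing or not trusted as a CA" >&2
            return 1
        fi
    done
}
```

Run `check_issuer "<nickname>"` on the affected server after ipa-certupdate; a non-zero exit from either database means the issuer still needs to be installed there.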