[Freeipa-users] Third Party Certificate

Ian Harding ianh at brownpapertickets.com
Tue Aug 2 17:17:50 UTC 2016


YES!  Thank you so much.

On 08/02/2016 08:19 AM, Florence Blanc-Renaud wrote:
> On 08/02/2016 03:17 PM, Ian Harding wrote:
>> Hello!
>>
>> I have been using FreeIPA for a while in our network with 6 replicas and
>> it's been working great.  I seem to have made a wee mistake though and
>> I'd appreciate some help.
>>
>> I did this:
>>
>> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>>
>> on one server because I had a new cert for our internal domain and I
>> thought it might be nice to use the same cert for all our internal web
>> services.
>>
>> It worked fine but now when I'm on that server I get
>> SEC_ERROR_UNTRUSTED_ISSUER when I run ipa commands.  Is there any way I
>> can roll this back, or make it work as is?
>>
>> Thanks!
>>
>> -Ian
>>
> Hi Ian,
> 
> if the certificate that you installed was issued by a CA not known by
> IPA (let's call him the issuer), then you need to add this issuer cert
> first using:
> ipa-cacert-manage install <issuer certificate file> -n nickname -t C,,
> kinit admin
> ipa-certupdate
> 
> You can check that the issuer cert is properly installed in
> /etc/httpd/alias and /etc/ipa/nssdb with:
> certutil -L -d /etc/httpd/alias
> certutil -L -d /etc/ipa/nssdb
> where it should appear with C,, flags
> 
> Hope this helps,
> Flo.
> 

-- 
Ian Harding
IT Director
Brown Paper Tickets
1-800-838-3006 ext 7186
http://www.brownpapertickets.com
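A small check for the verification step Flo describes (the issuer appearing in `certutil -L` with `C,,` flags), written as an added example for this thread and not taken from either poster. The nickname and the certutil listing it parses are constructed sample data so it runs offline; in a real environment pipe in the output of `certutil -L -d /etc/httpd/alias` and `certutil -L -d /etc/ipa/nssdb`.

```shell
#!/bin/sh
# Added example: confirm an issuer CA is present in an NSS database with the
# "C,," trust flags that ipa-cacert-manage install -t C,, should have set.

# Constructed sample of `certutil -L` output. "Internal Issuer CA" is an
# assumed nickname, not one that appears in the thread.
SAMPLE_CERTUTIL_OUTPUT='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
Internal Issuer CA                                           C,,
Some Other CA                                                ,,
'

# check_issuer_trust NICKNAME   (reads `certutil -L` output on stdin)
# Returns 0 when NICKNAME is listed with exactly "C,," trust flags, 1 otherwise
# (missing nickname or wrong flags both count as a failure).
check_issuer_trust() {
    nick="$1"
    awk -v nick="$nick" '
        NF >= 2 {
            flags = $NF
            # certutil pads the nickname column with spaces and the trust flags
            # are the last field; strip that field to recover the nickname,
            # which may itself contain spaces.
            line = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", line)
            if (line == nick) {
                found = 1
                if (flags == "C,,") ok = 1
            }
        }
        END { if (found && ok) exit 0; exit 1 }
    '
}

# check_nssdb_sample NICKNAME   -- runs the check against the constructed output
check_nssdb_sample() {
    printf '%s\n' "$SAMPLE_CERTUTIL_OUTPUT" | check_issuer_trust "$1"
}

# Real use (needs the NSS tools and read access to the databases):
#   certutil -L -d /etc/httpd/alias | check_issuer_trust "Internal Issuer CA"
#   certutil -L -d /etc/ipa/nssdb   | check_issuer_trust "Internal Issuer CA"
```

Run the check against both databases, since ipa-certupdate is what propagates the issuer into /etc/ipa/nssdb after the install into /etc/httpd/alias.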



