[Freeipa-users] Using 3rd party certificates for HTTP/LDAP

Petr Spacek pspacek at redhat.com
Mon Jan 11 07:34:54 UTC 2016


On 10.1.2016 22:21, Peter Pakos wrote:
> On 04/01/2016 12:44, Jan Cholasta wrote:
>>> My question is, what is the correct way of installing a 3rd party
>>> certificate for HTTP/LDAP that will actually work?
>>
>> 1. Install the CA certificate chain of the issuer of the 3rd party
>> certificate to IPA using "ipa-cacert-manage install"
>>
>> 2. Run "ipa-certupdate" to update CA certificate related IPA configuration.
>>
>> 3. Manually import the server certificate into the
>> /etc/dirsrv/slapd-REALM NSS database, configure the correct nickname in
>> LDAP in the nsSSLPersonalitySSL attribute of
>> cn=RSA,cn=encryption,cn=config and restart DS.
>>
>> 4. Manually import the server certificate into the /etc/httpd/alias NSS
>> database, configure the correct nickname in /etc/httpd/conf.d/nss.conf
>> using the NSSNickname directive and restart httpd.
> 
> Is there any chance you can confirm the exact commands I need to run to
> accomplish the above steps? I don't want to risk breaking our production servers.
> 
> BTW, do we have up-to-date documentation about this process in FreeIPA 4.2?
> I failed to find any.
> 
> Many thanks in advance.

Hello,

I'm attaching two bash scripts I used to use a Let's Encrypt certificate for IPA
HTTPd. You can take some inspiration from them, just ignore the calls to the
"letsencrypt" tool, which are there for periodic certificate re-generation.

-- 
Petr^2 Spacek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: initial-le-config.sh
Type: application/x-shellscript
Size: 368 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160111/0eba19f1/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: renew.sh
Type: application/x-shellscript
Size: 977 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160111/0eba19f1/attachment-0001.bin>
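Added example, not one of Petr's attached scripts and not FreeIPA's own tooling: a bash script that ties together steps 3 and 4 of Jan's list for a server certificate delivered as a PKCS#12 bundle, with the text-only parts (the nss.conf rewrite and the LDIF for nsSSLPersonalitySSL) split into functions you can dry-run on a copy first. It assumes steps 1 and 2 (ipa-cacert-manage install, ipa-certupdate) were already done, that the bundle's friendly name is the nickname you want, and that the NSS database password files live at <nssdb>/pwdfile.txt (the usual FreeIPA 4.x layout; check on your server).

```shell
#!/bin/bash
# Install a 3rd-party server certificate (PKCS#12) into the 389-ds and httpd
# NSS databases of a FreeIPA server. Run as root; requires pk12util, certutil,
# ldapmodify. Assumed: <nssdb>/pwdfile.txt holds each NSS database's password.
set -euo pipefail

# Set (or add) the NSSNickname directive in an nss.conf-style file and echo
# the resulting value. Pure text edit, so it is safe to try on a copy first.
set_nss_nickname() {   # usage: set_nss_nickname <conf-file> <nickname>
    local conf=$1 nick=$2
    if grep -qE '^[[:space:]]*NSSNickname[[:space:]]' "$conf"; then
        sed -i -E "s|^([[:space:]]*NSSNickname[[:space:]]+).*|\1${nick}|" "$conf"
    else
        printf 'NSSNickname %s\n' "$nick" >> "$conf"
    fi
    grep -E '^[[:space:]]*NSSNickname[[:space:]]' "$conf" | awk '{print $2}'
}

# LDIF that points 389-ds at the new nickname (attribute from step 3 above).
ds_nickname_ldif() {   # usage: ds_nickname_ldif <nickname>
    printf 'dn: cn=RSA,cn=encryption,cn=config\nchangetype: modify\n'
    printf 'replace: nsSSLPersonalitySSL\nnsSSLPersonalitySSL: %s\n' "$1"
}

# Import the bundle into one NSS database and verify the nickname is there
# before anything is restarted; a missing nickname aborts the script.
import_p12() {         # usage: import_p12 <nssdb-dir> <p12-file> <nickname>
    local db=$1 p12=$2 nick=$3
    pk12util -i "$p12" -d "$db" -k "$db/pwdfile.txt"   # asks for the P12 password
    certutil -L -d "$db" -n "$nick" >/dev/null          # fails if nickname absent
    certutil -M -d "$db" -n "$nick" -t "u,u,u"          # usable as SSL server cert
}

install_server_cert() { # usage: install_server_cert <REALM> <p12-file> <nickname>
    local realm=$1 p12=$2 nick=$3
    local inst=${realm//./-}                             # EXAMPLE.COM -> EXAMPLE-COM
    import_p12 "/etc/dirsrv/slapd-${inst}" "$p12" "$nick"
    ds_nickname_ldif "$nick" | ldapmodify -x -D "cn=Directory Manager" -W -H ldap://localhost
    systemctl restart "dirsrv@${inst}.service"
    import_p12 /etc/httpd/alias "$p12" "$nick"
    set_nss_nickname /etc/httpd/conf.d/nss.conf "$nick" >/dev/null
    systemctl restart httpd.service
}

# Entry point, e.g.: ./install-3rdparty-cert.sh EXAMPLE.COM /root/server.p12 Server-Cert
if [ $# -eq 3 ]; then
    install_server_cert "$1" "$2" "$3"
fi
```

Back up both NSS databases (the cert8.db/key3.db files) and nss.conf before running it on a production server, and check `certutil -L -d <nssdb>` afterwards to confirm the old IPA-issued Server-Cert is still present in case you need to revert.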