[Freeipa-users] Using 3rd party certificates for HTTP/LDAP
Peter Pakos
peter at pakos.pl
Fri Jan 15 15:16:53 UTC 2016
On 15/01/2016 15:04, Rob Crittenden wrote:
> Discussed in IRC last night but for the sake of history, he needed to
> add the CAs to the dogtag NSS database in
> /var/lib/pki/pki-tomcat/alias/ with a trust of C,,.

Yes, I added new root certificates to /etc/pki/pki-tomcat/alias and I
was able to start all services.

I've noticed that the ipa-certupdate command removes them and we're back to
square one. Why is it doing this? Which database is it retrieving
certificates from?

I've re-run ipa-certupdate in verbose mode and I could see that it
removes all certificates in different databases (/etc/httpd/alias,
/etc/pki/nssdb, /etc/pki/pki-tomcat/alias) and then re-adds them (apart
from /etc/pki/pki-tomcat/alias).

Also, what is the correct process for renewing a 3rd party certificate?
Will it be pushed automatically to all servers/clients? I don't want to
be in trouble when it comes to renewing it.

Thanks.

--
Kind regards,
Peter Pakos
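
Added example, not part of the original message: a shell check that reads the listing printed by `certutil -L -d <dbdir>` and reports required CA nicknames that are absent or lack the `C` flag in the SSL trust field, so the databases named above can be compared before and after running ipa-certupdate. The function names, the sample listing and the nicknames in it are constructed for illustration.

```shell
#!/bin/sh
# Real use (assumes certutil from nss-tools is installed):
#   certutil -L -d /etc/pki/pki-tomcat/alias | missing_ca_trust "<CA nickname>"

# Constructed sample of `certutil -L` output; nicknames are placeholders.
sample_listing() {
    cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                                      u,u,u
EXAMPLE.COM IPA CA                                           CT,C,C
Constructed Third Party Root                                 ,,
EOF
}

# Reads a certutil -L listing on stdin; each argument is a required nickname.
# Prints one line per nickname that is absent or has no "C" in the SSL field.
missing_ca_trust() {
    listing=$(cat)
    for want in "$@"; do
        printf '%s\n' "$listing" | awk -v want="$want" '
            # Data rows end in three comma-separated flag groups ("CT,C,C").
            $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
                nick = $0
                sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)  # drop the flags column
                sub(/^[ \t]+/, "", nick)               # nicknames may hold spaces
                if (nick == want) { found = 1; split($NF, f, ","); ssl = f[1] }
            }
            END {
                if (!found)          print "absent: " want
                else if (ssl !~ /C/) print "no C trust: " want
            }'
    done
}

# Demo on the constructed listing.
sample_listing | missing_ca_trust "EXAMPLE.COM IPA CA" \
    "Constructed Third Party Root" "Constructed Intermediate"
```
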