[Freeipa-users] ipa-certupdate not installing root certificates in /etc/pki/pki-tomcat/alias/

Peter Pakos peter at pakos.pl
Mon Jan 18 00:32:19 UTC 2016


Hi,

I have a FreeIPA 4.2 (CA-ful) install on CentOS 7.2 with 3rd party SSL 
certificates installed for HTTP/LDAP.

When I run "ipa-certupdate" I can see that the 3rd party root 
certificates are being removed from databases (/etc/httpd/alias, 
/etc/pki/nssdb, /etc/pki/pki-tomcat/alias) and then re-added (apart from 
/etc/pki/pki-tomcat/alias).

Without the 3rd party root certificates in /etc/pki/pki-tomcat/alias, 
the service pki-tomcatd is unable to start up.

This is the complete process I'm following to install 3rd party 
certificate (please let me know if I'm doing anything wrong):

### 3rd party SSL certificate install ##################################

# Gandi *.ipa.wandisco.com certificate chain
# AddTrust.pem -> USERTrustRSAAddTrustCA.pem -> GandiStandardSSLCA2.pem -> star.ipa.wandisco.com.crt

$ openssl verify -verbose -CAfile <(cat AddTrust.pem USERTrustRSAAddTrustCA.pem GandiStandardSSLCA2.pem) star.ipa.wandisco.com.crt
star.ipa.wandisco.com.crt: OK

# Bug in ipa-cacert-manage, comment out lines 349-352
$ vim /usr/lib/python2.7/site-packages/ipaserver/install/ipa_cacert_manage.py

$ ipa-cacert-manage install AddTrust.pem -n AddTrust -t C,C,C
$ ipa-cacert-manage install USERTrustRSAAddTrustCA.pem -n USERTrustRSAAddTrustCA -t C,C,C
$ ipa-cacert-manage install GandiStandardSSLCA2.pem -n GandiStandardSSLCA2 -t C,C,C

# Add root certificates to databases <- THIS IS WHERE THE ABOVE ROOT CERTIFICATES SHOULD BE INSTALLED IN /etc/pki/pki-tomcat/alias BUT THEY AREN'T
$ ipa-certupdate

# Create PKCS12 certificate file including private key and full chain
$ openssl pkcs12 -export -out star.ipa.wandisco.com.pfx -inkey star.ipa.wandisco.com.key -in star.ipa.wandisco.com.crt -certfile <(cat AddTrust.pem USERTrustRSAAddTrustCA.pem GandiStandardSSLCA2.pem) -name 'GandiWildcardIPA'

# Install PKCS12 certificate to LDAP and HTTP databases:
$ pk12util -d /etc/dirsrv/slapd-IPA-WANDISCO-COM/ -i star.ipa.wandisco.com.pfx
$ pk12util -d /etc/httpd/alias/ -i star.ipa.wandisco.com.pfx

# Stop IPA
$ ipactl stop

# Edit /etc/dirsrv/slapd-IPA-WANDISCO-COM/dse.ldif to point dirsrv to new certificate
# Replace:
nsSSLPersonalitySSL: Server-Cert
# with:
nsSSLPersonalitySSL: GandiWildcardIPA

# Edit /etc/httpd/conf.d/nss.conf to point httpd to new certificate
# Replace:
NSSNickname Server-Cert
# with:
NSSNickname GandiWildcardIPA

# Start IPA
$ ipactl start

#####################################################################

In order to fix this, I have to manually add root certificates to the 
database:

$ certutil -A -d /etc/pki/pki-tomcat/alias/ -n AddTrust -t C,C,C -a < AddTrust.pem
$ certutil -A -d /etc/pki/pki-tomcat/alias/ -n USERTrustRSAAddTrustCA -t C,C,C -a < USERTrustRSAAddTrustCA.pem
$ certutil -A -d /etc/pki/pki-tomcat/alias/ -n GandiStandardSSLCA2 -t C,C,C -a < GandiStandardSSLCA2.pem

Should this not be done automatically by ipa-certupdate?

Are the above steps correct for installing 3rd party certificates in 
FreeIPA 4.2? Should I change anything?

We are planning to move these nodes into production very soon, any help 
would be much appreciated!

-- 
Kind regards,
  Peter Pakos
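A check worth running after ipa-certupdate, added here as an example and not part of Peter's post or of FreeIPA itself: it parses `certutil -L` output for each NSS database FreeIPA maintains and reports which of the 3rd party CA nicknames are missing or carry trust flags other than the C,C,C the post installs them with, which is exactly how the pki-tomcat gap above would show up before pki-tomcatd fails to start. The database paths and nicknames are taken from the post; the sample listings are constructed to mirror the situation described (roots present in /etc/httpd/alias, absent from /etc/pki/pki-tomcat/alias). The `--live` mode that runs the real certutil is an assumption about the environment: it needs nss-tools and read access to the databases.

```python
"""Audit FreeIPA NSS databases for expected 3rd party CA nicknames.

Added example, not code from the original post or from FreeIPA.
"""
import subprocess
import sys

# Databases touched by ipa-certupdate in the post, plus the dirsrv one
# that pk12util was run against.
IPA_NSS_DBS = [
    "/etc/httpd/alias",
    "/etc/pki/nssdb",
    "/etc/pki/pki-tomcat/alias",
    "/etc/dirsrv/slapd-IPA-WANDISCO-COM",
]

# Nicknames and trust flags as installed with ipa-cacert-manage in the post.
EXPECTED_CAS = {
    "AddTrust": "C,C,C",
    "USERTrustRSAAddTrustCA": "C,C,C",
    "GandiStandardSSLCA2": "C,C,C",
}


def parse_certutil_listing(text):
    """Parse `certutil -L -d <db>` output into {nickname: trust}.

    Each certificate line ends in a trust triple such as C,C,C, u,u,u or
    ,, (present but untrusted); everything before it is the nickname, which
    may itself contain spaces ("caSigningCert cert-pki-ca"). The two header
    lines and blank lines are skipped.
    """
    certs = {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("Certificate Nickname"):
            continue
        parts = line.rsplit(None, 1)
        # The second header line has a single token and is dropped here.
        if len(parts) != 2 or parts[1].count(",") != 2:
            continue
        nickname, trust = parts
        certs[nickname.strip()] = trust
    return certs


def find_problems(listing, expected=EXPECTED_CAS):
    """Return {nickname: reason} for expected CAs missing or mis-trusted."""
    problems = {}
    for nick, want in expected.items():
        got = listing.get(nick)
        if got is None:
            problems[nick] = "missing"
        elif got != want:
            problems[nick] = "trust %s, expected %s" % (got, want)
    return problems


def audit_databases(listings, expected=EXPECTED_CAS):
    """listings maps dbdir -> certutil -L output. Returns {dbdir: problems}
    for databases with at least one missing or mis-trusted CA."""
    report = {}
    for dbdir, text in listings.items():
        problems = find_problems(parse_certutil_listing(text), expected)
        if problems:
            report[dbdir] = problems
    return report


def list_database(dbdir):
    """Run certutil -L against a real NSS database (assumes nss-tools)."""
    out = subprocess.run(["certutil", "-L", "-d", dbdir],
                         capture_output=True, text=True, check=True)
    return out.stdout


# Constructed sample listings mirroring the post: the roots were re-added to
# /etc/httpd/alias but are absent (or untrusted) in pki-tomcat's database.
SAMPLE_HEADER = (
    "Certificate Nickname                                         Trust Attributes\n"
    "                                                             SSL,S/MIME,JAR/XPI\n\n"
)
SAMPLE_LISTINGS = {
    "/etc/httpd/alias": SAMPLE_HEADER
    + "IPA.WANDISCO.COM IPA CA                                      CT,C,C\n"
    + "AddTrust                                                     C,C,C\n"
    + "USERTrustRSAAddTrustCA                                       C,C,C\n"
    + "GandiStandardSSLCA2                                          C,C,C\n"
    + "GandiWildcardIPA                                             u,u,u\n",
    "/etc/pki/pki-tomcat/alias": SAMPLE_HEADER
    + "caSigningCert cert-pki-ca                                    CTu,Cu,Cu\n"
    + "Server-Cert cert-pki-ca                                      u,u,u\n"
    + "AddTrust                                                     ,,\n",
}

if __name__ == "__main__":
    if "--live" in sys.argv:
        listings = {db: list_database(db) for db in IPA_NSS_DBS}
    else:
        listings = SAMPLE_LISTINGS
    for dbdir, problems in sorted(audit_databases(listings).items()):
        for nick, why in sorted(problems.items()):
            print("%s: %s: %s" % (dbdir, nick, why))
```

On the sample data this prints only the pki-tomcat database: AddTrust is present but carries no trust flags, and the other two nicknames are missing, which is the state that leaves pki-tomcatd unable to build its chain. A non-empty report after ipa-certupdate is the signal to add the roots with certutil -A before starting IPA, or to raise the bug.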
