[Freeipa-users] EXAMPLE.COM IPA CA Import /etc/httpd/alias

Günther J. Niederwimmer gjn at gjn.priv.at
Sun Jun 19 10:30:32 UTC 2016


Hello Rob,

On Wednesday, 1 June 2016, 09:54:58 CEST, Rob Crittenden wrote:
> Günther J. Niederwimmer wrote:
> > Hello,
> > 
> > On Tuesday, 31 May 2016, 11:06:09 CEST, Rob Crittenden wrote:
> >> Günther J. Niederwimmer wrote:
> >>> Hello
> >>> I found some help for the IPA certificate, but I found no way to import
> >>> the IPA CA?
> >>> I would like to create a webserver with an ownCloud virtualhost and others..
> >>> 
> >>> But for me it is not possible to create /etc/httpd/alias correctly?
> >>> 
> >>> I found this in IPA DOCS
> >>> 
> >>> certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt
> >>> 
> >>> but with this command line I get an error: /etc/ipa/ca.crt has the wrong
> >>> format?
> >>> 
> >>> Does anyone have a link with a working example?
> >> 
> >> Does the file /etc/ipa/ca.crt exist? It is installed there on enrolled
> >> clients so the documentation is written from that perspective.
> > 
> > Yes.
> > 
> >> You can grab a copy from any enrolled system, including an IPA Master.
> >> Otherwise the command looks ok assuming you were sitting in
> >> /etc/httpd/alias when the command was executed (-d .).
> > 
> > Yes ;-).
> > but certutil says it is the wrong format for the certificate
> 
> $ mkdir /tmp/testdb && cd /tmp/testdb
> $ certutil -N -d .
> $ certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt

On my system I get this message after installing ca.crt:

p11-kit: objects of this type cannot be created ?
Is this correct?

Another question: do I have to change the attribute (?), the IPA server creates /
imports this ca.crt with -t "CT,C,C"

> $ certutil -L -d .
> 
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
> 
> EXAMPLE.COM IPA CA                                           CT,,
> 
> I guess look at what is in /etc/ipa/ca.crt and ensure it is valid. You
> can use openssl for that:
> 
> $ openssl x509 -text -inform PEM -in /etc/ipa/ca.crt
> 
> > Something is wrong on my system !!
> > 
> > for me it is not possible to have a working webserver (Apache) with mod_nss
> > on an enrolled ipa-client
> > 
> > In the last tests Apache says it is the wrong "passwd" for the DB and
> > doesn't start?
> > 
> > So now I start again with a new clean /etc/httpd/alias
> 
> Not knowing how you created the database or what your nss.conf looks
> like, it's hard to say what is going on. If you set an NSS database
> password then you need to tell mod_nss about it.
> 
> Typically you'd set this in nss.conf:
> 
> NSSPassPhraseDialog "file:/etc/httpd/conf/password.conf"
> 
> and create /etc/httpd/conf/password.conf with contents like:
> 
> internal:SecretPassword123
> 
> Ensure that the file is owned by apache:apache and mode 0400.

This is the best INFO for this file ;-)

Thanks

-- 
with kind regards / best regards,

  Günther J. Niederwimmer
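As an added example (not code from the thread, from FreeIPA or from mod_nss), a small Python pre-check for the two things that went wrong above: whether the file handed to `certutil -A -a` really is PEM (a DER file pushed through `-a` is one way to get a "wrong format" complaint), and whether password.conf has the owner and 0400 mode Rob describes. The password and file name are the thread's own; the certificate bytes are a constructed stand-in, not a real certificate, and the checks are structural only (use `openssl x509 -text` as Rob suggests to inspect the real CA).

```python
import base64
import os
import pwd
import re
import stat
import tempfile

PEM_BLOCK = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def classify_cert(data: bytes) -> str:
    """Return 'PEM', 'DER' or 'unknown' for a CA file's raw bytes. certutil -A -a reads
    PEM only, so a DER file fed through -a is one way to get a 'wrong format' error."""
    m = PEM_BLOCK.search(data)
    if m:
        try:
            der = base64.b64decode(re.sub(rb"\s+", b"", m.group(1)), validate=True)
        except ValueError:  # binascii.Error is a ValueError: broken base64 body
            return "unknown"
        return "PEM" if der[:1] == b"\x30" else "unknown"
    return "DER" if data[:1] == b"\x30" else "unknown"  # 0x30 = ASN.1 SEQUENCE tag

def write_password_file(path: str, secret: str) -> None:
    """Create the 'internal:<password>' file NSSPassPhraseDialog points at, mode 0400."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o400)
    with os.fdopen(fd, "w") as f:
        f.write(f"internal:{secret}\n")

def password_file_ok(path: str, owner="apache") -> bool:
    """True if path is a regular file owned by `owner` (name or uid) with mode exactly 0400."""
    try:
        uid = owner if isinstance(owner, int) else pwd.getpwnam(owner).pw_uid
    except KeyError:  # the expected user does not exist on this host
        return False
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and st.st_uid == uid and stat.S_IMODE(st.st_mode) == 0o400

def demo(ca_bytes: bytes) -> dict:
    """Run both checks in a scratch directory as the current user (self-contained)."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "password.conf")
        write_password_file(p, "SecretPassword123")
        strict = password_file_ok(p, os.getuid())
        os.chmod(p, 0o644)  # a world-readable copy must be rejected
        return {"kind": classify_cert(ca_bytes), "strict": strict, "loose": password_file_ok(p, os.getuid())}

# Constructed sample: a fake DER prefix in PEM armour, not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + b"\x00" * 8
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER) + b"\n-----END CERTIFICATE-----\n"
```

On a real client run `classify_cert(open("/etc/ipa/ca.crt", "rb").read())` and `password_file_ok("/etc/httpd/conf/password.conf")` with the default owner "apache".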
