[Freeipa-users] EXAMPLE.COM IPA CA Import /etc/httpd/alias

Rob Crittenden rcritten at redhat.com
Tue Jun 21 17:41:24 UTC 2016


Günther J. Niederwimmer wrote:
> Hello Rob,
>
> On Wednesday, 1 June 2016, 09:54:58 CEST, Rob Crittenden wrote:
>> Günther J. Niederwimmer wrote:
>>> Hello,
>>>
>>> On Tuesday, 31 May 2016, 11:06:09 CEST, Rob Crittenden wrote:
>>>> Günther J. Niederwimmer wrote:
>>>>> Hello
>>>>> I found some help for the IPA certificate, but I found no way to import
>>>>> the IPA CA?
>>>>> I would like to create a webserver with an ownCloud virtualhost and others.
>>>>>
>>>>> But it is not possible for me to create /etc/httpd/alias correctly?
>>>>>
>>>>> I found this in the IPA docs:
>>>>>
>>>>> certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt
>>>>>
>>>>> but with this command line I get an error: /etc/ipa/ca.crt has the wrong
>>>>> format?
>>>>>
>>>>> Does anyone have a link with a working example?
>>>>
>>>> Does the file /etc/ipa/ca.crt exist? It is installed there on enrolled
>>>> clients so the documentation is written from that perspective.
>>>
>>> Yes.
>>>
>>>> You can grab a copy from any enrolled system, including an IPA Master.
>>>> Otherwise the command looks ok assuming you were sitting in
>>>> /etc/httpd/alias when the command was executed (-d .).
>>>
>>> Yes ;-).
>>> but certutil says the certificate is in the wrong format
>>
>> $ mkdir /tmp/testdb && cd /tmp/testdb
>> $ certutil -N -d .
>> $ certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt
>
> On my system I get this message after installing ca.crt:
>
> p11-kit: objects of this type cannot be created
> Is this correct?

I'm not sure.

> Another question: do I have to change the attributes (?); IPA server creates /
> imports this ca.crt with -t "CT,C,C"

It isn't super important. The order of those fields is SSL, S/MIME, 
code-signing. Chances are S/MIME will never be used and code-signing is 
used in some older releases but only once at install, so not having 
those set isn't a big deal.

If you want things to be consistent you can use:

certutil -M -d . -t CT,C,C -n 'EXAMPLE.COM IPA CA'

rob

>
>> $ certutil -L -d .
>>
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>>
>> EXAMPLE.COM IPA CA                                           CT,,
>>
>> I guess look at what is in /etc/ipa/ca.crt and ensure it is valid. You
>> can use openssl for that:
>>
>> $ openssl x509 -text -inform PEM -in /etc/ipa/ca.crt
>>
>>> Something is wrong on my system!!
>>>
>>> For me it is not possible to have a working webserver (Apache) with mod_nss
>>> on an enrolled ipa-client.
>>>
>>> In the last tests Apache says it is the wrong "passwd" for the DB and doesn't
>>> start?
>>>
>>> So now I start again with a new clean /etc/httpd/alias
>>
>> Not knowing how you created the database or what your nss.conf looks
>> like it's hard to say what is going on. If you set an NSS database
>> password then you need to tell mod_nss about it.
>>
>> Typically you'd set this in nss.conf:
>>
>> NSSPassPhraseDialog "file:/etc/httpd/conf/password.conf"
>>
>> and create /etc/httpd/conf/password.conf with contents like:
>>
>> internal:SecretPassword123
>>
>> Ensure that the file is owned by apache:apache and mode 0400.
>
> This is the best INFO for this file ;-)
>
> Thanks
>
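As an added example (not code from the thread or from the FreeIPA project), a small shell script that walks through the steps Rob describes: create the database, import /etc/ipa/ca.crt, raise the trust to CT,C,C as the IPA server does, and check the mod_nss password file. It assumes certutil and openssl are installed; the nickname and the password line are the ones used in the thread, and the SSL-field meanings in the comments are the standard NSS trust flag definitions.

```shell
#!/bin/sh
# Added example, not code from the thread: build the mod_nss database, import
# the IPA CA with the trust flags Rob describes, and verify the result.
# Assumes certutil (NSS tools) is installed and /etc/ipa/ca.crt is the PEM CA
# copied from an enrolled client; the password line is a constructed placeholder.

NICK='EXAMPLE.COM IPA CA'

# Print the trust string of nickname $1 from `certutil -L` output read on stdin.
# The three comma-separated fields are SSL, S/MIME, code-signing, in that order.
# Prints nothing when the nickname is not in the database.
trust_flags() {
    awk -v n="$1" '{
        t = $NF                           # the flags are the last field
        sub(/[ \t]+[^ \t]+[ \t]*$/, "")   # strip them; what remains is the nickname
        if ($0 == n) { print t; exit }
    }'
}

# The SSL field alone: "C" = trusted CA for server certs, "CT" also trusts it
# to issue client certs, "" = not trusted as a CA at all.
ssl_trust() { printf '%s\n' "$1" | cut -d, -f1; }

# mod_nss reads the DB password from the NSSPassPhraseDialog file; it must be
# readable only by its owner ($2 is "user:group", e.g. apache:apache).
check_password_file() {
    ls -ld "$1" 2>/dev/null | awk -v want="$2" '
        { if (substr($1, 1, 10) == "-r--------" && ($3 ":" $4) == want) ok = 1 }
        END { exit !ok }'
}

# Create the database in $1, import the CA $2 as CT,, (what the docs show),
# then raise it to CT,C,C to match what ipa-server-install uses.
import_ipa_ca() {
    db="$1"; ca="$2"
    openssl x509 -noout -inform PEM -in "$ca" &&          # fails on a non-PEM file
    mkdir -p "$db" && certutil -N -d "$db" &&              # prompts for the DB password
    certutil -A -d "$db" -n "$NICK" -t CT,, -a < "$ca" &&
    certutil -M -d "$db" -n "$NICK" -t CT,C,C &&
    certutil -L -d "$db" | trust_flags "$NICK"             # prints CT,C,C on success
}

# Usage on a client: import_ipa_ca /etc/httpd/alias /etc/ipa/ca.crt
#                    check_password_file /etc/httpd/conf/password.conf apache:apache
```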
