[Freeipa-users] EXAMPLE.COM IPA CA Import /etc/httpd/alias

Youenn PIOLET piolet.y at gmail.com
Wed Jun 22 15:24:11 UTC 2016


Hi Günther,

I wrote this wrapper last year, maybe this will help.

https://github.com/uZer/rootools/blob/master/pki/freeipa/gencerts.sh

If you use cnames:
==================================================================
$ ipa host-add cname.domain --force
$ ipa service-add service/fqdn
$ ipa service-add service/cname.domain --force
$ ipa service-add-host service/cname.domain --host fqdn

In nss.conf
==================================================================
#NSSPassPhraseDialog builtin
NSSPassPhraseDialog file:/etc/apache2/password.conf


In your virtual host:
==================================================================

NSSEngine on
NSSNickname certifnickname
NSSCertificateDatabase /path/to/db
NSSProtocol TLSv1.1,TLSv1.2

NSSVerifyClient none

# Update this with current recommended ciphersuites
NSSCipherSuite
+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
  ...

Hope this is still correct, feel free to push request ;)

Regards,


--
Youenn Piolet
piolet.y at gmail.com
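An added example, not part of Youenn's post or the rootools script, that reads a virtual-host fragment like the one above and reports which enabled NSSCipherSuite entries and which NSSProtocol values are legacy; the sample fragment and the WEAK_MARKERS list are the example's own assumptions.

```python
"""Audit a mod_nss virtual host's NSSProtocol and NSSCipherSuite directives."""

# Name fragments of suites that should no longer be enabled; an enabled ("+")
# suite containing any of them is reported by audit_vhost().
WEAK_MARKERS = ("rc4", "md5", "des", "null", "_40_", "_56_", "fortezza", "export")
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

# Constructed sample modelled on the virtual host in the post above
# (the real directive is one long line; it is only wrapped in the mail).
SAMPLE_VHOST = """NSSEngine on
NSSProtocol TLSv1.1,TLSv1.2
NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_null_md5,+rsa_aes_128_sha,+rsa_aes_256_sha
"""

def parse_cipher_suite(value):
    """Split an NSSCipherSuite value into (enabled, disabled) suite names."""
    enabled, disabled = [], []
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        if token[0] == "+":
            enabled.append(token[1:])
        elif token[0] == "-":
            disabled.append(token[1:])
        else:
            raise ValueError(f"suite without +/- prefix: {token!r}")
    return enabled, disabled

def parse_directives(text):
    # Collect 'Directive value' lines, skipping blanks and comments.
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            directives[key] = value.strip()
    return directives

def audit_vhost(text):
    """Return the enabled suites, the weak ones among them and legacy protocols."""
    directives = parse_directives(text)
    enabled, _disabled = parse_cipher_suite(directives.get("NSSCipherSuite", ""))
    protocols = [p.strip() for p in directives.get("NSSProtocol", "").split(",")]
    return {
        "enabled": enabled,
        "weak_enabled": [s for s in enabled if any(m in s for m in WEAK_MARKERS)],
        "legacy_protocols": [p for p in protocols if p in LEGACY_PROTOCOLS],
    }
```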


2016-06-21 19:41 GMT+02:00 Rob Crittenden <rcritten at redhat.com>:

> Günther J. Niederwimmer wrote:
>
>> Hello Rob,
>>
>> Am Mittwoch, 1. Juni 2016, 09:54:58 CEST schrieb Rob Crittenden:
>>
>>> Günther J. Niederwimmer wrote:
>>>
>>>> Hello,
>>>>
>>>> Am Dienstag, 31. Mai 2016, 11:06:09 CEST schrieb Rob Crittenden:
>>>>
>>>>> Günther J. Niederwimmer wrote:
>>>>>
>>>>>> Hello
>>>>>> I found some help for the IPA certificate, but I found no way to import
>>>>>> the IPA CA.
>>>>>> I would like to create a webserver with an ownCloud virtualhost and others.
>>>>>>
>>>>>> But it is not possible for me to create /etc/httpd/alias correctly.
>>>>>>
>>>>>> I found this in the IPA docs:
>>>>>>
>>>>>> certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt
>>>>>>
>>>>>> but with this command line I get an error: /etc/ipa/ca.crt has the wrong
>>>>>> format.
>>>>>>
>>>>>> Does anyone have a link to a working example?
>>>>>>
>>>>>
>>>>> Does the file /etc/ipa/ca.crt exist? It is installed there on enrolled
>>>>> clients so the documentation is written from that perspective.
>>>>>
>>>>
>>>> Yes.
>>>>
>>>>> You can grab a copy from any enrolled system, including an IPA Master.
>>>>> Otherwise the command looks ok assuming you were sitting in
>>>>> /etc/httpd/alias when the command was executed (-d .).
>>>>>
>>>>
>>>> Yes ;-).
>>>> but certutil says the certificate is in the wrong format
>>>>
>>>
>>> $ mkdir /tmp/testdb && cd /tmp/testdb
>>> $ certutil -N -d .
>>> $ certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt
>>>
>>
>> On my system I have this message after installing ca.crt:
>>
>> p11-kit: objects of this type cannot be created ?
>> Is this correct?
>>
>
> I'm not sure.
>
>> Another question, do I have to change the attribute (?), IPA-server creates /
>> IMPORTS this ca.crt with -t "CT,C,C"
>>
>
> It isn't super important. The order of those fields is SSL, S/MIME,
> code-signing. Chances are S/MIME will never be used and code-signing is
> used in some older releases but only once at install, so not having those
> set isn't a big deal.
>
> If you want things to be consistent you can use certutil -M -d . -t CT,C,C
> -n 'EXAMPLE.COM IPA CA'
>
> rob
>
>
>
>>> $ certutil -L -d .
>>>
>>> Certificate Nickname                                         Trust Attributes
>>>                                                              SSL,S/MIME,JAR/XPI
>>>
>>> EXAMPLE.COM IPA CA                                           CT,,
>>>
>>> I guess look at what is in /etc/ipa/ca.crt and ensure it is valid. You
>>> can use openssl for that:
>>>
>>> $ openssl x509 -text -inform PEM -in /etc/ipa/ca.crt
>>>
>>>> Something is wrong on my system !!
>>>>
>>>> For me it is not possible to have a working webserver (apache) with mod_nss
>>>> on an enrolled ipa-client.
>>>>
>>>> In the last tests apache says it is the wrong "passwd" for the DB and doesn't
>>>> start.
>>>>
>>>> So now I start again with a new clean /etc/httpd/alias
>>>>
>>>
>>> Not knowing how you created the database or what your nss.conf looks
>>> like it's hard to say what is going on. If you set a NSS database
>>> password then you need to tell mod_nss about it.
>>>
>>> Typically you'd set this in nss.conf:
>>>
>>> NSSPassPhraseDialog "file:/etc/httpd/conf/password.conf"
>>>
>>> and create /etc/httpd/conf/password.conf with contents like:
>>>
>>> internal:SecretPassword123
>>>
>>> Ensure that the file is owned by apache:apache and mode 0400.
>>>
>>
>> This is the best INFO for this file ;-)
>>
>> Thanks
>>
>>
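An added example, not from the thread, covering two points of Rob's replies: decoding the certutil -t string field by field (SSL, S/MIME, code-signing) and checking whether a ca.crt file is PEM, which certutil -A -a expects. The sample inputs are constructed, and the hint command reuses the nickname from the thread.

```python
"""Decode certutil trust attributes and tell a PEM CA file from a DER one."""

# The -t value has three comma-separated fields in the order Rob gives above:
# SSL, S/MIME, code-signing (certutil -L prints the header SSL,S/MIME,JAR/XPI).
USAGES = ("SSL", "S/MIME", "code-signing")
# Flag letters as documented by `certutil -H`.
FLAGS = {
    "p": "valid peer",
    "P": "trusted peer (implies p)",
    "c": "valid CA",
    "T": "trusted CA to issue client certs (implies c)",
    "C": "trusted CA to issue server certs (implies c)",
    "u": "user cert",
}

def parse_trust(trust):
    """Map a -t string such as 'CT,,' or 'CT,C,C' to {usage: [meanings]}."""
    fields = trust.split(",")
    if len(fields) != 3:
        raise ValueError(f"expected 3 comma-separated fields, got {trust!r}")
    decoded = {}
    for usage, field in zip(USAGES, fields):
        unknown = [ch for ch in field if ch not in FLAGS]
        if unknown:
            raise ValueError(f"unknown trust flag(s) {unknown} in {usage} field")
        decoded[usage] = [FLAGS[ch] for ch in field]
    return decoded

def cert_file_format(data):
    """Return 'pem', 'der' or 'unknown'; -a tells certutil to expect PEM (ASCII),
    so a DER file (SEQUENCE tag 0x30 plus a length byte) needs the option dropped."""
    if b"-----BEGIN CERTIFICATE-----" in data and b"-----END CERTIFICATE-----" in data:
        return "pem"
    if len(data) >= 2 and data[0] == 0x30 and (data[1] < 0x80 or 0x81 <= data[1] <= 0x84):
        return "der"
    return "unknown"

def certutil_import_hint(data):
    """Suggest the import command for the file, mirroring the one in the thread."""
    fmt = cert_file_format(data)
    if fmt == "pem":
        return "certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < ca.crt"
    if fmt == "der":
        return "certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, < ca.crt   # no -a"
    return "not a certificate; inspect it with: openssl x509 -text -in ca.crt"

# Constructed sample inputs (not real certificates).
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgI=\n-----END CERTIFICATE-----\n"
SAMPLE_DER = b"\x30\x82\x01\xb3\x30\x82\x01\x59\xa0\x03\x02\x01\x02"
```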