[Freeipa-users] Using 3rd party certificates for HTTP/LDAP (again)
Bjarne Blichfeldt
BJB at jndata.dk
Thu Jun 23 11:39:49 UTC 2016
Following this thread from January:
https://www.redhat.com/archives/freeipa-users/2016-January/msg00223.html
I am trying to accomplish the same, but seem to be stuck.
My environment is:
# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.2 (Maipo)
# ipa ping
-------------------------------------------
IPA server version 4.2.0. API version 2.156
-------------------------------------------
# rpm -qa | grep ipa-server
ipa-server-4.2.0-15.el7_2.15.x86_64
Like the OP, I have both a RootCA and a subCA. But I can't figure out how to install them. ipa-cacert-manage does not work, known bug.
I am testing by changing the server certificate for ldaps on an ipa replica and then running "ldapwhoami" and "ipa-replica-manage -v list" from the master ipa against the replica, but the replica server certificate is never accepted due to the missing root certificate.
The problem is how to install the root certificates.
I have tried:
Copy the root certificates to /etc/pki/ca-trust/source/anchors and run update-ca-trust - no go.
Installed the root CAs in all the nssdbs I could think of:
DIR="/etc/httpd/alias /etc/dirsrv/slapd-DNREST-DCBSYS-NET /etc/ipa/nssdb /etc/pki/nssdb"
for dir in $DIR ; do
certutil -d $dir -A -n ECBsubCA -i subCA-sha256.pem -t CT,T,T
certutil -d $dir -A -n ECBrootCA -i rootCA-sha256.pem -t CT,T,T
done
Also no go.
I am out of ideas now.
--
Regards,
Bjarne
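Added example (not from the post or from FreeIPA): an offline reproduction with openssl of the symptom described above. It builds a constructed root CA, sub CA and LDAPS server certificate, then verifies the server certificate against a trust bundle holding only the sub CA and against one holding root plus sub. The CA names reuse the post's nicknames; the hostname and file paths are hypothetical.

```shell
# Added example (not from the original post): why a server cert signed by a
# sub CA is rejected until the root CA is also trusted. Constructs a
# root -> sub -> LDAPS server chain with openssl and verifies the server cert
# against only the sub CA and against root + sub. Names are hypothetical.
WORK=${WORK:-$(mktemp -d)}
cat > "$WORK/x.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:ipa-replica.example.test
EOF
# newkey <name>: fresh RSA key in $WORK/<name>.key
newkey() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/$1.key" 2>/dev/null
}
# sign_cert <name> <issuer> <ext-section>: CSR for <name>, signed by <issuer>
sign_cert() {
    newkey "$1"
    openssl req -new -key "$WORK/$1.key" -subj "/CN=$1" \
        -config "$WORK/x.cnf" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 7 -sha256 -extfile "$WORK/x.cnf" -extensions "$3" \
        -out "$WORK/$1.pem" 2>/dev/null
}
gen_chain() {
    newkey ECBrootCA
    # self-signed root (the post's rootCA-sha256.pem)
    openssl req -x509 -new -key "$WORK/ECBrootCA.key" -subj "/CN=ECBrootCA" -days 7 \
        -config "$WORK/x.cnf" -extensions ca -out "$WORK/ECBrootCA.pem" 2>/dev/null
    sign_cert ECBsubCA ECBrootCA ca       # intermediate (the post's subCA-sha256.pem)
    sign_cert ldapserver ECBsubCA server  # the replica's LDAPS certificate
    cat "$WORK/ECBrootCA.pem" "$WORK/ECBsubCA.pem" > "$WORK/chain.pem"
}
# verify_against <bundle>: exit 0 when the server cert chains to a trusted root
verify_against() {
    openssl verify -CAfile "$1" "$WORK/ldapserver.pem" >/dev/null 2>&1
}
gen_chain
verify_against "$WORK/ECBsubCA.pem" || echo "sub CA only: rejected (no root in store)"
verify_against "$WORK/chain.pem" && echo "root + sub CA: accepted"
```

Against a live replica the equivalent check is `openssl s_client -connect <replica>:636 -CAfile chain.pem`, which reports the depth at which chain building fails.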