[Freeipa-users] Where should the CA Location
Florence Blanc-Renaud
frenaud at redhat.com
Thu Jun 30 15:25:31 UTC 2016
Hi,
it looks like the NSS db for slapd-ABX-com does not contain the full
cert chain. You can run certutil -L -d /etc/dirsv/slapd-ABX-com and
check if there is a certificate for your issuer, and if it has the C,,
flags at least.
For instance, in my setup I am using ca2/server certificate for slapd,
and this certificate was issued by ca2:
$ certutil -L -d /etc/dirsrv/slapd-xxx
Certificate Nickname Trust
Attributes
SSL,S/MIME,JAR/XPI
ca2/server u,u,u
ca2 C,,
Flo.
On 06/29/2016 12:26 PM, barrykfl at gmail.com wrote:
> It is 3.0 version cannot use those commands.
>
> 2016-06-25 2:06 GMT+08:00 Florence Blanc-Renaud <frenaud at redhat.com
> <mailto:frenaud at redhat.com>>:
>
> Hi
>
> Disclaimer: I'm new on this mailing list but willing to share
> experience :)
>
> Did you use "ipa-cacert-manage install -t C,," to install your
> external CA certificate? This command copies the certificate in
> cn=certificates,cn=ipa,cn=etc,dc=xxx
>
> After this, you can use ipa-certupdate which will put the CA cert in
> all the needed NSS databases and update the nickname where needed.
>
> Flo.
>
>
> On 06/23/2016 04:54 AM, barrykfl at gmail.com
> <mailto:barrykfl at gmail.com> wrote:
>
> Hi :
>
> I renew External CA cert below ...seem server-cert ok.
>
> But ca CERT FAIL..
> I ALREADY PASTE ON
> /etc/httpd/alias
> /etc/dirsrv/slapd-PKI-IPA
> /etc/dirsv/slapd-ABX-com
> /var/lib/pki-ca/alias 's CA conf
>
> any idea?
>
> ABX-COM...[23/Jun/2016:10:42:32 +0800] - SSL alert:
> CERT_VerifyCertificateNow: verify certificate failed for cert
> Server-Cert of family cn=RSA,cn=encryption,cn=config (Netscape
> Portable
> Runtime error -8179 - Peer's Certificate issuer is not recognized.)
>
>
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
>
More information about the Freeipa-users
mailing list