[Freeipa-users] OCSP and CRL in certs for java firefox plugin

Prasun Gera prasun.gera at gmail.com
Fri May 27 23:26:10 UTC 2016


I've identified the problem. The URIs seem to be incorrect. This looks like
some substitution gone wrong. Instead of using the actual ipa server's
address, it points to a generic placeholder type text (ipa-ca.domain.com).
Relevant part of the certificate:

            Authority Information Access:
                OCSP - URI:http://ipa-ca.domain.com/ca/ocsp

            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://ipa-ca.domain.com/ipa/crl/MasterCRL.bin


This is on RHEL 7.2, idm 4.2 btw

On Fri, May 27, 2016 at 7:22 PM, Prasun Gera <prasun.gera at gmail.com> wrote:

> It looks like that issue was fixed and the OCSP and CRL uris in the certs
> are now http. So I'm not sure why java is complaining.
>
> On Fri, May 27, 2016 at 7:03 PM, Prasun Gera <prasun.gera at gmail.com>
> wrote:
>
>> I've set up a couple of dell idrac cards' ssl certs signed by ipa CA.
>> I've also added the ipa CA to java's trusted CAs. However, when you try to
>> launch the idrac java console, it will still show an error that the site is
>> untrusted. Upon clicking on "more information", the message says that
>> although the cert is signed by the CA, it cannot verify the revocation
>> status. I found this page
>> http://www.freeipa.org/page/V3/Single_OCSP_and_CRL_in_certs , which
>> explains potential problems with this since the main ipa server itself is
>> also using an ssl cert signed by the ipa CA. So the client cannot verify
>> the revocation if it can't reach the CA. Is there any solution to this?
>> Anyone tried this with idrac cards?
>>
>
>
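The defect described in the post (AIA OCSP and CRL Distribution Point URIs left pointing at an unsubstituted template hostname) is easy to catch before a certificate is deployed. The script below is an added example, not code from the post or from the FreeIPA project: it parses the extension section of `openssl x509 -noout -text` output, pulls out the OCSP and CRL URIs, and flags any whose host is a known placeholder, is not one of the expected CA hosts, or uses a scheme other than plain http (RFC 5280 expects HTTP here; an https URI cannot be checked without first validating a certificate from the same CA, the circular dependency the FreeIPA page linked in the thread describes). The sample certificate text is constructed from the excerpt in the post; the placeholder list and the expected host `ipa-ca.example.test` are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the extensions quoted in the post, in the layout
# produced by `openssl x509 -noout -text`.
SAMPLE_CERT_TEXT = """\
            Authority Information Access:
                OCSP - URI:http://ipa-ca.domain.com/ca/ocsp

            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://ipa-ca.domain.com/ipa/crl/MasterCRL.bin
"""

# Hostnames that indicate a template value was never substituted.
# Constructed list; "ipa-ca.domain.com" is the value seen in the post.
PLACEHOLDER_HOSTS = {"ipa-ca.domain.com", "ipa-ca.example.com", "localhost"}


def extract_revocation_uris(cert_text):
    """Return {'ocsp': [...], 'crl': [...]} parsed from openssl -text output."""
    ocsp = re.findall(r"OCSP - URI:(\S+)", cert_text)
    crl = []
    in_cdp = False  # True while inside the CRL Distribution Points extension
    for line in cert_text.splitlines():
        if "CRL Distribution Points" in line:
            in_cdp = True
            continue
        if in_cdp and re.match(r"\s*X509v3 ", line):
            in_cdp = False  # the next extension has started
        if in_cdp:
            m = re.search(r"URI:(\S+)", line)
            if m:
                crl.append(m.group(1))
    return {"ocsp": ocsp, "crl": crl}


def check_revocation_uris(cert_text, expected_ca_hosts):
    """Return a list of findings; an empty list means the URIs look sane."""
    findings = []
    uris = extract_revocation_uris(cert_text)
    if not uris["ocsp"]:
        findings.append("no OCSP URI in Authority Information Access")
    if not uris["crl"]:
        findings.append("no CRL Distribution Point URI")
    expected = {h.lower() for h in expected_ca_hosts}
    for kind in ("ocsp", "crl"):
        for uri in uris[kind]:
            parts = urlparse(uri)
            host = (parts.hostname or "").lower()
            if host in PLACEHOLDER_HOSTS:
                findings.append(f"{kind} URI {uri}: placeholder hostname {host}")
            elif host not in expected:
                findings.append(f"{kind} URI {uri}: host {host} is not an expected CA host")
            if parts.scheme != "http":
                findings.append(f"{kind} URI {uri}: scheme {parts.scheme!r}, "
                                "clients need plain http to check revocation")
    return findings


if __name__ == "__main__":
    # Hypothetical real CA hostname used for the comparison.
    for finding in check_revocation_uris(SAMPLE_CERT_TEXT, {"ipa-ca.example.test"}):
        print("FINDING:", finding)
```

Feed it the output of `openssl x509 -in server.crt -noout -text` together with the hostname(s) your CA actually publishes OCSP and CRL on; a clean run returns no findings, while the certificate from the post yields one placeholder finding for the OCSP URI and one for the CRL URI.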