[Freeipa-users] OCSP and CRL in certs for java firefox plugin

Rob Crittenden rcritten at redhat.com
Sat May 28 02:19:05 UTC 2016


Prasun Gera wrote:
> I've identified the problem. The URIs seem to be incorrect. This looks
> like some substitution gone wrong. Instead of using the actual IPA
> server's address, it points to generic placeholder-type text
> (ipa-ca.domain.com). Relevant part of the certificate:

A generic name is used in case the server that issued the cert goes 
away. Create an entry in DNS for this generic name and things should 
work as expected.

rob

>
>             Authority Information Access:
>                 OCSP - URI:http://ipa-ca.domain.com/ca/ocsp
>
>             X509v3 Key Usage: critical
>                 Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
>             X509v3 Extended Key Usage:
>                 TLS Web Server Authentication, TLS Web Client Authentication
>             X509v3 CRL Distribution Points:
>
>                 Full Name:
>                   URI:http://ipa-ca.domain.com/ipa/crl/MasterCRL.bin
>
>
> This is on RHEL 7.2, IdM 4.2, btw.
>
> On Fri, May 27, 2016 at 7:22 PM, Prasun Gera <prasun.gera at gmail.com>
> wrote:
>
>     It looks like that issue was fixed and the OCSP and CRL URIs in the
>     certs are now HTTP. So I'm not sure why Java is complaining.
>
>     On Fri, May 27, 2016 at 7:03 PM, Prasun Gera <prasun.gera at gmail.com>
>     wrote:
>
>         I've set up a couple of Dell iDRAC cards' SSL certs signed by the
>         IPA CA. I've also added the IPA CA to Java's trusted CAs.
>         However, when you try to launch the iDRAC Java console, it will
>         still show an error that the site is untrusted. Upon clicking on
>         "more information", the message says that although the cert is
>         signed by the CA, it cannot verify the revocation status. I
>         found this page,
>         http://www.freeipa.org/page/V3/Single_OCSP_and_CRL_in_certs ,
>         which explains potential problems with this since the main IPA
>         server itself is also using an SSL cert signed by the IPA CA. So
>         the client cannot verify the revocation if it can't reach the
>         CA. Is there any solution to this? Has anyone tried this with
>         iDRAC cards?
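
Rob's answer above comes down to one check: the hostname carried in the certificate's OCSP and CRL URIs (ipa-ca.domain.com in this thread) must resolve in DNS on every client that validates the cert, otherwise Java treats revocation status as unverifiable. The script below is an added example, not code from the FreeIPA project or from anyone in this thread. It takes the `openssl x509 -noout -text` dump of a certificate (the constructed sample is the extension text quoted in the thread), collects the hostnames from the Authority Information Access OCSP entries and the CRL Distribution Points, and resolves each one. The `resolve` parameter and the function names are this example's own; the default resolver is the system one, which is what a Java or browser client would use.

```python
"""Check that the hosts named in a certificate's OCSP and CRL URIs resolve.

Added example, not FreeIPA project code. Input is the text dump produced by
`openssl x509 -noout -text`; the sample below is constructed from the
extension text quoted in the thread.
"""
import re
import socket
import sys
from urllib.parse import urlparse

# Constructed sample: the AIA, Key Usage, EKU and CRL DP extensions as quoted.
SAMPLE_CERT_TEXT = """\
            Authority Information Access:
                OCSP - URI:http://ipa-ca.domain.com/ca/ocsp

            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://ipa-ca.domain.com/ipa/crl/MasterCRL.bin
"""

URI_RE = re.compile(r"URI:(\S+)")


def revocation_uris(cert_text):
    """Return (ocsp_uris, crl_uris) listed in an openssl text dump.

    The dump is line oriented: an extension header is followed by indented
    value lines, so we track which header we are under and pick up URI:
    values only inside the AIA (OCSP entries) and CRL DP sections.
    """
    ocsp, crl = [], []
    section = None
    for raw in cert_text.splitlines():
        line = raw.strip()
        if line.startswith("Authority Information Access"):
            section = "aia"
        elif line.startswith("X509v3 CRL Distribution Points"):
            section = "crldp"
        elif line.startswith("X509v3 ") or line.startswith("Signature Algorithm"):
            section = None  # any other extension ends the current one
        match = URI_RE.search(line)
        if not match:
            continue
        if section == "aia" and line.startswith("OCSP"):
            ocsp.append(match.group(1))
        elif section == "crldp":
            crl.append(match.group(1))
    return ocsp, crl


def hosts_to_check(cert_text):
    """Distinct hostnames a client must resolve to fetch revocation data."""
    ocsp, crl = revocation_uris(cert_text)
    hosts = []
    for uri in ocsp + crl:
        host = urlparse(uri).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def check_dns(cert_text, resolve=socket.gethostbyname):
    """Map each revocation host to its address, or None if it does not resolve.

    `resolve` is injectable (this example's own parameter) so the logic can
    run without network access; the default asks the system resolver, which
    is what a Java or browser client on the same network would consult.
    """
    result = {}
    for host in hosts_to_check(cert_text):
        try:
            result[host] = resolve(host)
        except OSError:  # socket.gaierror is a subclass of OSError
            result[host] = None
    return result


if __name__ == "__main__":
    # Usage: openssl x509 -in cert.pem -noout -text | python3 check_revocation_dns.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CERT_TEXT
    status = check_dns(text)
    for host, addr in status.items():
        print(f"{host}: {addr if addr else 'NOT RESOLVABLE - add a DNS record'}")
    sys.exit(0 if all(status.values()) else 1)
```

Run it on the iDRAC's certificate from the machine where the Java console fails: `openssl x509 -in idrac.pem -noout -text | python3 check_revocation_dns.py`. A host reported as not resolvable is the one Rob's advice refers to; it needs an A (or AAAA) record pointing at the CA-capable IPA server(s), which in IPA-managed DNS is added with `ipa dnsrecord-add ZONE ipa-ca --a-rec=ADDRESS`.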