[Freeipa-users] OCSP and CRL in certs for java firefox plugin
Rob Crittenden
rcritten at redhat.com
Sat May 28 02:19:05 UTC 2016
Prasun Gera wrote:
> I've identified the problem. The uris seem to be incorrect. This looks
> like some substitution gone wrong. Instead of using the actual ipa
> server's address, it points to a generic placeholder type text
> (ipa-ca.domain.com). Relevant part of the
> certificate:
A generic name is used in case the server that issued the cert goes
away. Create an entry in DNS for this generic name and things should
work as expected.
rob
>
> Authority Information Access:
> OCSP - URI:http://ipa-ca.domain.com/ca/ocsp
>
> X509v3 Key Usage: critical
> Digital Signature, Non Repudiation, Key Encipherment,
> Data Encipherment
> X509v3 Extended Key Usage:
> TLS Web Server Authentication, TLS Web Client
> Authentication
> X509v3 CRL Distribution Points:
>
> Full Name:
> URI:http://ipa-ca.domain.com/ipa/crl/MasterCRL.bin
>
>
> This is on RHEL 7.2, idm 4.2 btw
>
> On Fri, May 27, 2016 at 7:22 PM, Prasun Gera <prasun.gera at gmail.com> wrote:
>
> It looks like that issue was fixed and the OCSP and CRL URIs in the
> certs are now http. So I'm not sure why Java is complaining.
>
> On Fri, May 27, 2016 at 7:03 PM, Prasun Gera <prasun.gera at gmail.com> wrote:
>
> I've set up a couple of Dell iDRAC cards' SSL certs signed by the
> ipa CA. I've also added the ipa CA to Java's trusted CAs.
> However, when you try to launch the iDRAC Java console, it will
> still show an error that the site is untrusted. Upon clicking on
> "more information", the message says that although the cert is
> signed by the CA, it cannot verify the revocation status. I
> found this page
> http://www.freeipa.org/page/V3/Single_OCSP_and_CRL_in_certs ,
> which explains potential problems with this since the main ipa
> server itself is also using an SSL cert signed by the ipa CA. So
> the client cannot verify the revocation if it can't reach the
> CA. Is there any solution to this? Anyone tried this with iDRAC
> cards?
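To turn Rob's diagnosis into something a client admin can run, here is an added Python example (not part of this thread, and not FreeIPA's own code). It takes the text dump produced by `openssl x509 -in cert.pem -noout -text`, pulls out the AIA OCSP URI and the CRL Distribution Point URIs in the form shown above, checks that each uses plain http, and reports host names that do not resolve, which is exactly the missing `ipa-ca.<domain>` record in this thread. The certificate excerpt and the domain `example.test` are constructed, and `make_resolver` is a stand-in for DNS so the script runs offline; the `/ca/ocsp` and `/ipa/crl/MasterCRL.bin` paths are the ones shown in the quoted certificate.

```python
"""Check the revocation endpoints (AIA OCSP URI and CRL Distribution Point)
embedded in an IPA-issued certificate, from the client's point of view.

Added example for this thread; not FreeIPA code and not the poster's code.
Assumes the certificate was dumped with `openssl x509 -in cert.pem -noout -text`.
"""
import re
import socket
import sys
from typing import Callable, Dict, List
from urllib.parse import urlsplit

# Constructed excerpt of an `openssl x509 -text` dump, in the shape shown in
# the thread. The domain example.test is made up; the /ca/ocsp and
# /ipa/crl/MasterCRL.bin paths are the ones IPA puts in its certificates.
SAMPLE_CERT_TEXT = """\
            X509v3 Subject Alternative Name:
                DNS:idrac1.example.test
            Authority Information Access:
                OCSP - URI:http://ipa-ca.example.test/ca/ocsp

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://ipa-ca.example.test/ipa/crl/MasterCRL.bin
"""

OCSP_RE = re.compile(r"OCSP - URI:(\S+)")
URI_RE = re.compile(r"URI:(\S+)")


def extract_revocation_uris(cert_text: str) -> Dict[str, List[str]]:
    """Return {'ocsp': [...], 'crl': [...]} parsed from openssl's text dump."""
    ocsp = OCSP_RE.findall(cert_text)
    crl: List[str] = []
    lines = cert_text.splitlines()
    for i, line in enumerate(lines):
        if line.strip() != "X509v3 CRL Distribution Points:":
            continue
        indent = len(line) - len(line.lstrip())
        # The extension body is everything indented deeper than its header.
        for sub in lines[i + 1:]:
            if sub.strip() and len(sub) - len(sub.lstrip()) <= indent:
                break
            m = URI_RE.search(sub)
            if m:
                crl.append(m.group(1))
    return {"ocsp": ocsp, "crl": crl}


def make_resolver(table: Dict[str, str]) -> Callable[[str], str]:
    """Stand-in for DNS so the example runs offline: resolves only names in
    `table` and fails like socket.gethostbyname otherwise."""
    def resolve(host: str) -> str:
        if host in table:
            return table[host]
        raise socket.gaierror(f"constructed resolver: no record for {host}")
    return resolve


def check_endpoints(uris: Dict[str, List[str]],
                    resolver: Callable[[str], str] = socket.gethostbyname) -> List[str]:
    """Return a list of findings; an empty list means every revocation
    endpoint has a plain-http URI whose host name resolves."""
    findings: List[str] = []
    for kind, uri_list in uris.items():
        label = kind.upper()
        if not uri_list:
            findings.append(f"{label}: no URI in certificate")
        for uri in uri_list:
            parts = urlsplit(uri)
            # Revocation endpoints are fetched over plain http: an https
            # endpoint would need its own revocation check first.
            if parts.scheme != "http":
                findings.append(f"{label} {uri}: scheme is {parts.scheme!r}, expected http")
            try:
                resolver(parts.hostname or "")
            except OSError:
                findings.append(
                    f"{label} {uri}: {parts.hostname} does not resolve; "
                    "create a DNS record for this name")
    return findings


if __name__ == "__main__":
    # Usage: python3 check_revocation_uris.py [openssl-text-dump]
    # Without an argument the constructed sample and resolver are used.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            found = extract_revocation_uris(fh.read())
        findings = check_endpoints(found)  # real system DNS
    else:
        found = extract_revocation_uris(SAMPLE_CERT_TEXT)
        # Before the fix: only the IPA server itself is in DNS.
        findings = check_endpoints(found, make_resolver({"ipa.example.test": "192.0.2.10"}))
    print(found)
    for finding in findings:
        print("FINDING:", finding)
```

A "does not resolve" finding for `ipa-ca.<domain>` is the situation in this thread: the certificate is fine, and the fix is on the DNS side, by giving that generic name a record that points at a CA-bearing IPA server (in an IPA-managed zone that is a `ipa dnsrecord-add` call; which server to point it at is an environment decision, not something the script can infer).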