[Freeipa-users] ipa-server-install & certificates

Tomas Krizek tkrizek at redhat.com
Tue Nov 15 14:57:59 UTC 2016


On 11/15/2016 01:47 PM, Leo Baltus wrote:
> Hi,
>
> (first time user, first post on this ML)
>
> I am setting up ipa-server on a fresh CentOS-7 system.
>
> After running:
>
> /usr/sbin/ipa-server-install -U --realm XXXYYYYY.NL --domain xxxyyyyy.nl \
>     --admin-password foobarxy --ds-password foobarxy \
>     --idstart 5000 \
>     --no-ntp
>
> Connecting my Chrome browser to this machine results in a 'Your
> connection is not private' error page. And no option to go the
> insecure way.
>
> Now I have my own CA, created a certificate keypair with it and I would
> like to import this keypair together with my CA to add trust.
>
> Following http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>
> ipa-cacert-manage -p foobarxy -n NICKNAME -t C,, install myca.crt
> ipa-certupdate
> ipa-server-certinstall -w -d mysite.key mysite.crt
>
> after running ipa-certupdate again I get:
>
> trying https://lab-k1.xxxyyyyy.nl/ipa/json
> Forwarding 'ca_is_enabled' to json server 'https://lab-k1.xxxyyyyy.nl/ipa/json'
> cert validation failed for "CN=Object Signing Cert,O=XXXYYYYY.NL" ((SEC_ERROR_INADEQUATE_KEY_USAGE) Certificate key usage inadequate for attempted operation.)
>
> On other attempts I get a timeout on ipa-certupdate:
> Resubmitting certmonger request '20161115122715' timed out, please check the request manually
>
> Any idea what is going on? Am I using the right docs?
>
> versions:
> ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64
> krb5-libs-1.13.2-12.el7_2.x86_64
> krb5-pkinit-1.13.2-12.el7_2.x86_64
> krb5-server-1.13.2-12.el7_2.x86_64
> krb5-workstation-1.13.2-12.el7_2.x86_64
> libsss_nss_idmap-1.13.0-40.el7_2.12.x86_64
> mod_nss-1.0.11-6.el7.x86_64
> nss-3.21.0-9.el7_2.x86_64
> nss-softokn-3.16.2.3-14.2.el7_2.x86_64
> nss-softokn-freebl-3.16.2.3-14.2.el7_2.x86_64
> nss-sysinit-3.21.0-9.el7_2.x86_64
> nss-tools-3.21.0-9.el7_2.x86_64
> nss-util-3.21.0-2.2.el7_2.x86_64
> nss_compat_ossl-0.9.6-8.el7.x86_64
> openssl-1.0.1e-51.el7_2.7.x86_64
> openssl-libs-1.0.1e-51.el7_2.7.x86_64
> pam_krb5-2.4.8-4.el7.x86_64
> pki-base-10.2.5-10.el7_2.noarch
> pki-ca-10.2.5-10.el7_2.noarch
> pki-kra-10.2.5-10.el7_2.noarch
> pki-server-10.2.5-10.el7_2.noarch
> pki-tools-10.2.5-10.el7_2.x86_64
> python-nss-0.16.0-3.el7.x86_64
> sssd-krb5-1.13.0-40.el7_2.12.x86_64
> sssd-krb5-common-1.13.0-40.el7_2.12.x86_64
>
Hi,

Can you check whether your certificate can be used for an SSL server? You can
use the following command:

openssl x509 -purpose -in mysite.crt

-- 
Tomas Krizek
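The purpose check Tomas suggests, as an added example that is not part of the thread: the script below generates two throwaway self-signed certificates with the openssl CLI, one carrying extendedKeyUsage serverAuth and one restricted to codeSigning, and runs `openssl x509 -purpose` on each to show that only the first is reported usable as an "SSL server". The hostnames under example.test, the temp directory and the helper names `make_cert` and `server_ok` are assumptions made for this example; the same `server_ok` check applied to the real mysite.crt is what answers Tomas's question.

```shell
#!/bin/sh
# Added example (not from the thread): show what `openssl x509 -purpose`
# reports for a certificate that may be used by a TLS server versus one
# whose extendedKeyUsage excludes serverAuth. Requires the openssl CLI.
set -e

WORKDIR=$(mktemp -d)                 # throwaway keys and certs live here
trap 'rm -rf "$WORKDIR"' EXIT

# make_cert NAME EKU
#   Writes a one-day self-signed certificate $WORKDIR/NAME.crt whose
#   extendedKeyUsage is EKU (e.g. serverAuth or codeSigning). A config file
#   is used instead of `-addext` so this works on OpenSSL 1.0.x as well.
make_cert() {
    name="$1"; eku="$2"
    cat > "$WORKDIR/$name.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = ext
prompt             = no
[dn]
CN = $name.example.test
[ext]
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = $eku
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$WORKDIR/$name.cnf" \
        -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.crt" 2>/dev/null
}

# server_ok CERT
#   Exit 0 if OpenSSL's purpose check says the cert can be an SSL server
#   (the line "SSL server : Yes" in `openssl x509 -purpose` output), else 1.
#   Run this against mysite.crt to answer the question in the thread.
server_ok() {
    openssl x509 -purpose -noout -in "$1" | grep -q '^SSL server : Yes'
}

make_cert good serverAuth            # usable for a TLS/HTTPS server
make_cert bad  codeSigning           # EKU excludes serverAuth

# Print the relevant purpose line for both certificates.
for c in good bad; do
    printf '%s.crt -> ' "$c"
    openssl x509 -purpose -noout -in "$WORKDIR/$c.crt" | grep '^SSL server'
done
```

On the real certificate, a "No" on the "SSL server" line means the extendedKeyUsage (or keyUsage) the issuing CA put in the certificate excludes TLS server use, and the certificate must be reissued with serverAuth before Apache or the IPA framework will accept it.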
