[Freeipa-users] ipa-server-install & certificates

Leo Baltus Leo.Baltus at npo.nl
Tue Nov 15 15:39:29 UTC 2016 

Op 15/11/2016 om 15:57:59 +0100, schreef Tomas Krizek:
> On 11/15/2016 01:47 PM, Leo Baltus wrote:
> > Hi,
> > 
> > (first time user, firts post on this ML)
> > 
> > I am setting up ipa-server on a fresh CentOS-7 system.
> > 
> > After running:
> > 
> > /usr/sbin/ipa-server-install -U --realm XXXYYYYY.NL --domain xxxyyyyy.nl \
> >     --admin-password foobarxy --ds-password foobarxy \
> >     --idstart 5000 \
> >     --no-ntp
> > 
> > Connecting my Chrome browser to this machine results in a 'Your
> > connection is not private' errorpage. And no option to go the
> > insecure way.
> > 
> > Now I have my own CA, created a certifcate keypair with it and I would
> > like to import this keypair together with my CA to add trust.
> > 
> > Following http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
> > 
> > ipa-cacert-manage -p foobarxy -n NICKNAME -t C,, install myca.crt
> > ipa-certupdate
> > ipa-server-certinstall -w -d mysite.key mysite.crt
> > 
> > after running ipa-certupdate again I get:
> > 
> > trying https://lab-k1.xxxyyyyy.nl/ipa/json
> > Forwarding 'ca_is_enabled' to json server 'https://lab-k1.xxxyyyyy.nl/ipa/json'
> > cert validation failed for "CN=Object Signing Cert,O=XXXYYYYY.NL" ((SEC_ERROR_INADEQUATE_KEY_USAGE) Certificate key usage inadequate for attempted operation.)
> > 
> > On other attempts I get a timeout on ipa-certupdate:
> > Resubmitting certmonger request '20161115122715' timed out, please check the request manually
> > 
> > Any idea what is going on? Am I using the right docs?
> > 
> > versions:
> > ipa-server-4.2.0-15.0.1.el7.centos.19.x86_64
> > krb5-libs-1.13.2-12.el7_2.x86_64
> > krb5-pkinit-1.13.2-12.el7_2.x86_64
> > krb5-server-1.13.2-12.el7_2.x86_64
> > krb5-workstation-1.13.2-12.el7_2.x86_64
> > libsss_nss_idmap-1.13.0-40.el7_2.12.x86_64
> > mod_nss-1.0.11-6.el7.x86_64
> > nss-3.21.0-9.el7_2.x86_64
> > nss-softokn-3.16.2.3-14.2.el7_2.x86_64
> > nss-softokn-freebl-3.16.2.3-14.2.el7_2.x86_64
> > nss-sysinit-3.21.0-9.el7_2.x86_64
> > nss-tools-3.21.0-9.el7_2.x86_64
> > nss-util-3.21.0-2.2.el7_2.x86_64
> > nss_compat_ossl-0.9.6-8.el7.x86_64
> > openssl-1.0.1e-51.el7_2.7.x86_64
> > openssl-libs-1.0.1e-51.el7_2.7.x86_64
> > pam_krb5-2.4.8-4.el7.x86_64
> > pki-base-10.2.5-10.el7_2.noarch
> > pki-ca-10.2.5-10.el7_2.noarch
> > pki-kra-10.2.5-10.el7_2.noarch
> > pki-server-10.2.5-10.el7_2.noarch
> > pki-tools-10.2.5-10.el7_2.x86_64
> > python-nss-0.16.0-3.el7.x86_64
> > sssd-krb5-1.13.0-40.el7_2.12.x86_64
> > sssd-krb5-common-1.13.0-40.el7_2.12.x86_64
> > 
> Hi,
> 
> can you check if your certificate can be used for an SSL server? You can use
> the following command
> 
> openssl x509 -purpose -in mysite.crt
> 

Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No


-- 
Leo Baltus, internetbeheerder
NPO ICT Internet Services
Bart de Graaffweg 2, 1217 ZL Hilversum
servicedesk at omroep.nl, 035-6773555

More information about the Freeipa-users mailing list