[Freeipa-users] Install IPA Servers with third-party certificate(external CA)

beeth beeth beeth2006 at gmail.com
Thu Sep 29 09:29:48 UTC 2016


Also, I once followed the instructions about "Using 3rd part certificates
for HTTP/LDAP" at
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP,
for my environment: IPA 4.2 on RHEL7

# ipa-cacert-manage -p DM_PASSWORD -n NICKNAME -t C,, install ca.crt
# ipa-certupdate
# ipa-server-certinstall -w -d mysite.key mysite.crt
# systemctl restart httpd.service
# systemctl restart dirsrv@MY-REALM.service

It failed at the step to restart httpd.service.

Thanks!


On Thu, Sep 29, 2016 at 5:03 AM, beeth beeth <beeth2006 at gmail.com> wrote:

> I am trying to set up IPA servers with a Verisign certificate, so that the
> Admin Web console can use a publicly signed certificate to meet the company's
> security requirement. But when I try to follow Red Hat's instructions at
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-external-ca,
> 2.3.5. Installing a Server with an External CA as the Root CA,
> at the first step it says to generate the CSR by adding the --external-ca
> option to the ipa-server-install utility, which does generate a CSR at
> /root/ipa.csr. However, the ipa-server-install command in fact doesn't ask
> for a Distinguished Name (DN) or the organization info (like country, state,
> etc.), which are required in the CSR. Without a valid CSR file, I can't
> request new Verisign certs. Did I miss something?
>
> Originally I once tried to change the default certificate for Apache (the
> Web Admin console) ONLY to the Verisign one, by adding the certificates to
> the /etc/httpd/alias database with the command:
>   # ipa-server-certinstall -w --http_pin=test verisign.pk12
> and updated nss.conf for httpd, so that the new Nickname is used to
> point to the Verisign certs. That worked well for the website. However, the
> IPA client installation with "ipa-client-install" failed after that:
>
> ERROR Joining realm failed: libcurl failed to execute the HTTP POST
> transaction, explaining:  Peer's certificate issuer has been marked as not
> trusted by the user.
>
> Even when I also tried to update the certificate for the Directory
> service (ipa-server-certinstall -d ... ), the client installation still
> failed. I believe the new Verisign cert messed up the communication of the
> IPA components. Then I considered installing the IPA server from scratch
> with the Verisign cert, but then I hit the CSR problem described above.
>
> Please advise. Thanks!
>
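Two pre-flight checks for the third-party certificate workflow discussed in this thread, as an added example that is not part of the original post or of the FreeIPA project: inspect what Subject a CSR actually carries before sending it to the external CA, and confirm that a signed server certificate chains to the CA file that will be installed with ipa-cacert-manage, which is the condition behind the "issuer has been marked as not trusted" failure. It assumes only that openssl is installed; all file names and DNs below are constructed throwaway values, not real certificates.

```shell
#!/bin/sh
# Added example, not from the list post. Assumes openssl is on PATH.
set -eu

# Show the Subject of a CSR (e.g. /root/ipa.csr from ipa-server-install
# --external-ca) so you can see whether a DN is present before submission.
csr_subject() {
    openssl req -in "$1" -noout -subject
}

# Return 0 only if the server certificate ($2) verifies against the CA
# file ($1). Run this against the CA you intend to install with
# ipa-cacert-manage before running ipa-server-certinstall -w/-d.
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# --- constructed demo material: throwaway keys and certs, valid 1 day ---
demo_dir=$(mktemp -d)

# A throwaway CA standing in for the external (public) CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/C=US/O=Example Corp/CN=Example Root CA" \
    -keyout "$demo_dir/ca.key" -out "$demo_dir/ca.crt" 2>/dev/null

# A CSR with an explicit DN, as a public CA would require.
openssl req -new -newkey rsa:2048 -nodes \
    -subj "/C=US/ST=NY/O=Example Corp/CN=ipa.example.test" \
    -keyout "$demo_dir/mysite.key" -out "$demo_dir/mysite.csr" 2>/dev/null

# Sign the CSR with the throwaway CA to get the server certificate.
openssl x509 -req -in "$demo_dir/mysite.csr" -CA "$demo_dir/ca.crt" \
    -CAkey "$demo_dir/ca.key" -CAcreateserial -days 1 \
    -out "$demo_dir/mysite.crt" 2>/dev/null

# An unrelated CA that did NOT sign mysite.crt: the failure case.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Unrelated CA" -keyout "$demo_dir/other.key" \
    -out "$demo_dir/other.crt" 2>/dev/null

csr_subject "$demo_dir/mysite.csr"
if cert_chains_to_ca "$demo_dir/ca.crt" "$demo_dir/mysite.crt"; then
    echo "mysite.crt chains to ca.crt: safe to install that CA first"
fi
if ! cert_chains_to_ca "$demo_dir/other.crt" "$demo_dir/mysite.crt"; then
    echo "mysite.crt does NOT chain to other.crt: clients would reject it"
fi
```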

