[Freeipa-users] Cannot install 3rd party certificate

Rob Crittenden rcritten at redhat.com
Mon Feb 20 14:20:29 UTC 2017


Matt . wrote:
> Hi,
> 
> The install seems to be OK this way, but I'm still confused about the
> duplicated and the RootCA.

What does this show?

# certutil -L -d /etc/httpd/alias -n COMODORSAAddTrustCA

I'm guessing it will show two certs with different serial numbers, which
means this is a-ok.

rob

> 
> 2017-02-18 14:47 GMT+01:00 Matt . <yamakasi.014 at gmail.com>:
>> Hi Florance,
>>
>>
>> I'm actually still investigating this as the following occurs.
>>
>> I have removed all unneeded certs and installed the 2 intermediates
>> for Comodo and did an ipa-certupdate which results in this:
>>
>> #certutil -L -d /etc/httpd/alias
>>
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>>
>> CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB C,,
>> AddTrustExternalCARoot                                       C,,
>> ipaCert                                                      u,u,u
>> COMODORSAAddTrustCA                                          C,,
>> COMODORSAAddTrustCA                                          C,,
>> IPA.MYDOMAIN.TLD IPA CA                         CT,C,C
>>
>>
>> I'm curious why the COMODORSAAddTrustCA is there twice, if I remove
>> both and start over they are duplicated again. Also the
>> AddTrustExternalCARoot comes back again even when this was not
>> installed anymore as it's not needed.
>>
>> I'm able to install my cert after the update:
>>
>>
>> #certutil -L -d /etc/httpd/alias
>>
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>>
>> CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB C,,
>> AddTrustExternalCARoot                                       C,,
>> ipaCert                                                      u,u,u
>> COMODORSAAddTrustCA                                          C,,
>> COMODORSAAddTrustCA                                          C,,
>> IPA.MYDOMAIN.TLD IPA CA                         CT,C,C
>> CN=*.ipa.mydomain.tld,OU=PositiveSSL Wildcard,OU=Domain Control Validated u,u,u
>>
>>
>>
>> Now this works great for the WebGui which uses the right Certificate
>> for the ssl connection but ldaps on port 636 seems to use:
>>
>> CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
>>
>>
>> Do you have any clue about this ?
>>
>> I'm also curious about what IPA syncs between all hosts, it seems to
>> be only the intermediate certs and not the installed domain
>> certificate. Does this need to be installed manually after a local
>> #ipa-certupdate on each node?
>>
>> I hope you can clarify this.
>>
>>
>> Thanks,
>>
>> Matt
>>
>>
>> 2017-02-17 0:15 GMT+01:00 Matt . <yamakasi.014 at gmail.com>:
>>> Hi Flo,
>>>
>>> Sure I can, I will look through the steps closely tomorrow and will
>>> create some lineup here.
>>>
>>> Cheers,
>>>
>>> Matt
>>>
>>> 2017-02-16 23:55 GMT+01:00 Florence Blanc-Renaud <flo at redhat.com>:
>>>> On 02/16/2017 09:55 PM, Matt . wrote:
>>>>>
>>>>> Hi Flo! (if I may call you like that, saves some characters in typing
>>>>> but with this extra line it doesn't anymore :))
>>>>>
>>>>> This works perfectly, thank you very much.
>>>>>
>>>> Hi Matt,
>>>>
>>>> glad I could help. What did you do differently that could explain the
>>>> failure, though? Maybe the cert installation needs some hardening.
>>>>
>>>> Flo.
>>>>
>>>>> No questions further actually :)
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Matt
>>>>>
>>>>> 2017-02-16 11:17 GMT+01:00 Florence Blanc-Renaud <flo at redhat.com>:
>>>>>>




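Rob's check rests on one property of an NSS database: a nickname is not unique, so `certutil -L -n <nickname>` prints every certificate stored under it, and two entries with different serial numbers are two different certificates (for example a CA that exists both self-signed and cross-signed by another root), not a corrupted or doubly imported one. The script below is an added example, not part of the thread or of FreeIPA. It parses the verbose `certutil -L` listing and reports how many entries a nickname has versus how many distinct serials they carry; the embedded listing is a constructed sample with invented serials and names, standing in for the real `certutil -L -d /etc/httpd/alias -n COMODORSAAddTrustCA` output.

```shell
#!/bin/sh
# Added example (not from the thread). Feed it the output of
#   certutil -L -d /etc/httpd/alias -n COMODORSAAddTrustCA
# and it reports how many entries the nickname has and how many
# distinct serial numbers they carry.

# Pull serial numbers out of certutil's verbose listing. certutil prints
# short serials inline ("Serial Number: 1 (0x1)") and longer ones as
# "Serial Number:" followed by colon-separated hex bytes on the next line.
extract_serials() {
    awk '
        /^[ \t]*Serial Number:/ {
            s = $0
            sub(/^[ \t]*Serial Number:[ \t]*/, "", s)
            if (s == "") {           # hex bytes are on the following line
                getline
                s = $0
                sub(/^[ \t]+/, "", s)
            }
            print s
        }'
}

# Summarise the listing on stdin as "distinct:<n> total:<m>".
#   distinct == total -> every entry is a different certificate (Rob's "a-ok")
#   distinct <  total -> the same serial is listed more than once
serial_verdict() {
    serials=$(extract_serials)
    total=$(printf '%s\n' "$serials" | grep -c . || :)
    distinct=$(printf '%s\n' "$serials" | sort -u | grep -c . || :)
    echo "distinct:$distinct total:$total"
}

# Constructed sample listing: two certificates with the same subject stored
# under one nickname, one cross-signed and one self-signed. Serials, names
# and the trimmed field set are invented, not real Comodo values.
SAMPLE='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f:10
        Issuer: "CN=Example External Root,O=Example,C=XX"
        Subject: "CN=Example CA,O=Example,C=XX"
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4660 (0x1234)
        Issuer: "CN=Example CA,O=Example,C=XX"
        Subject: "CN=Example CA,O=Example,C=XX"
'

# Stand-alone run on the constructed sample; against a live server use
#   certutil -L -d /etc/httpd/alias -n COMODORSAAddTrustCA | serial_verdict
printf '%s\n' "$SAMPLE" | serial_verdict
```

On a real server, pipe the live `certutil -L -n` output into `serial_verdict`; the two-entry case Matt shows should come back as `distinct:2 total:2`, which is the harmless outcome Rob expects. Note that `ipa-certupdate` repopulates the local databases from the CA certificates IPA stores centrally, which is why removing entries locally does not keep them away.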