[Freeipa-users] Cannot install 3rd party certificate

Matt . yamakasi.014 at gmail.com
Mon Feb 20 15:09:37 UTC 2017


Hi Rob,

Yes it does, I understood that there was some reason the duplicate
might exist, but I wonder more why the RootCA shows up when I
removed it and comes back after adding the two intermediates?

Thanks

Matt


2017-02-20 15:20 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
> Matt . wrote:
>> Hi,
>>
>> The install seems to be OK this way, but I'm still confused about the
>> duplicated and the RootCA.
>
> What does this show?
>
> #3 certutil -L -d /etc/httpd/alias -n COMODORSAAddTrustCA
>
> I'm guessing it will show two certs with different serial numbers, which
> means this is a-ok.
>
> rob
>
>>
>> 2017-02-18 14:47 GMT+01:00 Matt . <yamakasi.014 at gmail.com>:
>>> Hi Florance,
>>>
>>>
>>> I'm actually still investigating this as the following occurs.
>>>
>>> I have removed all unneeded certs and installed the 2 intermediates
>>> for Comodo and did an ipa-certupdate which results in this:
>>>
>>> #certutil -L -d /etc/httpd/alias
>>>
>>> Certificate Nickname                                         Trust Attributes
>>>                                                              SSL,S/MIME,JAR/XPI
>>>
>>> CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA
>>> Limited,L=Salford,ST=Greater Manchester,C=GB C,,
>>> AddTrustExternalCARoot                                       C,,
>>> ipaCert                                                      u,u,u
>>> COMODORSAAddTrustCA                                          C,,
>>> COMODORSAAddTrustCA                                          C,,
>>> IPA.MYDOMAIN.TLD IPA CA                         CT,C,C
>>>
>>>
>>> I'm curious why the COMODORSAAddTrustCA is there twice, if I remove
>>> both and start over they are duplicated again. Also the
>>> AddTrustExternalCARoot comes back again even when this was not
>>> installed anymore as it's not needed.
>>>
>>> I'm able to install my cert after the update:
>>>
>>>
>>> #certutil -L -d /etc/httpd/alias
>>>
>>> Certificate Nickname                                         Trust Attributes
>>>                                                              SSL,S/MIME,JAR/XPI
>>>
>>> CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA
>>> Limited,L=Salford,ST=Greater Manchester,C=GB C,,
>>> AddTrustExternalCARoot                                       C,,
>>> ipaCert                                                      u,u,u
>>> COMODORSAAddTrustCA                                          C,,
>>> COMODORSAAddTrustCA                                          C,,
>>> IPA.MYDOMAIN.TLD IPA CA                         CT,C,C
>>> CN=*.ipa.mydomain.tld,OU=PositiveSSL Wildcard,OU=Domain Control Validated u,u,u
>>>
>>>
>>>
>>> Now this works great for the WebGui which uses the right Certificate
>>> for the ssl connection but ldaps on port 636 seems to use:
>>>
>>> CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA
>>> Limited,L=Salford,ST=Greater Manchester,C=GB
>>>
>>>
>>> Do you have any clue about this?
>>>
>>> I'm also curious about what IPA syncs between all hosts; it seems to
>>> be only the intermediate certs and not the installed domain's
>>> certificate. Does this need to be installed manually after a local
>>> #ipa-certupdate on each node?
>>>
>>> I hope you can clarify this.
>>>
>>>
>>> Thanks,
>>>
>>> Matt
>>>
>>>
>>> 2017-02-17 0:15 GMT+01:00 Matt . <yamakasi.014 at gmail.com>:
>>>> Hi Flo,
>>>>
>>>> Sure I can, I will look through the steps closely tomorrow and will
>>>> create some lineup here.
>>>>
>>>> Cheers,
>>>>
>>>> Matt
>>>>
>>>> 2017-02-16 23:55 GMT+01:00 Florence Blanc-Renaud <flo at redhat.com>:
>>>>> On 02/16/2017 09:55 PM, Matt . wrote:
>>>>>>
>>>>>> Hi Flo! (if I may call you that, it saves some characters in typing,
>>>>>> but with this extra line it doesn't anymore :))
>>>>>>
>>>>>> This works perfectly, thank you very much.
>>>>>>
>>>>> Hi Matt,
>>>>>
>>>>> glad I could help. What did you do differently that could explain the
>>>>> failure, though? Maybe the cert installation needs some hardening.
>>>>>
>>>>> Flo.
>>>>>
>>>>>> No questions further actually :)
>>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>> Matt
>>>>>>
>>>>>> 2017-02-16 11:17 GMT+01:00 Florence Blanc-Renaud <flo at redhat.com>:
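The certutil -L listing quoted in the thread above, parsed by an added example (Python; not code from the thread, from FreeIPA or from NSS). It rejoins the subject-DN nickname that the mailer wrapped over two lines, reports nicknames that appear more than once (the ones worth checking with `certutil -L -d <dbdir> -n <nick>` for differing serial numbers, as Rob suggests) and shows which entries are trusted as SSL CAs. The sample listing is constructed from the thread; rejoining wrapped lines with a single space is an assumption.

```python
import re
from collections import Counter

# Constructed sample: the /etc/httpd/alias listing quoted in the thread,
# including the subject-DN nickname that the mail client wrapped over two lines.
SAMPLE = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA
Limited,L=Salford,ST=Greater Manchester,C=GB C,,
AddTrustExternalCARoot                                       C,,
ipaCert                                                      u,u,u
COMODORSAAddTrustCA                                          C,,
COMODORSAAddTrustCA                                          C,,
IPA.MYDOMAIN.TLD IPA CA                         CT,C,C
"""

# A trust field is three comma-separated groups of NSS trust flags
# (SSL, S/MIME, JAR/XPI); any group may be empty, e.g. "C,," or "u,u,u".
FLAGS = r"[pPcCTuw]*"
ROW_RE = re.compile(rf"^(?P<name>.*?)\s+(?P<trust>{FLAGS},{FLAGS},{FLAGS})$")

def parse_certutil_list(text):
    """Return (nickname, trust) pairs in listing order, rejoining wrapped names."""
    entries = []
    pending = ""  # nickname fragments from lines that carried no trust field
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("Certificate Nickname") \
                or line.lstrip().startswith("SSL,S/MIME"):
            continue  # blank line or one of the two header rows
        m = ROW_RE.match(line)
        if m is None:
            # No trust field: assume a mailer-wrapped nickname, rejoin with a space
            pending += line + " "
            continue
        entries.append(((pending + m.group("name")).strip(), m.group("trust")))
        pending = ""
    return entries

def duplicate_nicknames(entries):
    """Nicknames listed more than once: confirm with `certutil -L -n <nick>` that
    they are distinct certificates (different serials), not a botched import."""
    counts = Counter(name for name, _ in entries)
    return sorted(name for name, count in counts.items() if count > 1)

def trusted_ssl_cas(entries):
    """Nicknames whose SSL trust group carries 'C' (trusted to issue server certs)."""
    return [name for name, trust in entries if "C" in trust.split(",")[0]]
```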