[Freeipa-users] Cannot install 3rd party certificate

Florence Blanc-Renaud flo at redhat.com
Tue Feb 21 08:03:53 UTC 2017


On 02/20/2017 04:09 PM, Matt . wrote:
> Hi Rob,
>
> Yes it does, I understood that there was some reason the duplicate
> might exist, but I wonder more why does the RootCA show up when I
> removed it and comes back after adding the two intermediates ?
>
Hi Matt,

When ipa-cacert-manage install is run, it adds an LDAP entry for the new 
CA certificate below cn=certificates,cn=ipa,cn=etc,$BASEDN.
When ipa-certupdate is run, it adds all the certificates found in 
cn=certificates,cn=ipa,cn=etc,$BASEDN to /etc/httpd/alias.
So even if you remove one certificate from /etc/httpd/alias, the next 
ipa-certupdate command will re-add this CA cert if it is still present 
in LDAP.

Hope this clarifies,
Flo.


> Thanks
>
> Matt
>
>
> 2017-02-20 15:20 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
>> Matt . wrote:
>>> Hi,
>>>
>>> The install seems to be OK this way, but I'm still confused about the
>>> duplicated and the RootCA.
>>
>> What does this show?
>>
>> #3 certutil -L -d /etc/httpd/alias -n COMODORSAAddTrustCA
>>
>> I'm guessing it will show two certs with different serial numbers, which
>> means this is a-ok.
>>
>> rob
>>
>>>
>>> 2017-02-18 14:47 GMT+01:00 Matt . <yamakasi.014 at gmail.com>:
>>>> Hi Florence,
>>>>
>>>>
>>>> I'm actually still investigating this as the following occurs.
>>>>
>>>> I have removed all unneeded certs and installed the 2 intermediates
>>>> for Comodo and did an ipa-certupdate which results in this:
>>>>
>>>> #certutil -L -d /etc/httpd/alias
>>>>
>>>> Certificate Nickname                                         Trust Attributes
>>>>                                                              SSL,S/MIME,JAR/XPI
>>>>
>>>> CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA
>>>> Limited,L=Salford,ST=Greater Manchester,C=GB C,,
>>>> AddTrustExternalCARoot                                       C,,
>>>> ipaCert                                                      u,u,u
>>>> COMODORSAAddTrustCA                                          C,,
>>>> COMODORSAAddTrustCA                                          C,,
>>>> IPA.MYDOMAIN.TLD IPA CA                         CT,C,C
>>>>
>>>>
>>>> I'm curious why the COMODORSAAddTrustCA is there twice, if I remove
>>>> both and start over they are duplicated again. Also the
>>>> AddTrustExternalCARoot comes back again even when this was not
>>>> installed anymore as it's not needed.
>>>>
>>>> I'm able to install my cert after the update:
>>>>
>>>>
>>>> #certutil -L -d /etc/httpd/alias
>>>>
>>>> Certificate Nickname                                         Trust Attributes
>>>>                                                              SSL,S/MIME,JAR/XPI
>>>>
>>>> CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA
>>>> Limited,L=Salford,ST=Greater Manchester,C=GB C,,
>>>> AddTrustExternalCARoot                                       C,,
>>>> ipaCert                                                      u,u,u
>>>> COMODORSAAddTrustCA                                          C,,
>>>> COMODORSAAddTrustCA                                          C,,
>>>> IPA.MYDOMAIN.TLD IPA CA                         CT,C,C
>>>> CN=*.ipa.mydomain.tld,OU=PositiveSSL Wildcard,OU=Domain Control Validated u,u,u
>>>>
>>>>
>>>>
>>>> Now this works great for the WebGui which uses the right Certificate
>>>> for the ssl connection but ldaps on port 636 seems to use:
>>>>
>>>> CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA
>>>> Limited,L=Salford,ST=Greater Manchester,C=GB
>>>>
>>>>
>>>> Do you have any clue about this ?
>>>>
>>>> I'm also curious about what IPA syncs between all hosts, it seems to
>>>> be only the Intermediate certs and not the install domains
>>>> certificate, this needs to be installed manually after a local
>>>> #ipa-certupdate on each node ?
>>>>
>>>> I hope you can clarify this.
>>>>
>>>>
>>>> Thanks,
>>>>
>>>> Matt
>>>>
>>>>
>>>> 2017-02-17 0:15 GMT+01:00 Matt . <yamakasi.014 at gmail.com>:
>>>>> Hi Flo,
>>>>>
>>>>> Sure I can, I will look through the steps closely tomorrow and will
>>>>> create some lineup here.
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Matt
>>>>>
>>>>> 2017-02-16 23:55 GMT+01:00 Florence Blanc-Renaud <flo at redhat.com>:
>>>>>> On 02/16/2017 09:55 PM, Matt . wrote:
>>>>>>>
>>>>>>> Hi Flo! (if I may call you like that, saves some characters in typing
>>>>>>> but with this extra line it doesn't anymore :))
>>>>>>>
>>>>>>> This works perfectly, thank you very much.
>>>>>>>
>>>>>> Hi Matt,
>>>>>>
>>>>>> glad I could help. What did you do differently that could explain the
>>>>>> failure, though? Maybe the cert installation needs some hardening.
>>>>>>
>>>>>> Flo.
>>>>>>
>>>>>>> No questions further actually :)
>>>>>>>
>>>>>>> Cheers,
>>>>>>>
>>>>>>> Matt
>>>>>>>
>>>>>>> 2017-02-16 11:17 GMT+01:00 Florence Blanc-Renaud <flo at redhat.com>:
>>>>>>>>
>>
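Flo's explanation at the top of this message is that ipa-certupdate rebuilds /etc/httpd/alias from the CA entries under cn=certificates,cn=ipa,cn=etc,$BASEDN, so a nickname deleted only from the NSS database comes back. The following script is an added example (not code from the thread or from FreeIPA) that takes a `certutil -L` listing and an LDIF dump of that container, reports nicknames listed twice in the NSS DB, and reports which nicknames the next ipa-certupdate will restore; both inputs are constructed samples, and it assumes the LDAP entries are named by nickname (cn=<nickname>,cn=certificates,...).

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA itself.
# Compares a `certutil -L -d /etc/httpd/alias` listing with an LDIF dump of
# cn=certificates,cn=ipa,cn=etc,$BASEDN: nicknames present in LDAP will be
# re-added by the next ipa-certupdate, so removing them from the NSS DB alone
# is not enough. Both inputs below are constructed samples.
# Assumption: LDAP entries are named by nickname (cn=<nickname>,cn=certificates,...).

NSS_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB C,,
AddTrustExternalCARoot                                       C,,
ipaCert                                                      u,u,u
COMODORSAAddTrustCA                                          C,,
COMODORSAAddTrustCA                                          C,,
IPA.MYDOMAIN.TLD IPA CA                                      CT,C,C'

LDAP_LISTING='dn: cn=AddTrustExternalCARoot,cn=certificates,cn=ipa,cn=etc,dc=example,dc=test
dn: cn=COMODORSAAddTrustCA,cn=certificates,cn=ipa,cn=etc,dc=example,dc=test
dn: cn=IPA.MYDOMAIN.TLD IPA CA,cn=certificates,cn=ipa,cn=etc,dc=example,dc=test'

# Nicknames from the certutil listing: keep lines whose last field is a
# trust-flag triple such as C,, or u,u,u, then drop that field.
nss_nicknames() {
  printf '%s\n' "$1" |
    awk '$NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ { $NF = ""; sub(/[ \t]+$/, ""); print }'
}

# Nicknames stored in LDAP: the cn RDN of each entry under cn=certificates.
ldap_nicknames() {
  printf '%s\n' "$1" | sed -n 's/^dn: cn=\([^,]*\),cn=certificates,.*/\1/p'
}

# Nicknames listed more than once in the NSS DB (same nickname, possibly different serials).
duplicate_nicknames() {
  nss_nicknames "$1" | sort | uniq -d
}

# NSS DB nicknames that also exist in LDAP, i.e. the ones ipa-certupdate restores.
ldap_backed_nicknames() {
  _ldap=$(ldap_nicknames "$2")
  nss_nicknames "$1" | sort -u | grep -Fx -e "$_ldap"
}

echo "Duplicated nicknames in the NSS DB:"
duplicate_nicknames "$NSS_LISTING"
echo "Nicknames the next ipa-certupdate will re-add from LDAP:"
ldap_backed_nicknames "$NSS_LISTING" "$LDAP_LISTING"
```

On a real server, feed it the output of `certutil -L -d /etc/httpd/alias` and of an ldapsearch with base cn=certificates,cn=ipa,cn=etc,$BASEDN; a nickname that shows up in the second list has to be removed with the LDAP entry, not just from the NSS DB.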