[Freeipa-users] bad certificate used to sign freeipa
Florence Blanc-Renaud
flo at redhat.com
Fri Mar 10 13:06:19 UTC 2017
Hi,

Which 'FreeIPA certificate' are you referring to? If you installed
FreeIPA CA-less, then the root certificate was used to sign LDAP and
HTTPd certificates and you can follow this page [1] to use a different
CA and replace LDAP and HTTPd certs.

If you installed IPA with an integrated CA, then the root certificate
was used to sign IPA CA certificate, and the other certificates used by
FreeIPA were signed by IPA CA. In this case you would have to replace
IPA CA with [2] and then renew LDAP and HTTPd certificates [3].

Flo

[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/third-party-certs-http-ldap.html
[2] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/cert-renewal.html#manual-cert-renewal-ext
[3] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/replace-HTTP-LDAP-cert.html

On 03/10/2017 01:16 PM, Harald Dunkel wrote:
> Hi folks,
>
> I stumbled over this problem:
>
> http://openbsd-archive.7691.n7.nabble.com/Certificate-Error-quot-format-error-in-certificate-s-notAfter-field-quot-td304262.html
>
> The details don't really matter. The important point is that
> the root certificate used to sign freeipa's certificate
> appears to be unacceptable on OpenBSD and maybe others.
>
> What would you suggest? Is there a guideline to migrate
> freeipa to a new certificate authority?
>
>
> Every helpful comment is highly appreciated
> Harri
>