<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<p>Hi there, is it possible to have a cert (say from VeriSign) for an IPA host and use it for httpd (Web GUI), without breaking anything else? I've acquired one and added it to nssdb (<span>/etc/httpd/alias</span>). </p>
<p><br>
</p>
<p></p>
<pre># certutil -L -d /etc/httpd/alias
Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI
ipaCert                                      u,u,u
Server-Cert                                  u,u,u
COMP.COM IPA CA                              CT,C,C
Signing-Cert                                 u,u,u
CA-LDAP01-CHAINED                            u,u,u
Comp SSL CA - G2 - VeriSign, Inc.            ,,
</pre>
<p></p>
<p></p>
<div><br>
It's now used in <span>/etc/httpd/conf.d/nss.conf</span> and the cert looks good via a browser. But it's breaking something, since I see this:
<br>
<br>
# ipa user-show admin<br>
ipa: ERROR: cert validation failed for "CN=ca-ldap01.comp.com,OU=Corp,O=Corporation,L=City,ST=California,C=US" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)<br>
ipa: ERROR: cannot connect to 'https://ca-ldap01.comp.com/ipa/json': (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.</div>
<p></p>
<p><br>
</p>
<p>Adding this cert to <span>/etc/dirsrv/slapd-CORP-COM/</span> nssdb didn't resolve the issue. Thanks for any advice.</p>
<p>Zarko<br>
</p>
</div>
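<p>Added example, not part of the original message: a small parser for the <span>certutil -L</span> listing quoted above that decodes each entry's three trust fields (SSL, S/MIME, JAR/XPI) and reports which nicknames carry no SSL trust flags in that database. The function names are hypothetical, and the sample text is the listing from the message with column spacing reconstructed.</p>
<pre>
```python
import re

# Constructed sample: the listing from the message, column spacing reconstructed.
LISTING = """\
Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI
ipaCert                                      u,u,u
Server-Cert                                  u,u,u
COMP.COM IPA CA                              CT,C,C
Signing-Cert                                 u,u,u
CA-LDAP01-CHAINED                            u,u,u
Comp SSL CA - G2 - VeriSign, Inc.            ,,
"""

# NSS trust flag letters as documented for certutil.
FLAG_MEANING = {
    "p": "valid peer", "P": "trusted peer", "c": "valid CA",
    "C": "trusted CA for server certs", "T": "trusted CA for client certs",
    "u": "user cert (private key in this db)", "w": "send warning",
}
TRUST_RE = re.compile(r"^([pPcCTuw]*),([pPcCTuw]*),([pPcCTuw]*)$")

def parse_listing(text):
    """Return {nickname: {"ssl": flags, "smime": flags, "codesign": flags}}."""
    entries = {}
    for line in text.splitlines():
        # The trust field is the last token; nicknames may hold spaces and commas.
        parts = line.rstrip().rsplit(None, 1)
        if len(parts) != 2:
            continue  # blank line or the second header line
        m = TRUST_RE.match(parts[1])
        if m:  # the first header line ends in "Attributes" and is skipped here
            entries[parts[0].strip()] = dict(zip(("ssl", "smime", "codesign"), m.groups()))
    return entries

def describe(flags):
    """Spell out a flag string such as 'CT'; an empty field means no trust set."""
    return [FLAG_MEANING[f] for f in flags] or ["no trust set"]

def no_ssl_trust(entries):
    """Nicknames whose SSL trust field is empty in this database."""
    return [nick for nick, t in entries.items() if not t["ssl"]]

if __name__ == "__main__":
    parsed = parse_listing(LISTING)
    for nick, t in parsed.items():
        print(f"{nick}: SSL = {', '.join(describe(t['ssl']))}")
    print("No SSL trust flags:", no_ssl_trust(parsed))
```
</pre>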
</body>
</html>