On 21.6.2016 11:03, Florence Blanc-Renaud wrote:

I am working on the following issues and I have questions re. 3rd party
- https://fedorahosted.org/freeipa/ticket/4785 ipa-server-certinstall
tracks the 3rd party cert it installs with certmonger
- https://fedorahosted.org/freeipa/ticket/4786 ipa-server-certinstall
does not accept certs signed by 3rd party CAs

First I would like to validate that my scenario is the correct one:
FreeIPA installed with an embedded CA. The customer now wants to use a
different certificate for httpd and dirsrv, signed by a 3rd party CA.
The steps to achieve this are:
1. run "ipa-cacert-manage install -t C,, <CAcert file>" to install the
3rd party CA certificate. This step puts the CA certificate in the LDAP
entry cn=certificates,cn=ipa,cn=etc,dc=...


2. run "ipa-certupdate" to retrieve the CA cert from LDAP and put it
into /etc/ipa/nssdb /etc/dirsrv/slapd-xxx and /etc/httpd/alias
Note that this command does not put the CA cert into
/etc/pki/pki-tomcat/alias, is this expected? I had to perform this
manually (otherwise tomcat won't restart later).

ipa-certupdate is supposed to update /etc/pki/pki-tomcat/alias.

Here is the relevant code: <https://git.fedorahosted.org/cgit/freeipa.git/tree/install/restart_scripts/renew_ca_cert#n156>

3. run "ipa-server-certinstall -d -w key.pem cert.pem"
This command should stop tracking the previous cert, install the new
one in /etc/dirsrv/slapd-xx (if -d is used) and /etc/httpd/alias (if -w
is used), and track the new one only if signed by IPA CA. It also
updates the attribute nssslpersonalityssl of the entry
cn=rsa,cn=encryption,cn=config to contain the new cert nickname (for the
dirsrv) and sets NSSNickname in /etc/httpd/conf.d/nss.conf (for httpd).


After those steps, I noticed that
- the entries
are not updated: their attribute userCertificate still contains the old
Did I miss a manual step? Is it an issue?

AFAIK ipa-server-certinstall never updated these entries. It's probably not an issue, but it would be nice to update them, for consistency.

- the new certificate nickname is not "Server-Cert" any more but rather
the full subject (even if --cert-name was supplied to
Can this cause issues?

Actually, the full subject name is used only if the originating PKCS#12 file does not have a nickname for the server certificate.

The --cert-name is used to select a single server certificate from the PKCS#12 file in case there are multiple, it is not supposed to change the nickname.

It could cause an issue if someone assumed that the nickname is always "Server-Cert", but I don't think that there currently is code that does.

Thanks for any input,


Jan Cholasta

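A post-install check for the procedure discussed above, added here as an example; it is not part of the thread and not FreeIPA's own code. It parses `certutil -L -d <dir>` listings for the four NSS databases named in the thread plus the two places that record the server cert nickname (NSSNickname in nss.conf and nsSSLPersonalitySSL in cn=RSA,cn=encryption,cn=config), and reports the two failure modes raised: a CA cert that ipa-certupdate did not propagate to one database, and a configured nickname (no longer "Server-Cert") that does not exist in the matching database. The CA nickname, the dirsrv instance name and every listing below are constructed sample data, not captured output.

```python
"""Added example, not FreeIPA code: consistency checks after installing a
third-party server certificate for httpd and dirsrv.  All inputs are
constructed samples shaped like real `certutil -L` / nss.conf / LDIF data."""
import re
from typing import Dict, List, Tuple

# Assumed nickname of the CA installed with `ipa-cacert-manage install -t C,,`
THIRD_PARTY_CA = "Example Corp Root CA"

# Constructed `certutil -L -d <dir>` output.  The pki-tomcat database
# deliberately lacks the third-party CA, reproducing the thread's observation.
CERTUTIL_HEADER = (
    "Certificate Nickname                                         Trust Attributes\n"
    "                                                             SSL,S/MIME,JAR/XPI\n\n"
)
SAMPLE_LISTINGS: Dict[str, str] = {
    "/etc/ipa/nssdb": CERTUTIL_HEADER
        + "EXAMPLE.COM IPA CA                                           CT,C,C\n"
        + "Example Corp Root CA                                         C,,\n",
    "/etc/dirsrv/slapd-EXAMPLE-COM": CERTUTIL_HEADER          # assumed instance name
        + "EXAMPLE.COM IPA CA                                           CT,C,C\n"
        + "Example Corp Root CA                                         C,,\n"
        + "CN=ipa.example.com,O=Example Corp                            u,u,u\n",
    "/etc/httpd/alias": CERTUTIL_HEADER                       # old Server-Cert gone
        + "EXAMPLE.COM IPA CA                                           CT,C,C\n"
        + "Example Corp Root CA                                         C,,\n"
        + "CN=ipa.example.com,O=Example Corp                            u,u,u\n",
    "/etc/pki/pki-tomcat/alias": CERTUTIL_HEADER              # CA not propagated
        + "EXAMPLE.COM IPA CA                                           CT,C,C\n"
        + "Server-Cert                                                  u,u,u\n"
        + "subsystemCert cert-pki-ca                                    u,u,u\n",
}
SAMPLE_NSS_CONF = """\
# constructed fragment of /etc/httpd/conf.d/nss.conf
NSSEngine on
NSSCertificateDatabase /etc/httpd/alias
NSSNickname "CN=ipa.example.com,O=Example Corp"
"""
SAMPLE_DIRSRV_LDIF = """\
dn: cn=RSA,cn=encryption,cn=config
cn: RSA
nsSSLPersonalitySSL: CN=ipa.example.com,O=Example Corp
nsSSLToken: internal (software)
"""


def parse_certutil_listing(text: str) -> Dict[str, str]:
    """Map nickname -> trust flags ("CT,C,C", "u,u,u", ...) from certutil -L output."""
    certs: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Certificate Nickname") or line.startswith("SSL,S/MIME"):
            continue
        nickname, trust = line.rsplit(None, 1)  # nicknames may contain spaces; trust never does
        certs[nickname.strip()] = trust
    return certs


def check_ca_propagation(listings: Dict[str, str], ca_nickname: str) -> List[Tuple[str, str]]:
    """Databases where the CA is absent or lacks the C (SSL CA) trust flag."""
    problems: List[Tuple[str, str]] = []
    for db, text in listings.items():
        trust = parse_certutil_listing(text).get(ca_nickname)
        if trust is None:
            problems.append((db, "missing"))
        elif "C" not in trust.split(",")[0]:  # first field is the SSL trust
            problems.append((db, "SSL trust is %r, expected C" % trust))
    return problems


def nss_nickname(nss_conf: str) -> str:
    """NSSNickname value from nss.conf, surrounding quotes removed."""
    m = re.search(r'^\s*NSSNickname\s+"?(.+?)"?\s*$', nss_conf, re.MULTILINE)
    if m is None:
        raise ValueError("no NSSNickname directive")
    return m.group(1)


def dirsrv_nickname(ldif: str) -> str:
    """nsSSLPersonalitySSL value from the cn=RSA,cn=encryption,cn=config entry."""
    m = re.search(r"^nsSSLPersonalitySSL:\s*(.+?)\s*$", ldif, re.MULTILINE | re.IGNORECASE)
    if m is None:
        raise ValueError("no nsSSLPersonalitySSL attribute")
    return m.group(1)


def server_cert_present(listing: str, nickname: str) -> bool:
    """True if the nickname names a cert with a private key ("u" SSL trust) in the db."""
    trust = parse_certutil_listing(listing).get(nickname)
    return trust is not None and "u" in trust.split(",")[0]


def run_checks() -> List[str]:
    """Human-readable findings for the sample data."""
    findings = ["%s: third-party CA %s" % (db, why)
                for db, why in check_ca_propagation(SAMPLE_LISTINGS, THIRD_PARTY_CA)]
    for svc, db, nick in (
        ("httpd", "/etc/httpd/alias", nss_nickname(SAMPLE_NSS_CONF)),
        ("dirsrv", "/etc/dirsrv/slapd-EXAMPLE-COM", dirsrv_nickname(SAMPLE_DIRSRV_LDIF)),
    ):
        if not server_cert_present(SAMPLE_LISTINGS[db], nick):
            findings.append("%s: configured nickname %r not found in %s" % (svc, nick, db))
    return findings


if __name__ == "__main__":
    for finding in run_checks():
        print(finding)
```

On a real server the listings come from `certutil -L -d <dir>` run against each database, nss.conf from /etc/httpd/conf.d/nss.conf, and the LDIF from an ldapsearch of cn=RSA,cn=encryption,cn=config; the checks themselves are unchanged. The last two lookups are exactly where code that hard-codes "Server-Cert" would break once the nickname is the certificate's full subject.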