On 21.6.2016 11:03, Florence Blanc-Renaud wrote:
I am working on the following issues and I have questions re. 3rd party
- https://fedorahosted.org/freeipa/ticket/4785 ipa-server-certinstall
tracks the 3rd party cert it installs with certmonger
- https://fedorahosted.org/freeipa/ticket/4786 ipa-server-certinstall
does not accept certs signed by 3rd party CAs
First I would like to validate that my scenario is the correct one:
FreeIPA installed with an embedded CA. The customer now wants to use a
different certificate for httpd and dirsrv, signed by a 3rd party CA.
The steps to achieve this are:
1. run "ipa-cacert-manage install -t C,, <CAcert file>" to install the
3rd party CA certificate. This step puts the CA certificate in the LDAP
2. run "ipa-certupdate" to retrieve the CA cert from LDAP and put it
into /etc/ipa/nssdb, /etc/dirsrv/slapd-xxx and /etc/httpd/alias
Note that this command does not put the CA cert into
/etc/pki/pki-tomcat/alias, is this expected? I had to perform this
manually (otherwise tomcat won't restart later).
ipa-certupdate is supposed to update /etc/pki/pki-tomcat/alias.
Here is the relevant code:
3. run "ipa-server-certinstall -d -w key.pem cert.pem"
This command should stop tracking the previous cert, install the new
one in /etc/dirsrv/slapd-xx (if -d is used) and /etc/httpd/alias (if -w
is used), and track the new one only if signed by IPA CA. It also
updates the attribute nssslpersonalityssl of the entry
cn=rsa,cn=encryption,cn=config to contain the new cert nickname (for the
dirsrv) and sets NSSNickname in /etc/httpd/conf.d/nss.conf (for httpd).
After those steps, I noticed that
- the entries
are not updated: their attribute userCertificate still contains the old
Did I miss a manual step? Is it an issue?
AFAIK ipa-server-certinstall never updated these entries. It's probably
not an issue, but it would be nice to update them, for consistency.
- the new certificate nickname is not "Server-Cert" any more but rather
the full subject (even if --cert-name was supplied to
Can this cause issues?
Actually, the full subject name is used only if the originating PKCS#12
file does not have a nickname for the server certificate.
The --cert-name is used to select a single server certificate from the
PKCS#12 file in case there are multiple, it is not supposed to change
It could cause an issue if someone assumed that the nickname is always
"Server-Cert", but I don't think that there currently is code that does.
Thanks for any input,
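As an added illustration (not code from this thread or from FreeIPA), a Python check of the state left by step 3: the nickname httpd is configured to serve must exist in the NSS database with a private key, and the 3rd-party CA must carry the C trust flag for SSL. The certutil listing, the nss.conf excerpt and the CA nickname "Example Third Party CA" are constructed sample values; the same check applied to an old "Server-Cert" nickname shows why code assuming that name would break.

```python
import re

TRUST_RE = re.compile(r"^[CTcpPuw]*,[CTcpPuw]*,[CTcpPuw]*$")  # e.g. "CT,C,C", "C,,", "u,u,u"

# Constructed sample of `certutil -L -d /etc/httpd/alias` after the three steps
CERTUTIL_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.TEST IPA CA                                          CT,C,C
Example Third Party CA                                       C,,
CN=ipa.example.test,O=EXAMPLE.TEST                           u,u,u
"""

# Constructed excerpt of /etc/httpd/conf.d/nss.conf after ipa-server-certinstall -w
NSS_CONF = """\
NSSCertificateDatabase /etc/httpd/alias
NSSNickname CN=ipa.example.test,O=EXAMPLE.TEST
"""

def parse_certutil_listing(text):
    """Map nickname -> trust flags; nicknames may contain spaces, so take the last token."""
    certs = {}
    for line in text.splitlines():
        nickname, _, flags = line.rstrip().rpartition(" ")
        if TRUST_RE.match(flags):  # header and blank lines do not match
            certs[nickname.rstrip()] = flags
    return certs

def nss_conf_nickname(text):
    """Return the NSSNickname httpd is configured to serve, or None."""
    m = re.search(r"^NSSNickname\s+(.+?)\s*$", text, re.MULTILINE)
    return m.group(1) if m else None

def check_server_cert_setup(listing, nss_conf, ca_nickname):
    """Return problems found; [] means the configured nickname exists with
    a private key (u) and the 3rd-party CA is trusted for SSL (C)."""
    certs = parse_certutil_listing(listing)
    problems = []
    nickname = nss_conf_nickname(nss_conf)
    if nickname not in certs:
        problems.append("NSSNickname %r not in NSS database" % nickname)
    elif "u" not in certs[nickname].split(",")[0]:
        problems.append("%r has no private key (no u flag)" % nickname)
    ca_flags = certs.get(ca_nickname)
    if ca_flags is None:
        problems.append("CA %r not in NSS database" % ca_nickname)
    elif "C" not in ca_flags.split(",")[0]:
        problems.append("CA %r lacks the C trust flag for SSL" % ca_nickname)
    return problems
```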