On 06/22/2016 09:29 PM, Florence Blanc-Renaud wrote:

This patch fixes ipa-server-certinstall when used with 3rd-party certs.
The scenario is the following:
- install the server with an embedded CA
- use ipa-cacert-manage to install a 3rd party CA
- use ipa-certupdate to put the 3rd party CA cert in the relevant NSS databases (/etc/ipa/nssdb /etc/httpd/alias /etc/pki/pki-tomcat/alias and /etc/dirsrv/slapd-XXX) - use ipa-server-certinstall to replace the Directory/Apache server certificates with a cert signed by the 3rd party CA.

Note that I had to run ipa-certupdate after putting selinux mode to permissive (otherwise the cert does not get into /etc/pki/pki-tomcat/alias) and a bz has been opened against selinux-policy to solve this issue.



The patch works as expected with the selinux requirement you mentioned. I will just add Honza for code sanity check. Therefore conditional ACK if the code can take no further improvements.


Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to