On 11/30/2017 08:24 AM, Andrew Radygin via FreeIPA-users wrote:
I see, the mechanism is clear to me.

I took my CA chain from
  
https://support.comodo.com/index.php?/comodo/Knowledgebase/Article/View/979/108/domain-validation-sha-2

And my chain is following:

main cert
Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO 
RSA Domain Validation Secure Server CA
Subject: OU=Domain Control Validated, OU=EssentialSSL Wildcard, 
CN=*.mydomain.com

inter1
Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust 
External CA Root
Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO 
RSA Certification Authority

inter2
Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO 
RSA Certification Authority
Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO 
RSA Domain Validation Secure Server CA

root
Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust 
External CA Root
Subject: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust 
External CA Root

Does it seem correct? According to sources from Google, it's not.
And in what order should I import the CAs via ipa-cacert-manage?
Should I import them one by one, or from one file in the correct order?
https://www.ssllabs.com/ssltest/analyze.html tells me that the chain is full and 
the order is correct...
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Hi,

the CA certs need to be added from the root to the one that issued the server cert:
1/ ipa-cacert-manage install root.crt + ipa-certupdate
2/ ipa-cacert-manage install inter1.crt + ipa-certupdate
3/ ipa-cacert-manage install inter2.crt + ipa-certupdate
4/ ipa-server-certinstall -w main.crt + restart http service

After step 3, you can check that all the CA certs have been added to /etc/httpd/alias with
$ certutil -L -d /etc/httpd/alias

HTH,
Flo
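The reply above gives the install order in prose: root first, then each intermediate, then the server cert. The following is an added example (not code from the thread or from FreeIPA) that derives that order mechanically from the Subject/Issuer pairs quoted in the question, so the same check works for any chain: it finds the self-signed root, follows Issuer → Subject links down to the leaf, and reports a chain that is missing a link. The Subject/Issuer strings are copied from the post; the file names (root.crt, inter1.crt, inter2.crt, main.crt) are the ones used in the reply, and the `systemctl restart httpd` step is assumed as the "restart http service" action.

```python
"""Order a CA chain root-first for ipa-cacert-manage (added example).

Input is a mapping of file name -> {"subject", "issuer"} as printed by
openssl x509 -noout -subject -issuer; here the values are constructed
from the strings quoted in the question rather than read from files.
"""
from __future__ import annotations

# Subject/Issuer pairs copied from the post; file names follow the reply.
CHAIN_FROM_POST = {
    "main.crt": {
        "subject": "OU=Domain Control Validated, OU=EssentialSSL Wildcard, CN=*.mydomain.com",
        "issuer": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, "
                  "CN=COMODO RSA Domain Validation Secure Server CA",
    },
    "inter1.crt": {
        "subject": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, "
                   "CN=COMODO RSA Certification Authority",
        "issuer": "C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, "
                  "CN=AddTrust External CA Root",
    },
    "inter2.crt": {
        "subject": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, "
                   "CN=COMODO RSA Domain Validation Secure Server CA",
        "issuer": "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, "
                  "CN=COMODO RSA Certification Authority",
    },
    "root.crt": {
        "subject": "C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, "
                   "CN=AddTrust External CA Root",
        "issuer": "C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, "
                  "CN=AddTrust External CA Root",
    },
}


def order_chain(certs: dict[str, dict[str, str]]) -> list[str]:
    """Return file names ordered from the self-signed root down to the leaf.

    Raises ValueError when the set of certificates does not form exactly one
    unbroken chain (no root, two roots, a missing intermediate, or a fork).
    """
    roots = [n for n, c in certs.items() if c["subject"] == c["issuer"]]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one self-signed root, found {len(roots)}")

    # issuer subject -> names of the certificates it issued (root excluded)
    issued: dict[str, list[str]] = {}
    for name, c in certs.items():
        if c["subject"] != c["issuer"]:
            issued.setdefault(c["issuer"], []).append(name)

    order = [roots[0]]
    while True:
        children = issued.get(certs[order[-1]]["subject"], [])
        if not children:
            break
        if len(children) > 1:
            raise ValueError(f"chain forks at {order[-1]}: {sorted(children)}")
        order.append(children[0])

    if len(order) != len(certs):
        missing = sorted(set(certs) - set(order))
        raise ValueError(f"certificates not linked to the chain: {missing}")
    return order


def chain_error(certs: dict[str, dict[str, str]]) -> str | None:
    """Return a description of the problem with the chain, or None if it links up."""
    try:
        order_chain(certs)
    except ValueError as exc:
        return str(exc)
    return None


def install_commands(certs: dict[str, dict[str, str]]) -> list[str]:
    """Emit the root-first command sequence from the reply for this chain."""
    order = order_chain(certs)
    cmds = [f"ipa-cacert-manage install {name} && ipa-certupdate" for name in order[:-1]]
    # Leaf goes in with ipa-server-certinstall; httpd restart is assumed here.
    cmds.append(f"ipa-server-certinstall -w {order[-1]} && systemctl restart httpd")
    return cmds


if __name__ == "__main__":
    for cmd in install_commands(CHAIN_FROM_POST):
        print(cmd)
```

Run against the pairs from the question it prints root.crt, inter1.crt, inter2.crt, then main.crt, which is the order the reply prescribes; dropping inter1.crt makes `chain_error` report that inter2.crt and main.crt are not linked to the root, which is the symptom a half-imported chain shows up as in `certutil -L`.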
