On 11/30/2017 10:30 AM, Andrew Radygin via FreeIPA-users wrote:
On 11/30/2017 08:24 AM, Andrew Radygin via FreeIPA-users wrote:
Hi,

the ca certs need to be added from the root to the one that issued the
server cert:
1/ ipa-cacert-manage install root.crt + ipa-certupdate
2/ ipa-cacert-manage install inter1.crt + ipa-certupdate
3/ ipa-cacert-manage install inter2.crt + ipa-certupdate
4/ ipa-server-certinstall -w main.crt + restart http service

After step3, you can check that all the CA certs have been added to
/etc/httpd/alias with
$ certutil -L -d /etc/httpd/alias

HTH,
Flo

Florence, I already added the certs, but probably in the wrong order, and now if
I try to add the same ones in the order you pointed out, they aren't being added, even
with other nicknames (without any error, they just don't show up in certutil -L).

Hi,

no need to start over with a different nickname if the certificates are already in LDAP. "ipa-cacert-manage install" adds them in the LDAP server below cn=certificates,cn=ipa,cn=etc,$BASEDN, so I would start by checking if they are all present there: ldapsearch -h localhost -p 389 -D cn=directory\ manager -W -b cn=certificates,cn=ipa,cn=etc,$BASEDN (replace BASEDN with your deployment's basedn that can be found in /etc/ipa/default.conf)

The entries will also contain an attribute ipakeytrust (either trusted or distrusted). Please check that they are all trusted.

Maybe it's better to delete all the new CA certs from the databases and repeat adding
them in the right order?
How can I delete those certs?
I suppose via certutil, but from what directories and databases should I do 
that?
I tried something like that:
certutil -D -d /etc/httpd/alias -n "Nickname"
but after ipa-certupdate they show up again.
That is expected as ipa-certupdate retrieves the certs from LDAP and installs them in the /etc/httpd/alias NSS database.

By the way, how can I include my private key to ipa-server-certinstall?
Is it just
  # ipa-server-certinstall -w comodo.crt comodo.key
?

Also, if I try to install a file with only the main domain cert (without the
chain), the command results in an error:

# ipa-server-certinstall -w comodo_base.crt comodo.key
Directory Manager password:

Enter private key unlock password:

The full certificate chain is not present in comodo_base.crt, comodo.key
The ipa-server-certinstall command failed.

You can supply multiple files to ipa-server-certinstall, containing the cert, the key, and the cert chain. For instance
ipa-server-certinstall -w server.cert server.key cachain.cert
where server.cert contains only the cert, server.key only the key, and cachain.cert contains the root, inter1 and inter2 certs.

Flo
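The root-first install order and the chain check discussed above, as an added shell example that is not part of the thread and not FreeIPA's own code; it assumes openssl is in PATH and that the root, intermediates and server cert are separate PEM files (the file names and the test PKI are constructed).

```shell
# Added example, not from the thread: derive the root-first order in which the
# CA certs must be fed to "ipa-cacert-manage install", and check that the server
# cert verifies against that chain. Assumes openssl in PATH, no spaces in names.

# Subject / issuer DN of a PEM cert, "subject="/"issuer=" prefix stripped.
cert_subject() { openssl x509 -in "$1" -noout -subject | sed 's/^[a-z]*= *//'; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^[a-z]*= *//'; }

# order_chain SERVER_CERT CA_FILE...  -> CA files root first (install order),
# found by walking up from the server cert's issuer to a self-signed root.
order_chain() {
    server="$1"; shift
    want=$(cert_issuer "$server")   # DN of the CA we need to find next
    chain=""; hops=0
    while :; do
        found=""
        for f in "$@"; do
            if [ "$(cert_subject "$f")" = "$want" ]; then found="$f"; break; fi
        done
        [ -n "$found" ] || { echo "no CA with subject '$want': chain incomplete" >&2; return 1; }
        chain="$found${chain:+ $chain}"   # prepend, so the root ends up first
        hops=$((hops + 1))
        [ "$hops" -le "$#" ] || { echo "issuer loop detected" >&2; return 1; }
        # a self-signed cert (issuer == subject) is the root: stop there
        [ "$(cert_issuer "$found")" != "$want" ] || break
        want=$(cert_issuer "$found")
    done
    echo "$chain"
}

# verify_chain SERVER_CERT CA_FILE...  -> 0 if the server cert verifies against
# the bundle; a missing intermediate fails here, much like the
# "full certificate chain is not present" error from ipa-server-certinstall.
verify_chain() {
    server="$1"; shift
    bundle=$(mktemp); cat "$@" > "$bundle"
    openssl verify -CAfile "$bundle" "$server" >/dev/null 2>&1; rc=$?
    rm -f "$bundle"; return "$rc"
}

# install_plan SERVER_CERT SERVER_KEY CA_FILE...  -> the thread's commands, ordered
install_plan() {
    server="$1"; key="$2"; shift 2
    ordered=$(order_chain "$server" "$@") || return 1
    verify_chain "$server" $ordered || { echo "chain does not verify" >&2; return 1; }
    for ca in $ordered; do echo "ipa-cacert-manage install $ca && ipa-certupdate"; done
    echo "ipa-server-certinstall -w $server $key"
}
```

Running `install_plan server.crt server.key inter1.crt inter2.crt root.crt` prints the install commands with the root first, and refuses to print anything if an intermediate is missing.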
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
