Hi Flo,

On 12/12/17 3:59 PM, Harald Dunkel via FreeIPA-users wrote:

My concern is, it looks much more restricted than the old root CA

# certutil -L -d /var/lib/pki/pki-tomcat/ca/alias

Certificate Nickname                                         Trust Attributes

Server-Cert cert-pki-ca                                      u,u,u
subsystemCert cert-pki-ca                                    u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,u
CN=example Root CA,OU=example Certificate Authority,O=example AG,C=DE CT,C,C
CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE  C,,

Shouldn't it be "CT,C,C" as well?


ipa-certupdate said

# ipa-certupdate
trying https://ipa1.example.de/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://ipa1.example.de/ipa/json'
trying https://ipa1.example.de/ipa/json
[try 1]: Forwarding 'ca_is_enabled' to json server 
[try 1]: Forwarding 'ca_find/1' to json server 
Systemwide CA database updated.
Systemwide CA database updated.
The ipa-certupdate command was successful

dmesg shows that there was a core dump:

[108604.869633] ns-slapd[23051]: segfault at 10 ip 00007fb60841dc30 sp 00007fb60af56c88 error 4 in libpthread-2.17.so[7fb608414000+17000]

Problem: The certificate in /etc/ipa/ca.crt and /usr/share/ipa/html/ca.crt
is still old. The files have been touched, but not replaced by the new
certificate.

AFAICT this is not as documented. Would you suggest to file a bug?

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
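As an added example (not code from the thread or from FreeIPA), the following script parses the certutil -L listing quoted above and reports, for every CA entry in the NSS database, which of the three trust slots (SSL, email, object signing) mark it as a trusted CA and whether it is trusted to issue client certificates. The sample input is the listing from the message; the function names are assumptions.

```python
import re

# Constructed sample input: the certutil -L output quoted in the message.
CERTUTIL_OUTPUT = """\
Certificate Nickname                                         Trust Attributes

Server-Cert cert-pki-ca                                      u,u,u
subsystemCert cert-pki-ca                                    u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,u
CN=example Root CA,OU=example Certificate Authority,O=example AG,C=DE CT,C,C
CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE  C,,
"""

# NSS trust letters: p/P valid/trusted peer, c valid CA, C trusted CA for
# server certs, T trusted CA for client certs, u user cert (private key).
# A certificate line ends with a "ssl,email,objsign" flag triple; nicknames
# may contain spaces and commas, so match the triple anchored at line end.
TRUST_RE = re.compile(
    r"^(?P<nick>.+?)\s+(?P<trust>[pPcCTu]*,[pPcCTu]*,[pPcCTu]*)\s*$"
)


def parse_certutil(text):
    """Return {nickname: (ssl, email, objsign)} for each certificate line."""
    certs = {}
    for line in text.splitlines():
        m = TRUST_RE.match(line)
        if m:  # header and blank lines carry no flag triple and are skipped
            certs[m.group("nick")] = tuple(m.group("trust").split(","))
    return certs


def ca_trust_report(certs):
    """Summarise CA trust per entry; non-CA entries (no C/T) are omitted."""
    slots = ("ssl", "email", "objsign")
    report = {}
    for nick, flags in certs.items():
        if not any(ch in f for f in flags for ch in "CT"):
            continue
        report[nick] = {
            # slots in which this cert is a trusted CA for server certs
            "trusted_ca_for": [s for s, f in zip(slots, flags) if "C" in f],
            # 'T' in the SSL slot: trusted to issue client-auth certificates
            "client_auth_ca": "T" in flags[0],
        }
    return report


if __name__ == "__main__":
    for nick, info in ca_trust_report(parse_certutil(CERTUTIL_OUTPUT)).items():
        print(nick, info)
```

Run against a live database by replacing CERTUTIL_OUTPUT with the captured output of certutil -L -d /var/lib/pki/pki-tomcat/ca/alias; an entry such as the root-CA one, with flags C,, will show up as trusted for SSL only and not for client authentication.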