Hi All,

We are trying to install an externally signed certificate for the WebUI / HTTPS service on our RHEL IdM servers (primary and replica both). As the first step, we are trying to install the CA certificate chain of the issuer of the 3rd party certificate into IPA using "ipa-cacert-manage install".

Step 1: ipa-cacert-manage install idm-app-pilot-file.pem

We have put the certificate issued by the intermediate CA for the CSR generated at "/var/lib/ipa/ca.csr" from "ipa-cacert-manage renew --external-ca". The command accepts the certificate as expected.

Step 2: ipa-certupdate

We ran this command on both primary & replica and also on the clients registered to the

Step 3: ipa-cacert-manage renew --external-cert-file=idm-app-pilot-file.pem --external-cert-file=ca_chain_cert.pem

In this step, we are running the "ipa-cacert-manage renew" command with the renewed CA certificate and the external CA certificate chain. "ca_chain_cert.pem" has the intermediate and root cert of the signing CA.

The Step 3 command fails:

[root@ldmserver01 certs]# ipa-cacert-manage renew --external-cert-file=idm-app-pilot-file.pem --external-cert-file=ca_chain_cert.pem
Importing the renewed CA certificate, please wait
CA certificate CN=ABC Root CA,ST=California,OU=ABC_CA_Authority,O=ABCInc,L=PaloAlto,C=US in idm-app-pilot-file.pem, ca_chain_cert.pem is not valid: not a CA certificate
The ipa-cacert-manage command failed.

We have validated our certs using openssl verify -trusted as pasted below:

[root@ldmserver01 certs]# openssl verify -trusted ca_chain_cert.pem idm-app-pilot-file.pem
idm-app-pilot-file.pem: OK

Could someone please help us with what step we are doing wrong? What should be the content expected by the IdM server for ca_chain_cert.pem in terms of the order of the root and intermediate sections? We have even tried appending the CA cert chain to idm-app-pilot-file.pem, but no luck.

Thanks in advance.

Regards,
Saurabh Garg

FreeIPA-users mailing list -- [email protected]
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
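A diagnostic one can run over both PEM files before calling ipa-cacert-manage, added here as an example and not part of the original thread or of FreeIPA itself: it lists every certificate in a bundle with its subject and issuer and reports whether it carries the CA basic constraint (CA:TRUE), the property the "not a CA certificate" error refers to, so a leaf or mis-ordered certificate in the chain file is visible at a glance. It assumes only the openssl CLI; the function names and file names are the author's placeholders.

```shell
#!/bin/sh
# Constructed diagnostic: split a PEM bundle into its certificates and flag
# any that are not marked as a CA. Requires the openssl CLI.

# Number of certificates in a PEM bundle.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Split bundle $1 into numbered single-certificate files under directory $2.
split_pem() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", dir, n) }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$1"
}

# Print one line per certificate: file, CA flag, subject, issuer.
# Returns 0 only if every certificate in the bundle has basicConstraints CA:TRUE.
inspect_bundle() {
    bundle=$1
    tmp=$(mktemp -d) || return 2
    split_pem "$bundle" "$tmp"
    rc=0
    for f in "$tmp"/cert-*.pem; do
        [ -e "$f" ] || { echo "no certificates found in $bundle" >&2; rc=1; break; }
        subj=$(openssl x509 -in "$f" -noout -subject)
        issuer=$(openssl x509 -in "$f" -noout -issuer)
        # The Basic Constraints value is printed on the line after its header.
        if openssl x509 -in "$f" -noout -text | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'; then
            flag=CA
        else
            flag=NOT-CA
            rc=1
        fi
        echo "$(basename "$f") [$flag] $subj / $issuer"
    done
    rm -rf "$tmp"
    return $rc
}

# Usage: inspect_bundle ca_chain_cert.pem; inspect_bundle idm-app-pilot-file.pem
```

Run it against each file passed to --external-cert-file; any line marked NOT-CA identifies a certificate the renew step will not accept as part of the CA chain.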
