On Wed, Oct 09, 2019 at 06:28:11PM -0500, Kevin Vasko via FreeIPA-users wrote:
> Hello,
>
> I’m wanting to make our https servers use a trusted certificate within our
> LAN only. So for example if I have websrv1.ny.example.com when a user uses a
> machine that’s enrolled into our realm and they visit
> https://websrv1.ny.example.com they shouldn’t be prompted to accept the self
> signed certificate.
>
> I think I’m pretty close but I’m missing a small part.
>
> The ipa server is all set up and working. Hosts are enrolled to ipa and have
> the /etc/ipa/ca.crt.
>
> I have created a service for the http server in IPA. I have obtained a .key
> file and .crt file for my web server. Those keys for the web server are in
> the appropriate location and the web server is pointing at the certs
> correctly.
>
> On my clients when I go to the web server's URL I am no longer getting a “self
> signed cert” error message in the browser.
>
> That message has now changed to “unverified certificate authority”. Which
> basically indicates to me that the browser doesn’t know if this certificate
> authority should/can be trusted.
>
> If I go in the browser (Firefox or Chrome) in the certificate authority
> section and import the /etc/ipa/ca.crt I get no errors in the browser about
> it being unverified.
>
> So my question is, what am I missing to make the /etc/ipa/ca.crt file
> globally available for browsers to pick up the certificate automatically?
>
> When we enroll a host we simply do
>
> freeipa-install-client --domain=example.com --realm=EXAMPLE.COM --mkhomedir
>
> Accept the defaults, put in the password to enroll and that’s it. Is there
> something I’m missing?
>
> -Kevin
>

Looks like the browser is not using the system trust store. Please provide
full details of operating system and package versions for both freeipa and
browser packages.

Cheers,
Fraser