Hello,

Thanks to this group's help, I'm learning my way through IPA's certificate system.

I read Fraser's well-written post on creating sub-CAs, and successfully got everything to work. I then ran into the same problem Kevin Vasko hit in this thread:

https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/45CQE3CGG5QFZ5YMRGYJDICB7WWFWAVQ/

It seems Debian-based Chrome and Firefox don't implicitly trust the OS root certificate store. For each Firefox profile (about:profiles), the NSS db is in ~/.mozilla/firefox/<profile>. The certs in this directory can be listed with:

    certutil -d sql:/home/nick/.mozilla/firefox/4sar5x5s.default-release/ -L

On Ubuntu 18.04, after installing and configuring IPA client (# ipa-client-install --mkhomedir), the IPA certificate is listed in the store. Still, Firefox doesn't trust the IPA server or its trusted hosts. Why???

It's been established that Linux Firefox and Linux Chrome don't trust the OS trusted certificate stores. It seems, with all that comes with assumptions, that Firefox doesn't trust its own profile store, either.

Nick
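In an NSS database, a certificate that `certutil -L` lists is not necessarily a trust anchor: the trust-attributes column decides, and a `C` in its first (SSL) position marks a CA trusted to issue server certificates. The following is an added example, not part of the original post; it classifies `certutil -L` entries by that column, and its function names and sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# Real use: certutil -d sql:"$HOME/.mozilla/firefox/<profile>" -L | classify_nss_trust

# Reads `certutil -L` output on stdin and prints, per entry:
#   <verdict> TAB <nickname> TAB <trust flags>
classify_nss_trust() {
    awk '
    # Entry lines end in a three-part flag field such as "CT,C,C" or ",,";
    # the two header lines and blank lines do not match.
    $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
        flags = $NF
        nick = $0
        sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)   # strip the flag column
        sub(/^[ \t]+/, "", nick)
        split(flags, f, ",")                    # f[1] is the SSL position
        if (f[1] ~ /C/)      verdict = "TRUSTED_CA_FOR_TLS_SERVERS"
        else if (f[1] ~ /P/) verdict = "TRUSTED_PEER"
        else if (f[1] ~ /c/) verdict = "VALID_CA_NOT_TRUST_ANCHOR"
        else                 verdict = "LISTED_ONLY"
        printf "%s\t%s\t%s\n", verdict, nick, flags
    }'
}

# Constructed sample of `certutil -L` output; nicknames are placeholders.
sample_listing() {
cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.TEST IPA CA                                          CT,C,C
EXAMPLE.TEST sub-CA                                          ,,
Old intermediate                                             c,,
EOF
}

sample_listing | classify_nss_trust
```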