Hello,

Here's the output for these commands

[root@ipa ~]# update-crypto-policies --show
DEFAULT
[root@ipa ~]# cat /etc/krb5.conf.d/crypto-policies
[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes128-cts-hmac-sha1-96
[root@ipa ~]# getcert list -f /var/kerberos/krb5kdc/kdc.crt
Number of certificates and requests being tracked: 9.
Request ID '20220225155300':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
        certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
        CA: IPA
        issuer: CN=Certificate Authority,O=IPA.WEB1.FI
        subject: CN=ipa.tku-2.web1.fi,O=IPA.WEB1.FI
        issued: 2022-02-25 17:53:01 EET
        expires: 2024-02-26 17:53:01 EET
        dns: ipa.tku-2.web1.fi
        principal name: krbtgt/[email protected]
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-pkinit-KPKdc
        profile: KDCs_PKINIT_Certs
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
        track: yes
        auto-renew: yes

This is run on an updated openssl version.
It's 1:1 with the earlier "working openssl" if I compare the output to our
tre-1 ipa server (ofc. CN is pointing elsewhere there, but ciphers etc.)