roy liang via FreeIPA-users wrote:
> https://frasertweedale.github.io/blog-redhat/posts/2019-10-24-removing-ipa-ca.html
> I'm going to try this scheme instead of CA
> httpd.pem ldap.pem ldap.pem httpd.pem ldap. I hope I can get some guidance.
> Thank you
>
> 1: Generate ca-key ca-cert
> #openssl req -new -x509 -keyout ca-key -out ca-cert -days 365
>
> 2: Generate certificate signing request:
> #openssl req -new -key ca-key -out csr.csr
>
> 3: Generate pem
> openssl req -x509 -days 365 -key ca-key -in csr.csr -out http.pem
> openssl req -x509 -days 365 -key ca-key -in csr.csr -out ldap.pem
>
> 4: install freeipa
> root@migration-ipa-65:~/test_ca# ipa-cacert-manage install ca-cert
> Installing CA certificate, please wait
> CA certificate successfully installed
>
> 5: install http.pem
> root@migration-ipa-65:~/test_ca# ipa-server-certinstall \
> > --dirman-pass xxx \
> > --http /root/test_ca/http.pem --pin xxx
> No server certificates found in /root/test_ca/http.pem
> The ipa-server-certinstall command failed.
I don't know if you've simplified the commands but this looks insufficient to generate the CA at a minimum. You need to set CA basic constraints to be a valid CA. Similarly you'll probably need constraints on the server cert as well (e.g. setting the EKU, SKI, AKI, etc). Plus subject alternative name(s) on the server cert.

rob

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
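As an added illustration of the extensions rob lists (not code from the thread or from FreeIPA), the script below mints a CA whose certificate carries basicConstraints CA:TRUE, issues a CA-signed server certificate with EKU, SKI, AKI and a SAN, and then verifies the result with openssl. The output directory and hostname are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example, not code from the thread: mint a CA with CA:TRUE and a
# CA-signed server cert carrying EKU, SKI, AKI and a SAN, then verify it.
# Directory and hostname are placeholders chosen by the caller.
set -eu

make_certs() {
  dir="$1"; host="$2"
  mkdir -p "$dir"
  # basicConstraints CA:TRUE (plus keyCertSign) is what makes a usable CA
  cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example Test CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -new -x509 -newkey rsa:2048 -nodes -days 365 -config "$dir/ca.cnf" \
    -keyout "$dir/ca-key.pem" -out "$dir/ca-cert.pem" 2>/dev/null
  # Server: its own key and CSR, signed by the CA (not self-signed with req -x509)
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$dir/http-key.pem" -out "$dir/http.csr" 2>/dev/null
  cat > "$dir/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:$host
EOF
  openssl x509 -req -days 365 -in "$dir/http.csr" -CA "$dir/ca-cert.pem" \
    -CAkey "$dir/ca-key.pem" -CAcreateserial -extfile "$dir/server.ext" \
    -out "$dir/http.pem" 2>/dev/null
}

# Succeeds only if the chain verifies for $host and the expected extensions are present
check_certs() {
  dir="$1"; host="$2"
  openssl verify -CAfile "$dir/ca-cert.pem" -verify_hostname "$host" "$dir/http.pem" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/ca-cert.pem" -noout -text | grep -q 'CA:TRUE' || return 1
  openssl x509 -in "$dir/http.pem" -noout -text | grep -q "DNS:$host" || return 1
}
```

Running `make_certs /tmp/testca ipa.example.test && check_certs /tmp/testca ipa.example.test` produces a ca-cert.pem and http.pem pair that openssl accepts as a valid chain for that hostname.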
