Hi Rob, Thanks for the reply, Here are the errors up on including .pem , please let us know if more details required on this
[root@ Apache]# ipa-server-certinstall --http --dirsrv central.key gd_bundle-g2-g1.crt 1f1f7ab616938168.pem Directory Manager password: Enter private key unlock password: Peer's certificate issuer is not trusted ((SEC_ERROR_UNKNOWN_ISSUER) Peer's Certificate issuer is not recognized.). Please run ipa-cacert-manage install and ipa-certupdate to install the CA certificate. The ipa-server-certinstall command failed. ============================================================================= Tried to run ipa-cacert-manage install [root@ Apache]# ipa-cacert-manage install 1f1f7ab616938168.pem Installing CA certificate, please wait Not a valid CA certificate: not a CA certificate (visit http://www.freeipa.org/page/Troubleshooting for troubleshooting guide) The ipa-cacert-manage command failed. [root@ Apache]# ==================================================== [root@ Apache]# [root@ Apache]# certutil -L -d /etc/pki/pki-tomcat/alias Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI ocspSigningCert cert-pki-ca u,u,u subsystemCert cert-pki-ca u,u,u Server-Cert cert-pki-ca u,u,u auditSigningCert cert-pki-ca u,u,Pu caSigningCert cert-pki-ca CTu,Cu,Cu [root@ Apache]# [root@ Apache]# certutil -L -d /etc/httpd/alias/ Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI Server-Cert u,u,u IPA.EXAMPLE.COM IPA CA CT,C,C [root@ Apache]# [root@ Apache]# [root@ Apache]# certutil -L -d /etc/dirsrv/slapd-IPA-ONMOBILE-COM/ Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI Server-Cert u,u,u IPA.EXAMPLE.COM IPA CA CT,C,C [root@ Apache]# =========================================================== Regards Sai -----Original Message----- From: Rob Crittenden <[email protected]> Sent: 06 July 2023 20:55 To: FreeIPA users list <[email protected]> Cc: Polavarapu Manideep Sai <[email protected]> Subject: Re: [Freeipa-users] Help-Installing Third-Party Certificates for HTTP or LDAP CAUTION. This email originated from outside the organization. Please exercise caution before clicking on links or attachments in case of suspicion or unknown senders. Polavarapu Manideep Sai via FreeIPA-users wrote: > Hi Team, > > > > I have generated central.csr and central.key in my ipa server and > shared this central.csr to third-party certificate authority and i got > certificates from certificate authority with two directories one as > apache directory and it's certificates are 1f1f7ab616938168.crt, > 1f1f7ab616938168.pem and gd_bundle-g2-g1.crt and another directory > with tomcat name and its certficates are 1f1f7ab616938168.crt, > 1f1f7ab616938168.pem, gd_bundle-g2-g1.crt and gdig2.crt.pem, now i > want to install these certficates in my ipa server can you please > guide on the same ? The process you describe is a little hard to follow. You submitted a single CSR and got two certficates back? What does "tomcat name" mean? Is it using a different key? Do you intend on replacing the server certificate for the CA as well? If so, why? > > I tried this, but getting the below error, can you please share the > steps to install this SSL certficates > > > > [root@ Apache]# ipa --version > > VERSION: 4.5.0, API_VERSION: 2.228 > > > > ipa-server-certinstall --http --dirsrv ssl.key ssl.crt > > [root@Apache]# ipa-server-certinstall --http --dirsrv central.key > gd_bundle-g2-g1.crt > > Directory Manager password: > > > > Enter private key unlock password: > > > > No matching certificate found for private key from central.key You didn't include the server certificate file you got, ex. 1f1f7ab616938168.pem rob ________________________________ DISCLAIMER: The information in this message is confidential and may be legally privileged. It is intended solely for the addressee. Access to this message by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, or distribution of the message, or any action or omission taken by you in reliance on it, is prohibited and may be unlawful. Please immediately contact the sender if you have received this message in error. Further, this e-mail may contain viruses and all reasonable precaution to minimize the risk arising there from is taken by OnMobile. OnMobile is not liable for any damage sustained by you as a result of any virus in this e-mail. All applicable virus checks should be carried out by you before opening this e-mail or any attachment thereto. Thank you - OnMobile Global Limited. _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
