Here are the answers for the questions asked
1.You submitted a single CSR and got two certficates back?
Yes, I have shared single CSR and got two certificates back.
2. What does "tomcat name" mean? Is it using a different key?
Here are the certificate details:
Received these two zip files
1. ipa.example.com_Apache.zip
2. ipa.example.com_TOMCAT.zip
[root@ Certificates]# tree
.
├── Apache
│ ├── 1f1f7ab616938168.crt
│ ├── 1f1f7ab616938168.pem
│ └── gd_bundle-g2-g1.crt
└── Tomcat
├── 1f1f7ab616938168.crt
├── 1f1f7ab616938168.pem
├── gd_bundle-g2-g1.crt
└── gdig2.crt.pem
3. Do you intend on replacing the server certificate for the CA as well? If so,
why?
NO
Regards
Sai
-----Original Message-----
From: Polavarapu Manideep Sai via FreeIPA-users
<[email protected]>
Sent: 06 July 2023 22:28
To: Rob Crittenden <[email protected]>; FreeIPA users list
<[email protected]>
Cc: Polavarapu Manideep Sai <[email protected]>
Subject: [Freeipa-users] Re: Help-Installing Third-Party Certificates for HTTP
or LDAP
CAUTION. This email originated from outside the organization. Please exercise
caution before clicking on links or attachments in case of suspicion or unknown
senders.
Hi Rob,
Thanks for the reply, Here are the errors up on including .pem , please let us
know if more details required on this
[root@ Apache]# ipa-server-certinstall --http --dirsrv central.key
gd_bundle-g2-g1.crt 1f1f7ab616938168.pem Directory Manager password:
Enter private key unlock password:
Peer's certificate issuer is not trusted ((SEC_ERROR_UNKNOWN_ISSUER) Peer's
Certificate issuer is not recognized.). Please run ipa-cacert-manage install
and ipa-certupdate to install the CA certificate.
The ipa-server-certinstall command failed.
=============================================================================
Tried to run ipa-cacert-manage install
[root@ Apache]# ipa-cacert-manage install 1f1f7ab616938168.pem Installing CA
certificate, please wait Not a valid CA certificate: not a CA certificate
(visit http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
The ipa-cacert-manage command failed.
[root@ Apache]#
====================================================
[root@ Apache]#
[root@ Apache]# certutil -L -d /etc/pki/pki-tomcat/alias
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
ocspSigningCert cert-pki-ca u,u,u
subsystemCert cert-pki-ca u,u,u
Server-Cert cert-pki-ca u,u,u
auditSigningCert cert-pki-ca u,u,Pu
caSigningCert cert-pki-ca CTu,Cu,Cu
[root@ Apache]#
[root@ Apache]# certutil -L -d /etc/httpd/alias/
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Server-Cert u,u,u
IPA.EXAMPLE.COM IPA CA CT,C,C
[root@ Apache]#
[root@ Apache]#
[root@ Apache]# certutil -L -d /etc/dirsrv/slapd-IPA-ONMOBILE-COM/
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Server-Cert u,u,u
IPA.EXAMPLE.COM IPA CA CT,C,C
[root@ Apache]#
===========================================================
Regards
Sai
-----Original Message-----
From: Rob Crittenden <[email protected]>
Sent: 06 July 2023 20:55
To: FreeIPA users list <[email protected]>
Cc: Polavarapu Manideep Sai <[email protected]>
Subject: Re: [Freeipa-users] Help-Installing Third-Party Certificates for HTTP
or LDAP
CAUTION. This email originated from outside the organization. Please exercise
caution before clicking on links or attachments in case of suspicion or unknown
senders.
Polavarapu Manideep Sai via FreeIPA-users wrote:
> Hi Team,
>
>
>
> I have generated central.csr and central.key in my ipa server and
> shared this central.csr to third-party certificate authority and i got
> certificates from certificate authority with two directories one as
> apache directory and it's certificates are 1f1f7ab616938168.crt,
> 1f1f7ab616938168.pem and gd_bundle-g2-g1.crt and another directory
> with tomcat name and its certficates are 1f1f7ab616938168.crt,
> 1f1f7ab616938168.pem, gd_bundle-g2-g1.crt and gdig2.crt.pem, now i
> want to install these certficates in my ipa server can you please
> guide on the same ?
The process you describe is a little hard to follow. You submitted a single
CSR and got two certficates back? What does "tomcat name" mean?
Is it using a different key? Do you intend on replacing the server certificate
for the CA as well? If so, why?
>
> I tried this, but getting the below error, can you please share the
> steps to install this SSL certficates
>
>
>
> [root@ Apache]# ipa --version
>
> VERSION: 4.5.0, API_VERSION: 2.228
>
>
>
> ipa-server-certinstall --http --dirsrv ssl.key ssl.crt
>
> [root@Apache]# ipa-server-certinstall --http --dirsrv central.key
> gd_bundle-g2-g1.crt
>
> Directory Manager password:
>
>
>
> Enter private key unlock password:
>
>
>
> No matching certificate found for private key from central.key
You didn't include the server certificate file you got, ex.
1f1f7ab616938168.pem
rob
________________________________
DISCLAIMER: The information in this message is confidential and may be legally
privileged. It is intended solely for the addressee. Access to this message by
anyone else is unauthorized. If you are not the intended recipient, any
disclosure, copying, or distribution of the message, or any action or omission
taken by you in reliance on it, is prohibited and may be unlawful. Please
immediately contact the sender if you have received this message in error.
Further, this e-mail may contain viruses and all reasonable precaution to
minimize the risk arising there from is taken by OnMobile. OnMobile is not
liable for any damage sustained by you as a result of any virus in this e-mail.
All applicable virus checks should be carried out by you before opening this
e-mail or any attachment thereto.
Thank you - OnMobile Global Limited.
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
________________________________
DISCLAIMER: The information in this message is confidential and may be legally
privileged. It is intended solely for the addressee. Access to this message by
anyone else is unauthorized. If you are not the intended recipient, any
disclosure, copying, or distribution of the message, or any action or omission
taken by you in reliance on it, is prohibited and may be unlawful. Please
immediately contact the sender if you have received this message in error.
Further, this e-mail may contain viruses and all reasonable precaution to
minimize the risk arising there from is taken by OnMobile. OnMobile is not
liable for any damage sustained by you as a result of any virus in this e-mail.
All applicable virus checks should be carried out by you before opening this
e-mail or any attachment thereto.
Thank you - OnMobile Global Limited.
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
