Polavarapu Manideep Sai wrote:
> Here are the answers for the questions asked
>
> 1. You submitted a single CSR and got two certificates back?
>
> Yes, I have shared a single CSR and got two certificates back.
>
> 2. What does "tomcat name" mean? Is it using a different key?
>
> Here are the certificate details:
>
> Received these two zip files
>
> 1. ipa.example.com_Apache.zip
> 2. ipa.example.com_TOMCAT.zip
>
> [root@ Certificates]# tree
> .
> ├── Apache
> │   ├── 1f1f7ab616938168.crt
> │   ├── 1f1f7ab616938168.pem
> │   └── gd_bundle-g2-g1.crt
> └── Tomcat
>     ├── 1f1f7ab616938168.crt
>     ├── 1f1f7ab616938168.pem
>     ├── gd_bundle-g2-g1.crt
>     └── gdig2.crt.pem
>
> 3. Do you intend on replacing the server certificate for the CA as well? If
> so, why?

You have to first install the CA chain using ipa-cacert-manage install
/path/to/file. Then run ipa-certupdate ON ALL OF YOUR IPA SERVERS AND
CLIENTS. Apologies for shouting but if you fail to do this step then any
non-updated machines may not trust the new IPA Apache cert and that would
be bad.

Assuming the chain they provided is complete that should resolve the
ipa-server-certinstall issue.

rob

> NO
>
> Regards
> Sai
>
> -----Original Message-----
> From: Polavarapu Manideep Sai via FreeIPA-users
> <[email protected]>
> Sent: 06 July 2023 22:28
> To: Rob Crittenden <[email protected]>; FreeIPA users list
> <[email protected]>
> Cc: Polavarapu Manideep Sai <[email protected]>
> Subject: [Freeipa-users] Re: Help-Installing Third-Party Certificates for
> HTTP or LDAP
>
> CAUTION. This email originated from outside the organization. Please exercise
> caution before clicking on links or attachments in case of suspicion or
> unknown senders.
>
> Hi Rob,
>
> Thanks for the reply. Here are the errors upon including the .pem; please let
> us know if more details are required on this.
>
> [root@ Apache]# ipa-server-certinstall --http --dirsrv central.key gd_bundle-g2-g1.crt 1f1f7ab616938168.pem
> Directory Manager password:
>
> Enter private key unlock password:
>
> Peer's certificate issuer is not trusted ((SEC_ERROR_UNKNOWN_ISSUER) Peer's
> Certificate issuer is not recognized.). Please run ipa-cacert-manage install
> and ipa-certupdate to install the CA certificate.
> The ipa-server-certinstall command failed.
>
> =============================================================================
> Tried to run ipa-cacert-manage install
>
> [root@ Apache]# ipa-cacert-manage install 1f1f7ab616938168.pem
> Installing CA certificate, please wait
> Not a valid CA certificate: not a CA certificate
> (visit http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
> The ipa-cacert-manage command failed.
> [root@ Apache]#
>
> ====================================================
>
> [root@ Apache]# certutil -L -d /etc/pki/pki-tomcat/alias
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> ocspSigningCert cert-pki-ca                                  u,u,u
> subsystemCert cert-pki-ca                                    u,u,u
> Server-Cert cert-pki-ca                                      u,u,u
> auditSigningCert cert-pki-ca                                 u,u,Pu
> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
> [root@ Apache]#
>
> [root@ Apache]# certutil -L -d /etc/httpd/alias/
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> Server-Cert                                                  u,u,u
> IPA.EXAMPLE.COM IPA CA                                       CT,C,C
> [root@ Apache]#
>
> [root@ Apache]# certutil -L -d /etc/dirsrv/slapd-IPA-ONMOBILE-COM/
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> Server-Cert                                                  u,u,u
> IPA.EXAMPLE.COM IPA CA                                       CT,C,C
> [root@ Apache]#
>
> ===========================================================
>
> Regards
> Sai
>
> -----Original Message-----
> From: Rob Crittenden <[email protected]>
> Sent: 06 July 2023 20:55
> To: FreeIPA users list <[email protected]>
> Cc: Polavarapu Manideep Sai <[email protected]>
> Subject: Re: [Freeipa-users] Help-Installing Third-Party Certificates for
> HTTP or LDAP
>
> Polavarapu Manideep Sai via FreeIPA-users wrote:
>> Hi Team,
>>
>> I have generated central.csr and central.key in my ipa server and
>> shared this central.csr to a third-party certificate authority, and I got
>> certificates from the certificate authority with two directories: one as
>> apache directory and its certificates are 1f1f7ab616938168.crt,
>> 1f1f7ab616938168.pem and gd_bundle-g2-g1.crt, and another directory
>> with tomcat name and its certificates are 1f1f7ab616938168.crt,
>> 1f1f7ab616938168.pem, gd_bundle-g2-g1.crt and gdig2.crt.pem. Now I
>> want to install these certificates in my ipa server; can you please
>> guide on the same?
>
> The process you describe is a little hard to follow. You submitted a single
> CSR and got two certificates back? What does "tomcat name" mean?
> Is it using a different key? Do you intend on replacing the server
> certificate for the CA as well? If so, why?
>
>> I tried this, but getting the below error, can you please share the
>> steps to install these SSL certificates
>>
>> [root@ Apache]# ipa --version
>>
>> VERSION: 4.5.0, API_VERSION: 2.228
>>
>> ipa-server-certinstall --http --dirsrv ssl.key ssl.crt
>>
>> [root@Apache]# ipa-server-certinstall --http --dirsrv central.key
>> gd_bundle-g2-g1.crt
>>
>> Directory Manager password:
>>
>> Enter private key unlock password:
>>
>> No matching certificate found for private key from central.key
>
> You didn't include the server certificate file you got, ex.
> 1f1f7ab616938168.pem
>
> rob
>
> ________________________________
>
> DISCLAIMER: The information in this message is confidential and may be
> legally privileged. It is intended solely for the addressee. Access to this
> message by anyone else is unauthorized. If you are not the intended
> recipient, any disclosure, copying, or distribution of the message, or any
> action or omission taken by you in reliance on it, is prohibited and may be
> unlawful. Please immediately contact the sender if you have received this
> message in error. Further, this e-mail may contain viruses and all reasonable
> precaution to minimize the risk arising there from is taken by OnMobile.
> OnMobile is not liable for any damage sustained by you as a result of any
> virus in this e-mail. All applicable virus checks should be carried out by
> you before opening this e-mail or any attachment thereto.
> Thank you - OnMobile Global Limited.
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
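The three errors in this thread each come from feeding the wrong file to the wrong tool: the leaf certificate to ipa-cacert-manage ("not a CA certificate"), the intermediate bundle without the leaf to ipa-server-certinstall ("No matching certificate found for private key"), and the leaf before its chain was installed and pushed out with ipa-certupdate (SEC_ERROR_UNKNOWN_ISSUER). The following script is an added example, not part of the thread and not FreeIPA project code; it sorts a CA's deliverables into "CA certificate" versus "server certificate for this key" and checks that the leaf chains to a root, using only openssl(1). The three-tier PKI it builds in a temporary directory is constructed for the demonstration; the file names central.key, gd_bundle-g2-g1.crt and 1f1f7ab616938168.pem are reused only as labels and the certificates inside are not GoDaddy's.

```shell
#!/bin/sh
# Added example: triage the files a commercial CA hands back before running
# ipa-cacert-manage install / ipa-server-certinstall.  Needs only openssl(1).

# is_ca_cert FILE: true if the first certificate in FILE carries
# X509v3 Basic Constraints CA:TRUE (what ipa-cacert-manage install expects).
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# key_matches_cert KEY CERT: true if CERT holds the public half of KEY.
# Both sides are rendered as PEM SubjectPublicKeyInfo and compared verbatim;
# an unreadable key or cert yields an empty string and therefore "no match".
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# chain_verifies ROOT INTERMEDIATES LEAF: true if LEAF builds a path to the
# self-signed ROOT through INTERMEDIATES (the gd_bundle-g2-g1.crt role).
# ROOT is what must be installed with ipa-cacert-manage and distributed
# with ipa-certupdate; the intermediates alone are not a trust anchor.
chain_verifies() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# classify KEY FILE: one verdict line saying which IPA tool FILE belongs to.
classify() {
    if is_ca_cert "$2"; then
        echo "$2: CA certificate -> ipa-cacert-manage install"
    elif key_matches_cert "$1" "$2"; then
        echo "$2: server certificate for $1 -> ipa-server-certinstall"
    else
        echo "$2: end-entity certificate that does NOT match $1"
    fi
}

# make_fixture DIR: constructed PKI (root -> intermediate -> server leaf)
# plus a stray key that was never submitted in any CSR.  Demo data only.
make_fixture() {
    d=$1
    mkdir -p "$d"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ipa.example.com\n' > "$d/leaf.ext"
    # self-signed root (the role the public root plays in the real trust store)
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.csr" \
        -subj "/CN=Example Root G2" >/dev/null 2>&1
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -extfile "$d/ca.ext" \
        -days 3650 -out "$d/root.crt" >/dev/null 2>&1
    # intermediate, standing in for gd_bundle-g2-g1.crt
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/inter.key" -out "$d/inter.csr" \
        -subj "/CN=Example Secure CA G2" >/dev/null 2>&1
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
        -extfile "$d/ca.ext" -days 1825 -out "$d/gd_bundle-g2-g1.crt" >/dev/null 2>&1
    # server key + CSR (central.key / central.csr) and the leaf the CA returns
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/central.key" -out "$d/central.csr" \
        -subj "/CN=ipa.example.com" >/dev/null 2>&1
    openssl x509 -req -in "$d/central.csr" -CA "$d/gd_bundle-g2-g1.crt" -CAkey "$d/inter.key" \
        -CAcreateserial -extfile "$d/leaf.ext" -days 398 -out "$d/1f1f7ab616938168.pem" >/dev/null 2>&1
    # a key that never went into a CSR, to show the "no matching certificate" case
    openssl genpkey -algorithm RSA -out "$d/other.key" >/dev/null 2>&1
}

FIXTURE=$(mktemp -d)
trap 'rm -rf "$FIXTURE"' EXIT
make_fixture "$FIXTURE"
for f in gd_bundle-g2-g1.crt 1f1f7ab616938168.pem; do
    classify "$FIXTURE/central.key" "$FIXTURE/$f"
done
chain_verifies "$FIXTURE/root.crt" "$FIXTURE/gd_bundle-g2-g1.crt" "$FIXTURE/1f1f7ab616938168.pem" \
    && echo "leaf chains to root via the bundle: safe to install root, run ipa-certupdate, then ipa-server-certinstall"
```

On a real server, replace the fixture with the files from the CA's zip and the key you generated the CSR with; anything reported as "does NOT match" is either the wrong key or a certificate issued for a different CSR, and a bundle that fails chain_verifies against the root you intend to install is what produces the unknown-issuer failure after ipa-server-certinstall.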
