Hi Rob,

As mentioned in my previous response, here is the error upon executing
ipa-cacert-manage install.
Please let me know if any other details are required on this.


[root@ Apache]# ipa-cacert-manage install 1f1f7ab616938168.crt
Installing CA certificate, please wait
Not a valid CA certificate: not a CA certificate (visit
http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
The ipa-cacert-manage command failed.

[root@ Apache]# ipa-cacert-manage install 1f1f7ab616938168.pem
Installing CA certificate, please wait
Not a valid CA certificate: not a CA certificate (visit
http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
The ipa-cacert-manage command failed.

[root@ Apache]# ipa-cacert-manage install gd_bundle-g2-g1.crt
Installing CA certificate, please wait
(SEC_ERROR_NO_TOKEN) The security card or token does not exist, needs to be
initialized, or has been removed.
The ipa-cacert-manage command failed.

Regards
ManidepSai
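The sequence Rob gives in the quoted reply below (install the CA chain with ipa-cacert-manage, run ipa-certupdate on every server and client, then ipa-server-certinstall with the private key and the server certificate) fails at the first step if the file handed to ipa-cacert-manage is the end-entity certificate rather than a CA certificate, and at the last step if the key does not belong to the certificate (the "No matching certificate found for private key" case from Rob's first reply). The following is an added example, not code from this thread or from the FreeIPA project, of pre-flight checks that tell those cases apart with the openssl CLI: it classifies each certificate in a PEM file by its basicConstraints extension, splits a bundle into one file per certificate, and confirms that a private key matches a certificate. It assumes openssl is on the PATH; the function names are the example's own, and the file names in the usage comment (gd_bundle-g2-g1.crt, central.key, 1f1f7ab616938168.pem) are the thread's file names used only as placeholders.

```bash
#!/bin/bash
# Added example for this thread, not FreeIPA project code. Pre-flight checks
# for the sequence ipa-cacert-manage install -> ipa-certupdate ->
# ipa-server-certinstall. Assumes the openssl CLI is on the PATH; the function
# names are this example's own.
set -u

# classify_cert FILE: print CA or LEAF for one PEM certificate, based on the
# basicConstraints extension. A certificate with CA:FALSE, or with no
# basicConstraints at all, is an end-entity (server) certificate, which is
# not what ipa-cacert-manage install expects.
classify_cert() {
    if openssl x509 -in "$1" -noout -text 2>/dev/null \
            | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'; then
        echo CA
    else
        echo LEAF
    fi
}

# split_bundle BUNDLE DIR: write each certificate of BUNDLE to DIR/cert-NN.pem
# in bundle order and print how many files were written. Text between
# certificates (blank lines, "Bag Attributes") is dropped.
split_bundle() {
    local bundle=$1 dir=$2
    mkdir -p "$dir"
    awk -v dir="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n); inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { close(out); inside = 0 }
    ' "$bundle"
    ls "$dir"/cert-*.pem 2>/dev/null | wc -l | tr -d ' '
}

# count_leaf_certs BUNDLE: print the number of non-CA certificates in BUNDLE.
# A pure CA chain, which is what ipa-cacert-manage wants, gives 0.
count_leaf_certs() {
    local dir leaf=0 f
    dir=$(mktemp -d)
    split_bundle "$1" "$dir" >/dev/null
    for f in "$dir"/cert-*.pem; do
        [ -e "$f" ] || continue
        [ "$(classify_cert "$f")" = LEAF ] && leaf=$((leaf + 1))
    done
    rm -rf "$dir"
    echo "$leaf"
}

# key_matches_cert KEY CERT: succeed only if KEY's public key equals the
# public key in CERT, compared as SubjectPublicKeyInfo PEM. This is the
# condition behind "No matching certificate found for private key".
# An encrypted KEY makes openssl prompt for its passphrase.
key_matches_cert() {
    local k c
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# preflight CHAIN KEY CERT: refuse to continue if CHAIN holds a non-CA
# certificate, KEY does not belong to CERT, or CERT is itself a CA
# certificate; otherwise print the IPA commands to run, in order.
# Nothing is executed here.
preflight() {
    local chain=$1 key=$2 cert=$3
    if [ "$(count_leaf_certs "$chain")" -ne 0 ]; then
        echo "$chain contains a non-CA certificate; do not pass it to ipa-cacert-manage" >&2
        return 1
    fi
    if ! key_matches_cert "$key" "$cert"; then
        echo "$key does not match the public key in $cert" >&2
        return 1
    fi
    if [ "$(classify_cert "$cert")" != LEAF ]; then
        echo "$cert is a CA certificate, not a server certificate" >&2
        return 1
    fi
    echo "ipa-cacert-manage install $chain"
    echo "ipa-certupdate               # on every IPA server and client"
    echo "ipa-server-certinstall --http --dirsrv $key $cert"
}

# Usage: preflight.sh CHAIN KEY CERT, e.g. with the thread's file names:
#   preflight.sh gd_bundle-g2-g1.crt central.key 1f1f7ab616938168.pem
if [ "$#" -eq 3 ]; then
    preflight "$1" "$2" "$3"
fi
```

With the thread's files, count_leaf_certs on 1f1f7ab616938168.pem reports 1 (it is the server certificate), which is the situation behind the "not a CA certificate" message, whereas the issuer bundle should report 0. key_matches_cert on central.key and 1f1f7ab616938168.pem is the check that ipa-server-certinstall performs implicitly when it pairs the key with a certificate; an encrypted key prompts for the unlock password, as in the thread. The printed command order is the one Rob gives, and the script deliberately does not run the IPA commands, since ipa-certupdate has to be repeated on every server and client and is best run by hand.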


-----Original Message-----
From: Rob Crittenden <[email protected]>
Sent: 07 July 2023 00:16
To: Polavarapu Manideep Sai <[email protected]>; FreeIPA users list 
<[email protected]>
Subject: Re: [Freeipa-users] Re: Help-Installing Third-Party Certificates for 
HTTP or LDAP


CAUTION. This email originated from outside the organization. Please exercise 
caution before clicking on links or attachments in case of suspicion or unknown 
senders.




Polavarapu Manideep Sai wrote:
> Here are the answers for the questions asked
>
>
> 1. You submitted a single CSR and got two certificates back?
> Yes, I have shared single CSR and got two certificates back.
>
> 2. What does "tomcat name" mean? Is it using a different key?
>
> Here are the certificate details:
>
> Received these two zip files
>
> 1. ipa.example.com_Apache.zip
> 2. ipa.example.com_TOMCAT.zip
>
> [root@ Certificates]# tree
> .
> ├── Apache
> │   ├── 1f1f7ab616938168.crt
> │   ├── 1f1f7ab616938168.pem
> │   └── gd_bundle-g2-g1.crt
> └── Tomcat
>     ├── 1f1f7ab616938168.crt
>     ├── 1f1f7ab616938168.pem
>     ├── gd_bundle-g2-g1.crt
>     └── gdig2.crt.pem
>
>
> 3. Do you intend on replacing the server certificate for the CA as well? If 
> so, why?

You have to first install the CA chain using ipa-cacert-manage install 
/path/to/file.

Then run ipa-certupdate ON ALL OF YOUR IPA SERVERS AND CLIENTS.

Apologies for shouting but if you fail to do this step then any non-updated 
machines may not trust the new IPA Apache cert and that would be bad.

Assuming the chain they provided is complete that should resolve the 
ipa-server-certinstall issue.

rob

>
> NO
>
> Regards
> Sai
>
>
>
> -----Original Message-----
> From: Polavarapu Manideep Sai via FreeIPA-users
> <[email protected]>
> Sent: 06 July 2023 22:28
> To: Rob Crittenden <[email protected]>; FreeIPA users list
> <[email protected]>
> Cc: Polavarapu Manideep Sai <[email protected]>
> Subject: [Freeipa-users] Re: Help-Installing Third-Party Certificates
> for HTTP or LDAP
>
>
> Hi Rob,
>
> Thanks for the reply. Here are the errors upon including the .pem;
> please let us know if more details are required on this.
>
> [root@ Apache]# ipa-server-certinstall --http --dirsrv central.key gd_bundle-g2-g1.crt 1f1f7ab616938168.pem
> Directory Manager password:
>
> Enter private key unlock password:
>
> Peer's certificate issuer is not trusted ((SEC_ERROR_UNKNOWN_ISSUER) Peer's 
> Certificate issuer is not recognized.). Please run ipa-cacert-manage install 
> and ipa-certupdate to install the CA certificate.
> The ipa-server-certinstall command failed.
>
> ======================================================================
> Tried to run ipa-cacert-manage install
>
>
> [root@ Apache]# ipa-cacert-manage install 1f1f7ab616938168.pem
> Installing CA certificate, please wait
> Not a valid CA certificate: not a CA certificate (visit
> http://www.freeipa.org/page/Troubleshooting for troubleshooting guide)
> The ipa-cacert-manage command failed.
> [root@ Apache]#
>
> ====================================================
>
>
> [root@ Apache]#
> [root@ Apache]# certutil -L -d /etc/pki/pki-tomcat/alias
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> ocspSigningCert cert-pki-ca                                  u,u,u
> subsystemCert cert-pki-ca                                    u,u,u
> Server-Cert cert-pki-ca                                      u,u,u
> auditSigningCert cert-pki-ca                                 u,u,Pu
> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
> [root@ Apache]#
>
>
> [root@ Apache]# certutil -L -d /etc/httpd/alias/
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> Server-Cert                                                  u,u,u
> IPA.EXAMPLE.COM IPA CA                                      CT,C,C
> [root@ Apache]#
> [root@ Apache]#
>
>
> [root@ Apache]# certutil -L -d /etc/dirsrv/slapd-IPA-ONMOBILE-COM/
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> Server-Cert                                                  u,u,u
> IPA.EXAMPLE.COM IPA CA                                      CT,C,C
> [root@ Apache]#
>
> ===========================================================
>
>
>
> Regards
> Sai
>
> -----Original Message-----
> From: Rob Crittenden <[email protected]>
> Sent: 06 July 2023 20:55
> To: FreeIPA users list <[email protected]>
> Cc: Polavarapu Manideep Sai <[email protected]>
> Subject: Re: [Freeipa-users] Help-Installing Third-Party Certificates
> for HTTP or LDAP
>
>
> Polavarapu Manideep Sai via FreeIPA-users wrote:
>> Hi Team,
>>
>>
>>
>> I have generated central.csr and central.key on my IPA server and
>> shared central.csr with a third-party certificate authority. I got
>> certificates back from the certificate authority in two directories:
>> one named apache, whose certificates are 1f1f7ab616938168.crt,
>> 1f1f7ab616938168.pem and gd_bundle-g2-g1.crt, and another named
>> tomcat, whose certificates are 1f1f7ab616938168.crt,
>> 1f1f7ab616938168.pem, gd_bundle-g2-g1.crt and gdig2.crt.pem. Now I
>> want to install these certificates on my IPA server; can you please
>> guide me on the same?
>
> The process you describe is a little hard to follow. You submitted a single
> CSR and got two certificates back? What does "tomcat name" mean?
> Is it using a different key? Do you intend on replacing the server
> certificate for the CA as well? If so, why?
>
>>
>> I tried this, but I am getting the below error. Can you please share
>> the steps to install these SSL certificates?
>>
>>
>>
>> [root@ Apache]# ipa --version
>> VERSION: 4.5.0, API_VERSION: 2.228
>>
>> ipa-server-certinstall --http --dirsrv ssl.key ssl.crt
>>
>> [root@Apache]# ipa-server-certinstall --http --dirsrv central.key
>> gd_bundle-g2-g1.crt
>> Directory Manager password:
>> Enter private key unlock password:
>> No matching certificate found for private key from central.key
>
> You didn't include the server certificate file you got, ex.
> 1f1f7ab616938168.pem
>
> rob
>
>
> ________________________________
>
> DISCLAIMER: The information in this message is confidential and may be 
> legally privileged. It is intended solely for the addressee. Access to this 
> message by anyone else is unauthorized. If you are not the intended 
> recipient, any disclosure, copying, or distribution of the message, or any 
> action or omission taken by you in reliance on it, is prohibited and may be 
> unlawful. Please immediately contact the sender if you have received this 
> message in error. Further, this e-mail may contain viruses and all reasonable 
> precaution to minimize the risk arising there from is taken by OnMobile. 
> OnMobile is not liable for any damage sustained by you as a result of any 
> virus in this e-mail. All applicable virus checks should be carried out by 
> you before opening this e-mail or any attachment thereto.
> Thank you - OnMobile Global Limited.
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to
> [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines:
> https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>

