Jesse Prentiss via FreeIPA-users wrote:
> Thank you for your quick response!
>
> Sorry, I did not mean to suggest I expected IPA to renew my user-provided
> certificate - just meant we failed to renew the certificate ourselves in
> time.
>
> I had previously commented out the cert and key lines from the ssl.conf and
> put in the full path to my new ones, but I had not tried overwriting the
> httpd crt and key. That worked! I was able to start the apache server in
> the present day with ntp re-enabled.
>
> I was also able to run ipa-server-certinstall with the -w option.
>
> The only step that I am still failing at is the installation with the -k
> option. Of the 5 files provided by section:
>
> Available formats:
> as Certificate only, PEM encoded:
> as Certificate (w/ issuer after),
> as Certificate (w/ chain), PEM encoded:
> as PKCS#7:
> as PKCS#7, PEM encoded:
>
> The 4th one PKCS#7 was the only one that ipa-server-certinstall did not
> reject as invalid for KDC, but it says "incorrect password for pkcs#12
> file"
PKINIT has very specific certificate requirements. It is unlikely that the
server certificate you obtained is sufficient for PKINIT. For all the gory
details see https://web.mit.edu/kerberos/krb5-1.12/doc/admin/pkinit.html

It may be less friction to use the IPA-issued PKINIT certificate as enrolled
clients will already have the full trust chain so it should cause no issues.

> I did find the 443-RSA file where you indicated, and it has what looks like a
> hash or auto-generated password in it, but I'm unclear what you mean by
> 'Update that if needed' - I don't believe there was a PIN or passphrase set
> on the private key. Is there a method that I am supposed to pass or
> overwrite that 443-RSA file contents? I could overwrite the (possibly blank)
> passphrase of the key but I'm hesitant to break what worked for the other
> options.

You can look at the private key file. If it includes BEGIN ENCRYPTED PRIVATE
KEY then your key has a password. I'm assuming it doesn't so you don't need to
mess with this file.

rob

--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
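The "look at the private key file" check from the reply above, as an added example that is not part of the thread and not FreeIPA code. It classifies a PEM file by its framing only, which is all the check needs: a PKCS#8 `BEGIN ENCRYPTED PRIVATE KEY` block means a passphrase is set, a plain `BEGIN PRIVATE KEY` block means none. It goes one step beyond the reply by also recognising the older OpenSSL "traditional" format, where a `BEGIN RSA PRIVATE KEY` block is encrypted only if it carries a `Proc-Type: 4,ENCRYPTED` header, and it skips certificate blocks so it works on a bundled cert-plus-key file such as the one referenced from ssl.conf. The sample PEM bodies are constructed placeholders, not real key material; the file path in `main` is an assumption.

```python
import re
import sys

# Constructed samples: only the PEM framing matters for this check, so the
# base64 bodies are truncated placeholders and not real key material.
UNENCRYPTED_PKCS8 = """-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC
-----END PRIVATE KEY-----
"""

ENCRYPTED_PKCS8 = """-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQI
-----END ENCRYPTED PRIVATE KEY-----
"""

# Traditional OpenSSL format: encryption is signalled by RFC 1421 headers
# inside the block rather than by the BEGIN label.
LEGACY_ENCRYPTED_RSA = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

h3x7GdTn6K8placeholder
-----END RSA PRIVATE KEY-----
"""

CERT_ONLY = """-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIEplaceholder
-----END CERTIFICATE-----
"""

# One regex over the whole file so multi-block bundles are handled.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)

# Labels used by the traditional (pre-PKCS#8) OpenSSL key formats.
LEGACY_KEY_LABELS = {"RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY"}


def classify_private_key(pem_text):
    """Return "encrypted", "unencrypted", or None if no private key block exists.

    Only the first private key block is classified; certificate and other
    non-key blocks are ignored.
    """
    for label, body in PEM_BLOCK.findall(pem_text):
        if label == "ENCRYPTED PRIVATE KEY":
            # PKCS#8 with password-based encryption: a passphrase is set.
            return "encrypted"
        if label == "PRIVATE KEY":
            # PKCS#8 in the clear: no passphrase.
            return "unencrypted"
        if label in LEGACY_KEY_LABELS:
            # Traditional format: look for the encryption header in the body.
            if "Proc-Type: 4,ENCRYPTED" in body:
                return "encrypted"
            return "unencrypted"
        # CERTIFICATE, PKCS7, etc.: not a key, keep scanning.
    return None


def main(argv):
    # Assumed usage: pass the path configured for the key in ssl.conf.
    path = argv[1] if len(argv) > 1 else "/path/to/httpd.key"
    with open(path, "r", encoding="utf-8") as fh:
        result = classify_private_key(fh.read())
    if result is None:
        print(f"{path}: no private key block found")
    else:
        print(f"{path}: private key is {result}")


if __name__ == "__main__":
    main(sys.argv)
```

If the result is "unencrypted", the stored PIN is irrelevant to that key and nothing needs changing; if it is "encrypted", the passphrase that decrypts the key is what the PIN file has to contain.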
