On 9/6/11 11:56 AM, Benjamin Reed wrote:
> I've gotten a GeoTrust certificate for the host I'm attempting to put
> FreeIPA onto (connect.opennms.com) and I'm now trying to set up an IPA
> server on RHEL 6 and I'm running into an error. I have a feeling I'm
> missing something obvious and/or fundamental. =)
I was, in fact, missing something both obvious and fundamental. <g> So if you have a certificate from a CA that you wish to use for the "public-facing" portions of your server, you don't in fact need to embed it into the bowels of FreeIPA, you only need to use it for LDAP and HTTPS.

Here are the steps I took to get it working (thanks MUCH for the help from simo and richm on IRC):

First, set up FreeIPA as you normally would, in my case:

  ipa-server-install --selfsign

Then, get your keys in the right format, as per this page:

  http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

When attempting to restart the directory server, it failed, because it didn't have a trust setting for the chained CA certificates:

  certutil -d /etc/dirsrv/slapd-YOUR-DOMAIN -L

  GeoTrust DV SSL CA - GeoTrust Inc.                           ,,
  GeoTrust Global CA - GeoTrust Inc.                           ,,

They should be "CT,," not ",," for things to start up correctly. I fixed it by telling certutil to trust them:

  certutil -d /etc/dirsrv/slapd-YOUR-DOMAIN -M -n "GeoTrust DV SSL CA - GeoTrust Inc." -t CT,,
  certutil -d /etc/dirsrv/slapd-YOUR-DOMAIN -M -n "GeoTrust Global CA - GeoTrust Inc." -t CT,,

Now everything's up and appears to be running.

-- 
Benjamin Reed
The OpenNMS Group
http://www.opennms.org/

_______________________________________________
Freeipa-users mailing list
https://www.redhat.com/mailman/listinfo/freeipa-users
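The trust-flag check that the post above does by eye can be scripted. The following is an added example, not code from the post or from the FreeIPA project: it parses a `certutil -d <nssdb> -L` listing (the same column layout the post shows), reports every CA certificate whose SSL trust slot lacks both the "C" and "T" flags, and prints the `certutil -M ... -t CT,,` commands that would fix them without running anything itself. The database path `/etc/dirsrv/slapd-EXAMPLE-COM`, the listing in `sample_listing`, and the nickname "Example Root CA" are constructed sample data; on a real host you would pipe the actual `certutil -L` output into `untrusted_cas` instead. It generalises slightly beyond the post by skipping user/server certificates ("u" in the SSL slot) and CAs that are already trusted, so only the chain CAs that would stop dirsrv from starting are listed.

```shell
#!/bin/sh
# Added example (not from the original post): audit the trust flags that
# `certutil -d <nssdb> -L` prints for an NSS database and emit the
# `certutil -M ... -t CT,,` commands for any CA certificate whose SSL trust
# slot lacks the "C" (trusted CA) and "T" (trusted client CA) flags.
# NSSDB and the sample listing below are constructed; adjust to your instance.

NSSDB="/etc/dirsrv/slapd-EXAMPLE-COM"   # assumed path, not a real instance

# Constructed sample of `certutil -L` output: two chain CAs carry ",,"
# (no trust), one root is already "CT,,", and the server cert is "u,u,u".
sample_listing() {
  cat <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

GeoTrust DV SSL CA - GeoTrust Inc.                           ,,
GeoTrust Global CA - GeoTrust Inc.                           ,,
Example Root CA                                              CT,,
Server-Cert                                                  u,u,u
EOF
}

# Read a certutil -L listing on stdin and print "<nickname>|<trust>" for
# every certificate whose SSL slot (first comma-separated field) has
# neither the C nor the T flag and is not a user/server cert ("u").
untrusted_cas() {
  while IFS= read -r line; do
    case "$line" in
      ''|'Certificate Nickname'*|*'SSL,S/MIME,JAR/XPI'*) continue ;;
    esac
    # Trust attributes are the last whitespace-delimited token; the
    # nickname is everything before the padding that precedes it.
    trust=${line##* }
    nick=$(printf '%s' "${line% $trust}" | sed 's/[[:space:]]*$//')
    ssl=${trust%%,*}
    case "$ssl" in
      *u*) continue ;;            # server/user certificate, leave alone
      *C*T*|*T*C*) continue ;;    # already a trusted SSL CA
    esac
    printf '%s|%s\n' "$nick" "$trust"
  done
}

# Print (do not run) the certutil -M commands that would mark each listed
# CA as "CT,,". Review the output before applying it: a "CT" CA is trusted
# for every server certificate in that database, so only the CAs in your
# own certificate chain should be given these flags.
fix_commands() {
  untrusted_cas | while IFS='|' read -r nick trust; do
    printf 'certutil -d %s -M -n "%s" -t CT,,\n' "$NSSDB" "$nick"
  done
}

main() {
  echo "CA certificates lacking SSL trust in $NSSDB:"
  sample_listing | untrusted_cas
  echo
  echo "Suggested fixes (review, then run by hand):"
  sample_listing | fix_commands
}

main "$@"
```

Against a live database, replace `sample_listing` with `certutil -d "$NSSDB" -L` and re-run the listing afterwards to confirm the two chain CAs now show "CT,," before restarting the directory server.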
