On 04/26/2013 07:22 AM, Peter Brown wrote:
> Hi everyone.
>
> I am attempting to get Google Apps to sync with FreeIPA and I am having
> problems getting the sync utility to talk to freeipa.
> It complains about the ssl cert.
> I have it set up so it only accepts ssl or tls encrypted connections and
> I don't want to turn that off.
> I have imported the ca cert using the jre's keytool but it still refuses
> to connect.
> I am getting the impression I need to import the ssl cert for the ldap
> server into it as well.

The CA cert (/etc/ipa/ca.crt) should be enough; it signs all the other certs. Make sure you import it with the right trust level (SSL certificate signing). Unfortunately I don't know about jre's keytool so I can't be more specific.

> I have no idea which certificate that is and I have no idea how to
> export it.

Do not do this. You should only explicitly trust the CA cert.
For example, if you trust the certs explicitly you'd have to re-import them one by one when they are renewed.

> Can someone please tell me how to do this?

If you really want to:
There are two certs, one for httpd (Web UI, XMLRPC & JSON APIs), and one for the LDAP server.
To export the httpd server certificate (to PEM):
$ certutil -L -d /etc/httpd/alias -n Server-Cert -a
To export the directory server certificate (to PEM):
$ certutil -L -d /etc/dirsrv/slapd-$INSTANCE_NAME/ -n Server-Cert -a
But again, you don't need this for what you're trying to do.
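
The difference between the two trust models discussed in this thread, as an added example that is not part of the original messages: a client that trusts only the CA accepts a renewed server certificate unchanged, while a client that pinned the server certificate does not. The CA, the host name `ipa.example.test` and all file names are constructed throwaway values, and `openssl` stands in for whatever TLS client does the checking.

```shell
#!/usr/bin/env bash
# Constructed demo: throwaway CA and certs in a temp dir, not FreeIPA's real ones.

# Create a self-signed CA (ca.crt / ca.key) in directory $1.
make_ca() {
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' \
        > "$1/demo.cnf" &&
    openssl req -x509 -config "$1/demo.cnf" -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=EXAMPLE.TEST/CN=Certificate Authority" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Issue server cert $1/$2.crt with a fresh key, signed by the CA in $1.
issue_server_cert() {
    openssl req -config "$1/demo.cnf" -newkey rsa:2048 -nodes \
        -subj "/O=EXAMPLE.TEST/CN=ipa.example.test" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -out "$1/$2.crt" 2>/dev/null
}

# Model A: the client trusts only the CA in $1; $2 is the presented cert.
trusts_via_ca() {
    openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1
}

# Model B: the client pinned cert $1; $2 is the presented cert.
trusts_via_pin() {
    [ "$(openssl x509 -in "$1" -noout -fingerprint -sha256)" = \
      "$(openssl x509 -in "$2" -noout -fingerprint -sha256)" ]
}

demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" && issue_server_cert "$d" original &&
        issue_server_cert "$d" renewed || return 1
    trusts_via_ca "$d" "$d/original.crt" && echo "CA trust: original accepted"
    trusts_via_ca "$d" "$d/renewed.crt" && echo "CA trust: renewed accepted"
    trusts_via_pin "$d/original.crt" "$d/renewed.crt" ||
        echo "pinned cert: renewed cert rejected until re-imported"
    rm -rf "$d"
}

demo
```

With the JRE's keytool, the CA-only model corresponds to importing /etc/ipa/ca.crt with `keytool -importcert -trustcacerts` into the truststore that the sync utility's JVM actually reads.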

