John Moyer wrote:
John,
I saw the following when I ran that first command.
sudo certutil -d /etc/httpd/alias -L -h internal
Certificate Nickname                                               Trust Attributes
                                                                   SSL,S/MIME,JAR/XPI

Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. ,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc.          ,,
MyIPA                                                              CTu,Cu,u
So being that I have no fear (or am just real dumb, I really feel it's just
both) I used that command and got this error after hitting enter to continue:
sudo modutil -add ca_certs -libfile libnssckbi.so -dbdir /etc/httpd/alias
WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:
ERROR: Failed to add module "ca_certs". Probable cause : "Unknown PKCS #11
error.".
I then did the first command again (to see what I messed up) and it looks
identical as shown below:
sudo certutil -d /etc/httpd/alias -L -h internal
Certificate Nickname                                               Trust Attributes
                                                                   SSL,S/MIME,JAR/XPI

Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. ,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc.          ,,
MyIPA                                                              CTu,Cu,u
These trust flags look really strange.
What is MyIPA, is that your server certificate? It should have a trust
of u,u,u if it is: certutil -M -d /etc/httpd/alias -n MyIPA -t u,u,u
The other two are clearly CAs and should be trusted as so. For each one
I'd do:
certutil -M -d /etc/httpd/alias -n 'nickname' -t CT,,
You can test the trust with:
certutil -V -u V -d /etc/httpd/alias -n MyIPA
I'm guessing that you'll need to do something similar in
/etc/dirsrv/slapd-YOUR-INSTANCE.
rob
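An added example, not from this thread or from the FreeIPA project: a small Python audit that parses `certutil -L` output like the listing quoted above, applies the trust-flag rules from the reply (CAs get `CT,,`, the server's own certificate gets `u,u,u`), and emits the `certutil -M` commands that would correct each mismatch. Two things are assumptions of mine, not statements from the thread: the CA-versus-server decision uses the heuristic that a `u` flag in any column means the database holds that certificate's private key, and the flag alphabet in the regex is the set accepted by certutil's `-t` option. The sample listing is constructed from the one quoted above.

```python
import re
import shlex
from typing import List, Tuple

# Constructed sample, modelled on the `certutil -L` listing quoted in the thread.
LISTING = """\
Certificate Nickname                                               Trust Attributes
                                                                   SSL,S/MIME,JAR/XPI

Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. ,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc.          ,,
MyIPA                                                              CTu,Cu,u
"""

# A trust-attribute token is three comma-separated groups of NSS trust flags
# (SSL, S/MIME, JAR/XPI). Flag alphabet assumed from certutil's -t option.
TRUST_RE = re.compile(r"^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$")

# Target trust strings taken from the reply above.
CA_TRUST = "CT,,"
SERVER_TRUST = "u,u,u"


def parse_certutil_listing(text: str) -> List[Tuple[str, str]]:
    """Return (nickname, trust) pairs from `certutil -L` output.

    Nicknames may contain spaces and commas, so only the last whitespace-separated
    token is split off, and a line counts only if that token looks like a trust
    string; the header lines and blank lines fail that test and are skipped.
    """
    entries = []
    for line in text.splitlines():
        parts = line.strip().rsplit(None, 1)
        if len(parts) != 2 or not TRUST_RE.match(parts[1]):
            continue
        entries.append((parts[0].strip(), parts[1]))
    return entries


def recommended_trust(trust: str) -> str:
    """Assumed heuristic: a 'u' in any column means the database holds the private
    key, i.e. this is the server's own certificate; anything else in a web server's
    database is treated as a CA."""
    return SERVER_TRUST if "u" in trust else CA_TRUST


def audit(text: str) -> List[Tuple[str, str, str]]:
    """List (nickname, current, recommended) for every entry whose flags differ
    from the recommendation; an empty list means nothing needs changing."""
    return [
        (nick, trust, recommended_trust(trust))
        for nick, trust in parse_certutil_listing(text)
        if trust != recommended_trust(trust)
    ]


def fix_commands(text: str, dbdir: str) -> List[str]:
    """Build the `certutil -M` commands that would set the recommended flags.
    Nicknames are shell-quoted because they usually contain spaces."""
    return [
        f"certutil -M -d {shlex.quote(dbdir)} -n {shlex.quote(nick)} -t {rec}"
        for nick, _, rec in audit(text)
    ]


if __name__ == "__main__":
    for nick, cur, rec in audit(LISTING):
        print(f"{nick!r}: {cur} -> {rec}")
    print()
    print("\n".join(fix_commands(LISTING, "/etc/httpd/alias")))
```

To use it against a real database, replace `LISTING` with the output of `certutil -d /etc/httpd/alias -L`, review the generated commands (the heuristic cannot tell a CA from a peer certificate that happens to have no key), and confirm the result afterwards with `certutil -V -u V` as the reply suggests.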
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users