On Thu, Aug 15, 2013 at 6:23 PM, Rob Crittenden <[email protected]> wrote:
> Here is a command:
>> certutil -d sql:/etc/pki/pki-tomcat/alias/ -A -t "CT,C,C" -n "External
>> CA" -i /root/ca.pem
>>
>> Also I tried to add intermediate CA with the following:
>> certutil -d sql:/etc/pki/pki-tomcat/alias/ -A -t ",," -n "External Sub
>> CA" -i /root/sub.pem
>>
>> External CA file is correct, I verified it with "openssl s_client
>> -CAfile /root/ca.pem -connect ipa.mydomain.com:636"
>>
>
> You should drop the sql prefix. This is creating a new cert and key
> database (you'll see a new cert9 and key4.db there). I don't believe that
> dogtag uses the sql prefix yet so it won't see the new certs you added.
>
> You should also set the trust flags on all intermediate certs as well.

You are right, lsof shows that the java process opens only cert8.db and key3.db.

I did as you say, and the dirsrv log output changed to "Netscape Portable Runtime error -8179 (Peer's Certificate issuer is not recognized.); unauthenticated client".

Then, in addition, I ran this command:
certutil -d /etc/dirsrv/slapd-MYDOMAIN-COM/ -A -t "CT,C,C" -n "IPA CA" -i /etc/ipa/ca.crt

And eventually it worked! So there were two problems:
1) ipa-server-certinstall removed the IPA CA from the dirsrv nssdb (by replacing it)
2) ipa-server-certinstall did not add the new dirsrv CA into the pki-tomcatd nssdb

Hope you can fix that either in documentation or tools :)

--
Best regards,
Vladimir Kulev
Mobile: +358400369346, +79215554422
Jabber: [email protected]
Skype: lightoze
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
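An added check in POSIX shell (not from the thread or from FreeIPA/Dogtag) for the two things the exchange turned on: which NSS database format a directory actually holds (cert8.db/key3.db legacy versus cert9.db/key4.db created by the sql: prefix), and whether a CA nickname carries the C flag in the SSL trust column, parsed from the `certutil -L` listing format. The listing used here is constructed; no certutil binary is needed to run it.

```shell
#!/bin/sh
# Added example, not from the original thread: helpers for checking an NSS
# database after a certutil -A import, using only the file layout and the
# `certutil -L` listing format. The listing below is constructed.

# Which format a directory holds: "legacy" (cert8.db/key3.db, what lsof showed
# the Java process opening), "sql" (cert9.db/key4.db, created by a sql: prefix
# to -d), "both" or "none".
nss_db_format() {
    dir=$1
    legacy=0
    sql=0
    [ -f "$dir/cert8.db" ] && [ -f "$dir/key3.db" ] && legacy=1
    [ -f "$dir/cert9.db" ] && [ -f "$dir/key4.db" ] && sql=1
    if [ "$legacy" -eq 1 ] && [ "$sql" -eq 1 ]; then echo both
    elif [ "$legacy" -eq 1 ]; then echo legacy
    elif [ "$sql" -eq 1 ]; then echo sql
    else echo none
    fi
}

# Read a `certutil -L` listing on stdin; exit 0 only if NICK is listed with C
# in the first (SSL) trust column. Nicknames may contain spaces, so only the
# trailing flags token is split off.
ca_trusted_for_ssl() {
    awk -v nick="$1" '
        {
            if (!match($0, /[ \t]+[^ \t,]*,[^ \t,]*,[^ \t,]*$/)) next
            name = substr($0, 1, RSTART - 1)
            flags = substr($0, RSTART)
            sub(/^[ \t]+/, "", flags)
            split(flags, f, ",")
            if (name == nick && f[1] ~ /C/) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Constructed listing in the layout certutil -L prints: a trusted CA, an
# intermediate imported with -t ",," (no trust, as in the thread) and a
# server cert with user-only flags.
sample_listing() {
    cat <<'EOF'
Certificate Nickname                            Trust Attributes
                                                SSL,S/MIME,JAR/XPI

IPA CA                                          CT,C,C
External Sub CA                                 ,,
Server-Cert                                     u,u,u
EOF
}
```

Against a real directory, `nss_db_format /etc/pki/pki-tomcat/alias` tells you whether a stray cert9.db/key4.db pair was created, and `certutil -d DIR -L | ca_trusted_for_ssl "IPA CA"` confirms the CA is present with SSL trust before restarting the service.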
