Ok, this is funny:

-----------------------------------------------------------------------------------------------------
[root@dbm13 ca_rotta]# certutil -d sql:[nss db] -K
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB":
< 0> rsa      [hidden]   ipa-ca-agent
-----------------------------------------------------------------------------------------------------

The sub-ca doesn't have the private key. This is ridiculous... FreeIPA gave me 
the CSR...

When I try to validate "ipa-ca-agent" with certutil, I get this error:

"Peer's certificate issuer is not recognized"

(obvious if the certificate issuer does not have the private key)

Andrea Bontempi

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
