Andrea Bontempi wrote:
> Ok, this is funny:
>
> [root@dbm13 ca_rotta]# certutil -d sql:[nss db] -K
> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
> Enter Password or Pin for "NSS Certificate DB":
> < 0> rsa      [hidden]   ipa-ca-agent
>
> The sub-ca doesn't have the private key. This is ridiculous... FreeIPA gave me the CSR...
>
> When I try to validate "ipa-ca-agent" with certutil I get this error:
>
> "Peer's certificate issuer is not recognized"
>
> (obvious if the certificate issuer does not have the private key)

This is incorrect. To validate a certificate you only need the CA public keys, not the private ones. Only having the ipa-ca-agent key is right. This is a temporary database, not the CA database. We are using this cert to request some information about itself from the CA in this case.

I think there is an issue with one of the CA certs but I've yet to duplicate it or identify what is wrong. I'm still waiting on word back from one of the NSS devs.


Freeipa-users mailing list