The problem is the encoding of the certificate subject, some CA use UTF-8 (like 
EJBCA), contrariwise NSS create certificates with subject in ASCII.

The error occurs during the installation on the step "issuing RA agent 
certificate", when sslget try to use the TLS certificate "ipa-ca-agent" and 
fail with error code "-12195".

This error (SSL_ERROR_UNKNOWN_CA_ALERT) means that "ipa-ca-agent" is signed by 
a missing CA.

If you open the NSS database used by sslget you can see the correct CA chain, 
but you can't follow this chain from "ipa-ca-agent", this is the cause of the 
error explained above. 

NSS for follow the chain make a bit-to-bit compare to the derSubject and 
derIssuer fields, but can't match because one is in UTF-8 and other is in ASCII.

For fix, you must use the old mode (PrintableString) for sign the FreeIPA 
sub-ca certificate, in EJBCA just make a new root CA with the option 
"PrintableString encoding in DN" enabled.

Thanks for the help.

Andrea Bontempi

Freeipa-users mailing list

Reply via email to