The problem is the encoding of the certificate subject: some CAs use UTF-8 (like
EJBCA), whereas NSS creates certificates with the subject in ASCII.
The error occurs during installation at the step "issuing RA agent
certificate", when sslget tries to use the TLS certificate "ipa-ca-agent" and
fails with error code "-12195".
This error (SSL_ERROR_UNKNOWN_CA_ALERT) means that "ipa-ca-agent" is signed by
a missing CA.
If you open the NSS database used by sslget you can see the correct CA chain,
but you can't follow this chain from "ipa-ca-agent"; this is the cause of the
error explained above.
To follow the chain, NSS makes a bit-for-bit comparison of the derSubject and
derIssuer fields, but they can't match because one is in UTF-8 and the other
is in ASCII.
To fix it, you must use the old mode (PrintableString) to sign the FreeIPA
sub-CA certificate; in EJBCA just create a new root CA with the option
"PrintableString encoding in DN" enabled.
Thanks for the help.
Freeipa-users mailing list
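As an added illustration of the DER comparison described in the message above
(this is example code written for this page, not code from FreeIPA, NSS, Dogtag
or EJBCA): the same DN text "CN=Certificate Authority, O=EXAMPLE.COM" is encoded
once with PrintableString values, as an NSS-based issuer writes the issuer field
of "ipa-ca-agent", and once with UTF8String values, as EJBCA writes the subject
of the sub-CA certificate. A byte-for-byte compare of the two Names fails even
though they decode to identical text, which is exactly why the CA cannot be
found in the chain. The DN, OIDs and helper names are constructed for this
example; only the Python standard library is used.

```python
"""Why an NSS chain lookup fails on a DN string-type mismatch.

Constructed example: encodes one DN two ways (PrintableString vs UTF8String),
then compares the DER bytes the way an issuer lookup does, alongside a
text-level compare that shows why the failure is confusing.
"""

PRINTABLE_STRING = 0x13   # ASN.1 PrintableString tag (NSS/Dogtag default)
UTF8_STRING = 0x0C        # ASN.1 UTF8String tag (EJBCA default)
TAG_NAMES = {PRINTABLE_STRING: "PrintableString", UTF8_STRING: "UTF8String"}

# Attribute type OIDs in DER form (2.5.4.3 commonName, 2.5.4.10 organizationName)
OID_CN = bytes.fromhex("550403")
OID_O = bytes.fromhex("55040a")

# Constructed DN used for the demonstration (not a real FreeIPA DN)
DN = [(OID_CN, "Certificate Authority"), (OID_O, "EXAMPLE.COM")]


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    """One DER tag-length-value element."""
    return bytes([tag]) + der_len(len(content)) + content


def encode_name(attrs, string_tag):
    """Encode a DN as Name ::= SEQUENCE OF RDN (one RDN per attribute),
    using string_tag for every AttributeValue."""
    rdns = b""
    for oid, value in attrs:
        atv = tlv(0x30, tlv(0x06, oid) + tlv(string_tag, value.encode("utf-8")))
        rdns += tlv(0x31, atv)   # RelativeDistinguishedName ::= SET OF ATV
    return tlv(0x30, rdns)


def read_tlv(buf, pos=0):
    """Parse one DER TLV at pos; returns (tag, content, end_pos)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def children(content):
    """All TLV elements directly inside a constructed element's content."""
    items, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        items.append((tag, body))
    return items


def decode_name(der):
    """Return [(oid_hex, string_tag, text)] for every attribute in a DER Name."""
    out = []
    seq_tag, seq, _ = read_tlv(der)
    assert seq_tag == 0x30, "Name must be a SEQUENCE"
    for _rdn_tag, rdn in children(seq):
        for _atv_tag, atv in children(rdn):
            (_oid_tag, oid), (val_tag, val) = children(atv)
            out.append((oid.hex(), val_tag, val.decode("utf-8")))
    return out


def chain_check(leaf_issuer_der, ca_subject_der):
    """Mimic the issuer lookup: the CA is found only if the DER bytes of the
    leaf's issuer equal the DER bytes of the CA's subject. Also report the
    text-level view and the string types in use, for diagnosis."""
    leaf = decode_name(leaf_issuer_der)
    ca = decode_name(ca_subject_der)
    return {
        "der_equal": leaf_issuer_der == ca_subject_der,
        "text_equal": [(o, t) for o, _, t in leaf] == [(o, t) for o, _, t in ca],
        "leaf_issuer_tags": sorted({TAG_NAMES.get(g, hex(g)) for _, g, _ in leaf}),
        "ca_subject_tags": sorted({TAG_NAMES.get(g, hex(g)) for _, g, _ in ca}),
    }


def demo():
    """Broken case (sub-CA subject from EJBCA in UTF8String) and fixed case
    (sub-CA re-issued with PrintableString DN encoding)."""
    leaf_issuer = encode_name(DN, PRINTABLE_STRING)        # as NSS/Dogtag writes it
    broken_subca_subject = encode_name(DN, UTF8_STRING)    # as EJBCA writes it
    fixed_subca_subject = encode_name(DN, PRINTABLE_STRING)
    return chain_check(leaf_issuer, broken_subca_subject), chain_check(leaf_issuer, fixed_subca_subject)


if __name__ == "__main__":
    broken, fixed = demo()
    print("broken chain:", broken)   # der_equal False, text_equal True
    print("fixed chain: ", fixed)    # der_equal True,  text_equal True
```

On a real installation the same check can be made by dumping the sub-CA and
"ipa-ca-agent" certificates to DER and feeding the issuer and subject Name
elements to decode_name(): if one side reports UTF8String and the other
PrintableString for the same text, the chain will not build.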