I have it now. The --dirsrv_pkcs12 option seems to like pkcs7 formatted certificates, but the person who issued it did not set a password, so FreeIPA will not let me install it to know if it works for sure. I am having the certificate reissued again with a password in pkcs12 format and all should be well with the world again.

Thanks for your help and guidance on this. Your level of support is better than I could have expected.

On 1/6/14 11:01 AM, Rob Crittenden wrote:
James Scollard wrote:
That makes absolute perfect sense.  Thanks for the clarification.
Unfortunately I have an new issue now.  Globalsign has issued me a pkcs7
certificate.  FreeIPA does not recognize the format:

[root@ldapm6x00 ~]# ipa-server-install
Usage: ipa-server-install [options]

ipa-server-install: error: no such option: --dirsrv_pkcs7

I need to convert it to pkcs12 using the converter here (awesome free


I need the server's private key file to convert from pkcs7 to pkcs12,
but cant find it anywhere.  Is there a command to export it or does it
live in /var/lib or /etc somewhere?

The private exists wherever you generated the CSR. If you used openssl then it would be in a flat file somewhere. If you used NSS then it would be in that database.


James E. Scollard III

Senior Cloud Systems Architect
c: 615.730.4387

View my profile on LinkedIn

Freeipa-users mailing list

Reply via email to