OK, I think I got it again... If anyone is looking for this, here is the
answer that worked for me...

Here are the steps:

   1. http://stackoverflow.com/questions/23374894/mod-nss-with-apache-public-certificate-issue?noredirect=1#comment36504881_23374894
      -- start at "Convert crt file in PEM format" and do that whole section
      completely
   2. Then with the p12 you get from above, do this (skip the line about
      generating a new one):
      http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
         1. If you run across the error "/etc/ipa/ca.crt contains more than
         one certificate" you will need to go into /etc/ipa/ca.crt, back it
         up and then try removing one of the certs and try
         ipa-server-certinstall from above again (if it doesn't work, revert
         ca.crt to the original and then remove the other)
   3. Then restart both instances (bottom of the freeipa link) and
      you should be good to go.


On Mon, Aug 25, 2014 at 8:45 AM, Chris Whittle <cwhi...@gmail.com> wrote:

> I found this but I think it's just IPA certs?
> http://www.freeipa.org/page/V4/CA_certificate_renewal
>
> Basically I want to use my existing wildcard cert for https and ldaps...
> I did this on my 3.3 install on CentOS but now I'm on a 4 install on
> Fedora Core.
>
> Any help would be more than appreciated!
> Thanks!
>
>
> On Mon, Aug 25, 2014 at 6:24 AM, Chris Whittle <cwhi...@gmail.com> wrote:
>
>> I have 4 installed and I get it when I try to generate the pk12
>> On Aug 25, 2014 3:50 AM, "Jan Cholasta" <jchol...@redhat.com> wrote:
>>
>>> Hi,
>>>
>>> On 25.8.2014 at 03:04, Chris Whittle wrote:
>>>
>>>> Trying to do this
>>>> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>>>>
>>>> And I keep getting "Error unable to get local issuer certificate getting
>>>> chain."
>>>>
>>>
>>> Where are you getting this error? ipa-server-certinstall, or httpd, or
>>> somewhere else?
>>>
>>> What version of ipa do you have installed?
>>>
>>>
>>>> I'm wondering if it's because of this from the doc
>>>> "The certificate in mysite.crt must be signed by the CA used when
>>>> installing FreeIPA."
>>>> but it might not either...
>>>>
>>>
>>> In this case you should get a "file.p12 is not signed by
>>> /etc/ipa/ca.crt, or the full certificate chain is not present in the
>>> PKCS#12 file" error in ipa-server-certinstall.
>>>
>>>
>>>> Any ideas?
>>>>
>>>>
>>>>
>>> Honza
>>>
>>> --
>>> Jan Cholasta
>>>
>>
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
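
For the "/etc/ipa/ca.crt contains more than one certificate" step in the thread, this added example (not part of the original thread or of FreeIPA) splits a PEM bundle into one file per certificate and prints each subject and issuer, so the choice of which certificate to remove is informed rather than trial and error. The script name split-ca-bundle.sh, the output directory and sample_bundle (constructed placeholder data, not real certificates) are assumptions.

```shell
#!/bin/sh
# Added example: inspect a multi-certificate PEM bundle (such as
# /etc/ipa/ca.crt) without modifying it. Names here are hypothetical.

# Print the number of certificates in PEM file $1.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Write each certificate in bundle $1 to $2/cert-N.pem, in bundle order.
split_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }
    ' "$1"
}

# Show subject, issuer and expiry of every split certificate so the root
# (subject equals issuer) and intermediates can be told apart.
describe_certs() {
    for f in "$1"/cert-*.pem; do
        echo "== $f"
        openssl x509 -in "$f" -noout -subject -issuer -enddate \
            || echo "   (not a parseable certificate)"
    done
}

# Constructed sample: two PEM blocks with placeholder bodies. They exercise
# counting and splitting only; openssl will not parse them.
sample_bundle() {
    for body in QUFBQQ== QkJCQg==; do
        printf '%s\n' '-----BEGIN CERTIFICATE-----' "$body" \
            '-----END CERTIFICATE-----'
    done
}

# Usage: sh split-ca-bundle.sh /etc/ipa/ca.crt [outdir]
if [ "$#" -gt 0 ]; then
    out="${2:-./ca-split}"
    echo "$(count_certs "$1") certificate(s) in $1"
    split_bundle "$1" "$out"
    describe_certs "$out"
fi
```

The script only reads the bundle; editing /etc/ipa/ca.crt itself still follows the back-up-then-remove step described in the post.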