

This issue has now gotten much worse and we are unable to enroll clients. We
are getting an error saying the server does not have a cert:

    Do you want download the CA cert from http://ipa1.example.com/ipa/config/ca.crt ?
    (this is INSECURE) [no]: yes
    Cannot obtain CA certificate
    'http://ipa1.example.com/ipa/config/ca.crt' doesn't have a certificate.

Can we somehow replace our certs and revert back to the original ones issued by
the dogtag server so we have a standard configuration, or is there a clean way
to fix this issue?
Thank you



I was told the GoDaddy certs were just imported using certutil -a but in
looking at the certs the original certs were actually replaced. This is only in
/etc/dirsrv/slapd-REALM-COM:

    Certificate Nickname                              Trust Attributes
                                                      SSL,S/MIME,JAR/XPI

    GD_CA                                             CT,C,C
    NWF_GD                                            u,u,u

The certs in /etc/dirsrv/slapd-PKI-CA are still the originals:

    [root@ipa2-corp ~]# certutil -L -d /etc/dirsrv/slapd-PKI-IPA/
    Certificate Nickname                              Trust Attributes
                                                      SSL,S/MIME,JAR/XPI

    IPADOMAIN.COM IPA CA                              CT,C,C
    Server-Cert                                       u,u,u

I am not even sure how this even works or if it can be fixed? Should/Can we go
back to using the original dogtag certs?
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
Sent: Wednesday, March 04, 2015 2:57 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Need to replace cert for ipa servers

On 03/04/2015 04:32 PM, sipazzo wrote:
Good afternoon, we have a freeipa 3.0.42 installation running on Red Hat 6.6
with a mix of rhel 5, rhel6 and Solaris clients. It was originally configured
with the built in dogtag certificate CA and then one of my co-workers added our
GoDaddy certificate to the certificate bundle. My understanding is this cert is
used for communication between the ipa servers, and the clients are also
configured to trust the GoDaddy certificate. We recently had to get a new
GoDaddy cert so our old one is revoked. I need to figure out how to either
replace the existing revoked cert with the new one or add the new one to the
bundle and then remove the revoked certificate so as not to break anything. Any
help is appreciated. I am not strong with certificates so the more detail you
can give the better. Thank you.
You say it was running with the self signed IPA CA and then the GoDaddy cert was
added to the bundle. How was it added?
IPA does not use certs for communication between the instances. It uses
Kerberos. I am not sure the GoDaddy cert you added is even used in some way by
IPA.
It seems that your GoDaddy cert is an orthogonal trust so if you replaced the
main key pair then you just need to distribute your new GoDaddy cert to the
clients as you did in the first place.


--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
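The thread turns on reading `certutil -L` listings: which nickname carries CA trust (the `C`/`T` flags in the SSL column) and which entry holds a private key (`u,u,u`), and whether the original IPA CA nickname survived an import. The following is an added example, not code from the thread or from FreeIPA, that parses listings in that format and diffs two databases; the two sample listings are constructed to mirror the nicknames the poster showed, and the column widths are made up.

```python
"""Parse `certutil -L` listings, explain NSS trust flags, and diff two databases."""
import re

# Constructed sample listings modelled on the two outputs quoted in the thread.
GD_DB_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

GD_CA                                                        CT,C,C
NWF_GD                                                       u,u,u
"""

IPA_DB_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

IPADOMAIN.COM IPA CA                                         CT,C,C
Server-Cert                                                  u,u,u
"""

# Meaning of the per-column trust flags as documented in certutil(1).
FLAG_MEANING = {
    "p": "valid peer",
    "P": "trusted peer (implies p)",
    "c": "valid CA",
    "C": "trusted CA to issue server certs (implies c)",
    "T": "trusted CA to issue client certs (implies c)",
    "u": "user cert (private key present in the database)",
    "w": "send warning",
}

# Three comma-separated flag groups: SSL, S/MIME, JAR/XPI.
TRUST_RE = re.compile(r"^([pPcCTuw]*),([pPcCTuw]*),([pPcCTuw]*)$")


def parse_listing(text):
    """Return one dict per certificate: nickname plus the three flag groups.

    Nicknames may contain spaces ("IPADOMAIN.COM IPA CA"), so the trust column is
    split off from the right and validated against TRUST_RE; header lines and the
    "SSL,S/MIME,JAR/XPI" sub-header never match and are skipped.
    """
    entries = []
    for line in text.splitlines():
        parts = line.rstrip().rsplit(None, 1)
        if len(parts) != 2:
            continue
        match = TRUST_RE.match(parts[1])
        if not match:
            continue
        ssl, smime, jar = match.groups()
        entries.append({"nickname": parts[0].strip(), "ssl": ssl,
                        "smime": smime, "jar": jar})
    return entries


def describe(entry):
    """Role of a certificate as implied by its SSL trust flags."""
    ssl = entry["ssl"]
    if "u" in ssl:
        return "holds a private key (server/user cert)"
    if "C" in ssl or "T" in ssl:
        return "trusted CA for SSL"
    if "P" in ssl:
        return "trusted peer cert"
    return "no SSL trust"


def trusted_cas(text):
    """Nicknames that are trusted to issue server or client certs."""
    return [e["nickname"] for e in parse_listing(text)
            if "C" in e["ssl"] or "T" in e["ssl"]]


def missing_nicknames(before, after):
    """Nicknames present in `before` but absent from `after`.

    Run against a listing taken before an import and one taken after, this
    shows whether the import overwrote entries instead of adding to them.
    """
    before_names = {e["nickname"] for e in parse_listing(before)}
    after_names = {e["nickname"] for e in parse_listing(after)}
    return sorted(before_names - after_names)


if __name__ == "__main__":
    for label, listing in (("slapd-PKI-IPA", IPA_DB_LISTING),
                           ("slapd-REALM-COM", GD_DB_LISTING)):
        print(f"{label}:")
        for entry in parse_listing(listing):
            flags = ", ".join(FLAG_MEANING[f] for f in entry["ssl"])
            print(f"  {entry['nickname']!r}: {describe(entry)} [{flags}]")
    print("gone after import:", missing_nicknames(IPA_DB_LISTING, GD_DB_LISTING))
```

Feeding real output is a matter of replacing the sample strings with the text of `certutil -L -d <dbdir>`; the useful check is that the IPA CA nickname still appears with `C`/`T` trust after any change to the database, since that is the trust clients rely on when they fetch the CA cert at enrollment.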

  
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
