I want to implement an IPA server and sync it with my 2012 MS AD. While
things go well using an internal CA in each server, I came across a kind of
problem when I want to integrate the solution with my PKI, which is already serving
the AD server.
I can install IPA with the --external-ca switch, but when it comes to the sync
agreement it says "TLS error -8179: Peer's Certificate issuer is not
The architecture is:
- There is a root CA named contoso.com
- There is a subordinate CA named local.dc
- The certificates of AD and IPA server are both issued by local.dc
- IPA's certificate is issued based on the CSR file generated by
- I have copied both certificates into the /etc/openldap/certs directory and the
rest was the same as what I did in the internal CA scenario.
While the FreeIPA docs say both servers must have internal CAs, I need to
integrate the solution with the available PKI.
I would be glad to hear suggestions on whether this scenario is applicable and what is
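NSS error -8179 is SEC_ERROR_UNKNOWN_ISSUER: the verifying side finds no path from the peer's certificate to a CA it trusts. The following added example (mine, not from the post or the FreeIPA project) rebuilds the post's two-tier PKI with throw-away openssl certificates and shows which trust-store contents let the AD server certificate verify; the CA and host names are constructed to match the post.

```sh
#!/bin/sh
# Added example, not from the original post or the FreeIPA project.
# Reproduces offline the trust relationship from the post: a root CA
# (contoso.com) issues a subordinate CA (local.dc), which issues the AD
# server's certificate. All keys and certificates are throw-away ones
# generated here; the names are constructed to match the post.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Root CA: self-signed (openssl's default req -x509 profile marks it CA:TRUE).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=contoso.com" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

# Subordinate CA: CSR signed by the root, explicitly marked as a CA.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=local.dc" \
  -keyout "$WORK/sub.key" -out "$WORK/sub.csr" 2>/dev/null
openssl x509 -req -days 30 -in "$WORK/sub.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/sub.pem" 2>/dev/null

# AD server certificate: issued by the subordinate CA, as in the post.
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ad.local.dc\n' > "$WORK/leaf.ext"
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ad.local.dc" \
  -keyout "$WORK/ad.key" -out "$WORK/ad.csr" 2>/dev/null
openssl x509 -req -days 30 -in "$WORK/ad.csr" -CA "$WORK/sub.pem" -CAkey "$WORK/sub.key" \
  -CAcreateserial -extfile "$WORK/leaf.ext" -out "$WORK/ad.pem" 2>/dev/null

# Trust bundle the IPA side would need: root and subordinate together.
cat "$WORK/root.pem" "$WORK/sub.pem" > "$WORK/chain.pem"

# check_chain TRUSTED_BUNDLE SERVER_CERT [UNTRUSTED_INTERMEDIATES]
# Returns 0 when SERVER_CERT chains to a trust anchor in TRUSTED_BUNDLE,
# optionally using intermediates that are supplied (as a TLS peer would
# send them) but not themselves trusted.
check_chain() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# The three situations to compare against the failing sync agreement.
if check_chain "$WORK/chain.pem" "$WORK/ad.pem"; then echo "root+sub trusted: OK"; fi
if ! check_chain "$WORK/root.pem" "$WORK/ad.pem"; then echo "root only, intermediate missing: FAIL (issuer local.dc unknown)"; fi
if check_chain "$WORK/root.pem" "$WORK/ad.pem" "$WORK/sub.pem"; then echo "root trusted, intermediate supplied by peer: OK"; fi
```

The middle case is the one that produces an unknown-issuer error: the root is trusted but nothing presents or trusts the subordinate CA that actually signed the server certificate.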
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project