mitra dehghan wrote:
> hello,
> I want to implement an IPA server and sync it with my 2012 MS AD. While
> things go well using an internal CA in each server, I came across a kind
> of problem when I want to integrate the solution with my PKI, which is already
> serving the AD server.
> I can install IPA with the --external-ca switch, but when it comes to the sync
> agreement it says "TLS error -8179:Peer's Certificate issuer is not
> recognized."
>
> The architecture is:
> - There is a root CA named contoso.com
> - There is a subordinate CA named local.dc
> - The certificates of the AD and IPA servers are both issued by local.dc
> - IPA's certificate is issued based on the CSR file generated by
> ipa-server-install
> - I have copied both certificates into the /etc/openldap/certs directory and
> the rest was the same as what I did in the internal CA scenario.
>
> While the FreeIPA docs say both servers must have internal CAs, I need
> to integrate the solution with the available PKI.
> I would be glad to hear suggestions on whether this scenario is applicable and what
> is wrong there.
> thank you
389-ds doesn't use /etc/openldap/certs. What cert are you passing in when creating the winsync agreement using ipa-replica-manage? You may need/want to add these certs to the IPA 389-ds NSS database prior to setting up the agreement.

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
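As an added illustration of the reply above (this is not from the thread or from the FreeIPA project), the script below splits a PEM bundle holding the AD-side chain (root plus subordinate CA) into one file per certificate, imports each into the 389-ds NSS database with certutil, and then hands the same chain file to ipa-replica-manage via its --cacert option so the AD server certificate can be validated. NSS error -8179 is SEC_ERROR_UNKNOWN_ISSUER, i.e. the directory server could not build a trusted chain for the peer certificate, which is what importing the issuing CAs fixes. The NSS DB path /etc/dirsrv/slapd-EXAMPLE-COM, the nickname scheme, the bind DN and the environment variables are assumptions; the DRY_RUN mode and any run on a host without certutil only print the commands.

```shell
#!/bin/sh
# Added example, not FreeIPA project code. Assumed paths/names are marked.

# Split a PEM bundle into ca-01.pem, ca-02.pem, ... under $2 and print the
# number of certificates found. An "inside" flag keeps blank lines between
# blocks out of the output files and avoids re-truncating a closed file.
split_pem_chain() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/ca-%02d.pem", dir, n); inside = 1 }
        inside { print > f }
        /-----END CERTIFICATE-----/ { inside = 0; close(f) }
        END { print n + 0 }
    ' "$bundle"
}

# Decide whether to execute or just echo the privileged commands.
runner() {
    if [ "${DRY_RUN:-0}" = 1 ] || ! command -v "$1" >/dev/null 2>&1; then
        echo echo
    fi
}

# Import every split certificate into the 389-ds NSS DB. "CT,," marks the
# certificate as a trusted CA for TLS server authentication; the root must be
# trusted, and the subordinate must at least be present so the chain can be built.
import_chain() {
    nssdb="$1"; certdir="$2"; trust="${3:-CT,,}"
    run=$(runner certutil)
    for f in "$certdir"/ca-*.pem; do
        [ -f "$f" ] || continue
        nick="AD chain $(basename "$f" .pem)"   # assumed nickname scheme
        $run certutil -d "$nssdb" -A -n "$nick" -t "$trust" -a -i "$f"
    done
    # List the DB afterwards to confirm the nicknames and trust flags.
    $run certutil -d "$nssdb" -L
}

# Create the winsync agreement, passing the chain file with --cacert.
# AD_BIND_PW and PASSSYNC_PW are assumed environment variables; the bind DN is
# a placeholder for the AD account used to read users.
connect_winsync() {
    ad_host="$1"; chain="$2"
    run=$(runner ipa-replica-manage)
    $run ipa-replica-manage connect --winsync \
        --binddn "cn=Administrator,cn=Users,dc=example,dc=com" \
        --bindpw "${AD_BIND_PW:-CHANGEME}" \
        --passsync "${PASSSYNC_PW:-CHANGEME}" \
        --cacert "$chain" "$ad_host"
}

# Usage (assumed paths):
#   split_pem_chain /root/ad-chain.pem /root/ad-chain-split
#   import_chain /etc/dirsrv/slapd-EXAMPLE-COM /root/ad-chain-split
#   connect_winsync dc.local.dc /root/ad-chain.pem
```

Run the three functions in that order on the IPA server, as root, with the 389-ds instance name substituted for EXAMPLE-COM. If certutil -L afterwards shows the root with "CT,," and the subordinate present, the -8179 error should disappear when the agreement is created.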