Sean Conley - US wrote:
> Sorry for the redundancy but I thought it would be better to start a new
> thread since I am really asking a different question at this point.
> We are trying to stand up an IPA instance using real certs (wildcard)
> for our domain, so that external users get a valid cert when coming to
> the https UI.  I am trying to follow the steps given in this
> thread: 
> It seems no matter what I do, I end up with: “full certificate chain is
> not present in /etc/ipa/pki/”.  Has this process been
> documented more completely anywhere?  Is this still a valid process?
> I know that there is now an --external-ca option to ipa-server-install,
> but I have questions about the CSR process from my CA and they are not
> being very responsive.  I have also been told that this option would
> require a reseller arrangement potentially costing a lot of money…  we
> don’t want to be in the CA business…  we just want our external users to
> be able to securely access IPA.
> Thanks again in advance for any assistance.

I think you misunderstand what the external-ca option does. This
generates a CSR that you hand off to an external CA which issues a
subordinate CA certificate. This isn't what you want AFAICT.

Start reading here

and it sounds like this is the configuration you want:

