On Tue, Nov 03, 2015 at 06:00:52PM +0000, Sean Conley - US wrote:
> Sorry for the redundancy but I thought it would be better to start
> a new thread since I am really asking a different question at this
> point.
>
> We are trying to stand up an IPA instance using real certs
> (wildcard) for our domain, so that external users get a valid cert
> when coming to the https UI. I am trying to follow the steps
> given in this thread:
> https://www.redhat.com/archives/freeipa-users/2014-August/msg00338.html.
> It seems no matter what I do, I end up with: "full certificate
> chain is not present in /etc/ipa/pki/example.org.p12". Has this
> process been documented more completely anywhere? Is this still a
> valid process?
>
> I know that there is now an -external-ca option to
> ipa-server-install, but I have questions about the CSR process
> from my CA and they are not being very responsive. I have also
> been told that this option would require a reseller arrangement
> potentially costing a lot of money... we don't want to be in the
> CA business... we just want our external users to be able to
> securely access IPA.
>

If you only want publicly trusted certs for HTTP and LDAP you should not use --external-ca. The CSR generated during ipa-server-install when that option is given is for a CA certificate, not a server (leaf) certificate.

For HTTP / LDAP certificate(s) FreeIPA does not generate the CSR for you. But it sounds like you already have your wildcard cert? If so, then you just need to install it using ipa-server-certinstall or the --http_pkcs12 and/or --dirsrv_pkcs12 options in ipa-server-install.

HTH,
Fraser

> Thanks again in advance for any assistance.
>
> Sean
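As an added example (not code from the thread, nor FreeIPA's own tooling): a POSIX shell snippet that builds the PKCS#12 bundle with the issuing chain included and checks that the chain is actually inside it before the file is handed to ipa-server-certinstall, since a bundle holding only the leaf is what produces the "full certificate chain is not present" error quoted above. File names, the PIN value and the use of openssl to create the bundle are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): build the PKCS#12 bundle FreeIPA expects
# and confirm the issuing chain is inside it before running ipa-server-certinstall.
# File names and the PIN are assumptions; replace them with your own.
set -e

# Bundle leaf cert + private key + CA chain (all PEM) into one PKCS#12 file.
# -certfile is what puts the intermediate/root certs into the bundle; leaving
# it out yields a file that holds only the leaf certificate.
bundle_p12() {
  leaf="$1"; key="$2"; chain="$3"; out="$4"; pin="$5"
  openssl pkcs12 -export -in "$leaf" -inkey "$key" -certfile "$chain" \
      -out "$out" -passout "pass:$pin"
}

# Print how many certificates the PKCS#12 file carries (leaf plus chain).
p12_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
      | grep -c 'BEGIN CERTIFICATE'
}

# Succeed (exit 0) only when the bundle holds more than just the leaf.
p12_has_chain() {
  [ "$(p12_cert_count "$1" "$2")" -gt 1 ]
}

# Manual usage on the IPA server, following the reply above (assumed names):
#   bundle_p12 wildcard.pem wildcard.key ca-chain.pem example.org.p12 "$PIN"
#   p12_has_chain example.org.p12 "$PIN" && \
#       ipa-server-certinstall -w -d example.org.p12 --pin "$PIN"
```

The same check applies to a bundle passed via --http_pkcs12 / --dirsrv_pkcs12 to ipa-server-install.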