On 10.1.2016 22:21, Peter Pakos wrote:
> On 04/01/2016 12:44, Jan Cholasta wrote:
>>> My question is, what is the correct way of installing a 3rd party
>>> certificate for HTTP/LDAP that will actually work?
>>
>> 1. Install the CA certificate chain of the issuer of the 3rd party
>> certificate to IPA using "ipa-cacert-manage install"
>>
>> 2. Run "ipa-certupdate" to update CA certificate related IPA configuration.
>>
>> 3. Manually import the server certificate into the
>> /etc/dirsrv/slapd-REALM NSS database, configure the correct nickname in
>> LDAP in the nsSSLPersonalitySSL attribute of
>> cn=RSA,cn=encryption,cn=config and restart DS.
>>
>> 4. Manually import the server certificate into the /etc/httpd/alias NSS
>> database, configure the correct nickname in /etc/httpd/conf.d/nss.conf
>> using the NSSNickname directive and restart httpd.
>
> Is there any chance you can confirm the exact commands I need to run to
> accomplish the above steps? I don't want to risk breaking our production
> servers.
>
> BTW, do we have up-to-date documentation about this process in FreeIPA 4.2?
> I failed to find one.
>
> Many thanks in advance.
Hello, I'm attaching two bash scripts I used to use a Let's Encrypt certificate for IPA HTTPd. You can take some inspiration from them; just ignore the calls to the "letsencrypt" tool, which are there for periodic certificate re-generation.

-- 
Petr^2 Spacek
initial-le-config.sh
Description: application/shellscript
renew.sh
Description: application/shellscript
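The four steps quoted from Jan Cholasta above, written out as one added shell script. It is not from this thread and not one of Petr's attached scripts; it defaults to a dry run that only prints the commands, so the plan can be reviewed before anything touches a production server. The realm, file paths (PKCS#12 bundle, CA chain, pwdfile.txt next to each NSS database, the ldapi socket path) and the nickname are assumptions set at the top.

```shell
#!/bin/sh
# Added example, not from this thread and not FreeIPA's own tooling: a dry-run-first
# driver for the four steps (CA chain -> ipa-certupdate -> DS import/nickname/restart
# -> httpd import/nickname/restart). Every path and name below is an assumption.
set -eu

REALM="${REALM:-EXAMPLE-TEST}"                      # assumption: realm as used in the slapd instance name
CA_CHAIN="${CA_CHAIN:-/root/third-party-chain.pem}" # assumption: issuer CA chain, PEM
SERVER_P12="${SERVER_P12:-/root/server.p12}"        # assumption: server cert + private key as PKCS#12
P12_PASS_FILE="${P12_PASS_FILE:-/root/p12.pass}"    # assumption: file holding the PKCS#12 password
NICK="${NICK:-Third-Party-Cert}"                    # assumption: nickname to use in both NSS databases
DRY_RUN="${DRY_RUN:-1}"                             # 1 = print commands only (default), 0 = execute

DS_DB="/etc/dirsrv/slapd-${REALM}"                  # DS NSS database named in step 3
HTTPD_DB="/etc/httpd/alias"                         # httpd NSS database named in step 4
NSS_CONF="/etc/httpd/conf.d/nss.conf"               # file carrying the NSSNickname directive (step 4)

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '+ %s\n' "$*"
  else
    "$@"
  fi
}

# LDIF that points DS at the new certificate (the nsSSLPersonalitySSL change of step 3).
nickname_ldif() {
  printf 'dn: cn=RSA,cn=encryption,cn=config\nchangetype: modify\nreplace: nsSSLPersonalitySSL\nnsSSLPersonalitySSL: %s\n' "$1"
}

# Import certificate plus private key into an NSS database. Assumption: the
# database password sits in pwdfile.txt next to the database, as FreeIPA lays it out.
import_server_cert() {
  run pk12util -d "$1" -i "$SERVER_P12" -k "$1/pwdfile.txt" -w "$P12_PASS_FILE"
}

# Confirm the nickname resolves in the database before any daemon is told to use it.
check_nickname() {
  run certutil -L -d "$1" -n "$NICK"
}

set_ds_nickname() {
  # Assumption: ldapi socket of the FreeIPA DS instance; root autobinds as Directory Manager.
  nickname_ldif "$NICK" | run ldapmodify -H "ldapi://%2fvar%2frun%2fslapd-${REALM}.socket" -Y EXTERNAL
}

set_httpd_nickname() {
  run sed -i "s/^NSSNickname .*/NSSNickname ${NICK}/" "$NSS_CONF"
}

main() {
  # Steps 1 and 2: make IPA trust the issuer everywhere it keeps CA certificates.
  run ipa-cacert-manage install "$CA_CHAIN"
  run ipa-certupdate
  # Step 3: Directory Server.
  import_server_cert "$DS_DB"
  check_nickname "$DS_DB"
  set_ds_nickname
  run systemctl restart "dirsrv@${REALM}.service"
  # Step 4: httpd.
  import_server_cert "$HTTPD_DB"
  check_nickname "$HTTPD_DB"
  set_httpd_nickname
  run systemctl restart httpd.service
}

case "${1:-plan}" in
  plan)  main ;;                 # default: print the plan, change nothing
  apply) DRY_RUN=0; main ;;
  *)     echo "usage: $0 [plan|apply]" >&2; exit 2 ;;
esac
```

Run it with no argument to see the ten commands it would issue (the dry-run echo shows arguments unquoted, so read it as a plan, not as copy-paste shell), then with `apply` once the paths and nickname are right. The `certutil -L -n` check after each import is the cheap guard against the failure Peter is worried about: if the nickname does not resolve in that database, the script stops there under `set -e`, before the daemon is pointed at a certificate it cannot find.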
-- 
Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project