Hi,

I have FreeIPA 4.2 (CA-ful) installed on CentOS 7.2 with 3rd party SSL certificates installed for HTTP/LDAP.

When I run "ipa-certupdate" I can see that the 3rd party root certificates are being removed from databases (/etc/httpd/alias, /etc/pki/nssdb, /etc/pki/pki-tomcat/alias) and then re-added (apart from /etc/pki/pki-tomcat/alias).

Without the 3rd party root certificates in /etc/pki/pki-tomcat/alias, the service pki-tomcatd is unable to start up.

This is the complete process I'm following to install a 3rd party certificate (please let me know if I'm doing anything wrong):

### 3rd party SSL certificate install ##################################

# Gandi *.ipa.wandisco.com certificate chain
# AddTrust.pem -> USERTrustRSAAddTrustCA.pem -> GandiStandardSSLCA2.pem -> star.ipa.wandisco.com.crt

$ openssl verify -verbose -CAfile <(cat AddTrust.pem USERTrustRSAAddTrustCA.pem GandiStandardSSLCA2.pem) star.ipa.wandisco.com.crt
star.ipa.wandisco.com.crt: OK

# Bug in ipa-cacert-manage, comment out lines 349-352
$ vim /usr/lib/python2.7/site-packages/ipaserver/install/ipa_cacert_manage.py

$ ipa-cacert-manage install AddTrust.pem -n AddTrust -t C,C,C
$ ipa-cacert-manage install USERTrustRSAAddTrustCA.pem -n USERTrustRSAAddTrustCA -t C,C,C
$ ipa-cacert-manage install GandiStandardSSLCA2.pem -n GandiStandardSSLCA2 -t C,C,C

# Add root certificates to databases <- THIS IS WHERE THE ABOVE ROOT CERTIFICATES SHOULD BE INSTALLED IN /etc/pki/pki-tomcat/alias BUT THEY AREN'T
$ ipa-certupdate

# Create PKCS12 certificate file including private key and full chain
$ openssl pkcs12 -export -out star.ipa.wandisco.com.pfx -inkey star.ipa.wandisco.com.key -in star.ipa.wandisco.com.crt -certfile <(cat AddTrust.pem USERTrustRSAAddTrustCA.pem GandiStandardSSLCA2.pem) -name 'GandiWildcardIPA'

# Install PKCS12 certificate to LDAP and HTTP databases:
$ pk12util -d /etc/dirsrv/slapd-IPA-WANDISCO-COM/ -i star.ipa.wandisco.com.pfx
$ pk12util -d /etc/httpd/alias/ -i star.ipa.wandisco.com.pfx

# Stop IPA
$ ipactl stop

# Edit /etc/dirsrv/slapd-IPA-WANDISCO-COM/dse.ldif to point dirsrv to new certificate
# Replace:
nsSSLPersonalitySSL: Server-Cert
# with:
nsSSLPersonalitySSL: GandiWildcardIPA

# Edit /etc/httpd/conf.d/nss.conf to point httpd to new certificate
# Replace:
NSSNickname Server-Cert
# with:
NSSNickname GandiWildcardIPA

# Start IPA
$ ipactl start

#####################################################################

In order to fix this, I have to manually add root certificates to the database:

$ certutil -A -d /etc/pki/pki-tomcat/alias/ -n AddTrust -t C,C,C -a < AddTrust.pem
$ certutil -A -d /etc/pki/pki-tomcat/alias/ -n USERTrustRSAAddTrustCA -t C,C,C -a < USERTrustRSAAddTrustCA.pem
$ certutil -A -d /etc/pki/pki-tomcat/alias/ -n GandiStandardSSLCA2 -t C,C,C -a < GandiStandardSSLCA2.pem

Should this not be done automatically by ipa-certupdate?

Are the above steps correct for installing 3rd party certificates in FreeIPA 4.2? Should I change anything?

We are planning to move these nodes into production very soon, any help would be much appreciated!

--
Kind regards,
 Peter Pakos
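
The post's manual fix (certutil -A into /etc/pki/pki-tomcat/alias after ipa-certupdate) is easy to get wrong on a node with several NSS databases. Below is an added example, not part of the original post and not FreeIPA's own code: a small POSIX sh script that compares each NSS database against the list of 3rd party root nicknames and reports (or, with --fix, imports) the ones that are missing. The database paths, nicknames, PEM filenames and the C,C,C trust flags are taken from the post; the certutil -L output format assumed by the parser is the standard NSS listing (nickname, whitespace, then "SSL,S/MIME,JAR/XPI" trust flags). DRY_RUN, the --check/--fix switches and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the post): report or repair 3rd party root CAs that
# are missing from the NSS databases ipa-certupdate rewrites.
set -u

DRY_RUN=1   # 1 = only report; 0 = run certutil -A for each missing root

# Read `certutil -L` output on stdin and print one nickname per line.
# Only lines ending in a trust-flag triple (e.g. "CT,C,C", "u,u,u", ",,")
# are certificate rows; the two header lines and blank lines are dropped.
nicknames_from_listing() {
    grep -E '[[:space:]][A-Za-z]*,[A-Za-z]*,[A-Za-z]*$' |
    sed -E 's/[[:space:]]+[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$//'
}

# $1: space-separated nicknames (no spaces inside a nickname, as in the post).
# stdin: certutil -L listing. Prints each nickname that is not in the listing.
missing_nicknames() {
    present=$(nicknames_from_listing)
    for nick in $1; do
        printf '%s\n' "$present" | grep -qxF -- "$nick" || printf '%s\n' "$nick"
    done
}

# $1: NSS database directory; remaining args: nickname=file.pem pairs.
# Imports each root that is absent, using the same flags the post uses.
add_missing_roots() {
    db=$1; shift
    listing=$(certutil -L -d "$db") || { echo "cannot list $db"; return 1; }
    for pair in "$@"; do
        nick=${pair%%=*}
        pem=${pair#*=}
        if [ -n "$(printf '%s\n' "$listing" | missing_nicknames "$nick")" ]; then
            if [ "$DRY_RUN" = 1 ]; then
                echo "MISSING $nick in $db (would run: certutil -A -d $db -n $nick -t C,C,C -a -i $pem)"
            else
                echo "adding $nick to $db"
                certutil -A -d "$db" -n "$nick" -t C,C,C -a -i "$pem"
            fi
        else
            echo "present $nick in $db"
        fi
    done
}

main() {
    # Gandi chain from the post: root -> intermediate -> intermediate.
    roots="AddTrust=AddTrust.pem USERTrustRSAAddTrustCA=USERTrustRSAAddTrustCA.pem GandiStandardSSLCA2=GandiStandardSSLCA2.pem"
    # Databases ipa-certupdate touches, per the post; override on the command line.
    dbs=${*:-"/etc/httpd/alias /etc/pki/nssdb /etc/pki/pki-tomcat/alias"}
    for db in $dbs; do
        if [ -d "$db" ]; then
            add_missing_roots "$db" $roots
        else
            echo "skip $db: no such directory"
        fi
    done
}

# Only act when told to, so the functions above can be sourced and tested.
case "${1:-}" in
    --check) shift; DRY_RUN=1; main "$@" ;;
    --fix)   shift; DRY_RUN=0; main "$@" ;;
esac
```

Run it as `sh ipa-check-roots.sh --check` right after ipa-certupdate to see which database lost the roots, and `--fix` (from the directory holding the PEM files) to import them; run `--check` again afterwards, and before `ipactl start`, so pki-tomcatd is not the thing that tells you a root is missing.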

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project