Hi Peter,

On 18.1.2016 01:32, Peter Pakos wrote:
> Hi,
>
> I have FreeIPA 4.2 (CA-ful) installed on CentOS 7.2 with 3rd party SSL
> certificates installed for HTTP/LDAP.
>
> When I run "ipa-certupdate" I can see that the 3rd party root
> certificates are being removed from databases (/etc/httpd/alias,
> /etc/pki/nssdb, /etc/pki/pki-tomcat/alias) and then re-added (apart from
> /etc/pki/pki-tomcat/alias).
>
> Without the 3rd party root certificates in /etc/pki/pki-tomcat/alias,
> the service pki-tomcatd is unable to start up.
>
> This is the complete process I'm following to install 3rd party
> certificates (please let me know if I'm doing anything wrong):
>
> ### 3rd party SSL certificate install ##################################
>
> # Gandi *.ipa.wandisco.com certificate chain
> # AddTrust.pem -> USERTrustRSAAddTrustCA.pem -> GandiStandardSSLCA2.pem -> star.ipa.wandisco.com.crt
>
> $ openssl verify -verbose -CAfile <(cat AddTrust.pem USERTrustRSAAddTrustCA.pem GandiStandardSSLCA2.pem) star.ipa.wandisco.com.crt
> star.ipa.wandisco.com.crt: OK
>
> # Bug in ipa-cacert-manage, comment out lines 349-352
> $ vim /usr/lib/python2.7/site-packages/ipaserver/install/ipa_cacert_manage.py
>
> $ ipa-cacert-manage install AddTrust.pem -n AddTrust -t C,C,C
> $ ipa-cacert-manage install USERTrustRSAAddTrustCA.pem -n USERTrustRSAAddTrustCA -t C,C,C
> $ ipa-cacert-manage install GandiStandardSSLCA2.pem -n GandiStandardSSLCA2 -t C,C,C
>
> # Add root certificates to databases <- THIS IS WHERE THE ABOVE ROOT
> # CERTIFICATES SHOULD BE INSTALLED IN /etc/pki/pki-tomcat/alias BUT THEY
> # AREN'T
> $ ipa-certupdate
>
> # Create PKCS12 certificate file including private key and full chain
> $ openssl pkcs12 -export -out star.ipa.wandisco.com.pfx -inkey star.ipa.wandisco.com.key -in star.ipa.wandisco.com.crt -certfile <(cat AddTrust.pem USERTrustRSAAddTrustCA.pem GandiStandardSSLCA2.pem) -name 'GandiWildcardIPA'
>
> # Install PKCS12 certificate to LDAP and HTTP databases:
> $ pk12util -d /etc/dirsrv/slapd-IPA-WANDISCO-COM/ -i star.ipa.wandisco.com.pfx
> $ pk12util -d /etc/httpd/alias/ -i star.ipa.wandisco.com.pfx
>
> # Stop IPA
> $ ipactl stop
>
> # Edit /etc/dirsrv/slapd-IPA-WANDISCO-COM/dse.ldif to point dirsrv to new certificate
> # Replace:
> nsSSLPersonalitySSL: Server-Cert
> # with:
> nsSSLPersonalitySSL: GandiWildcardIPA
>
> # Edit /etc/httpd/conf.d/nss.conf to point httpd to new certificate
> # Replace:
> NSSNickname Server-Cert
> # with:
> NSSNickname GandiWildcardIPA
>
> # Start IPA
> $ ipactl start
>
> #####################################################################
>
> In order to fix this, I have to manually add root certificates to the
> database:
>
> $ certutil -A -d /etc/pki/pki-tomcat/alias/ -n AddTrust -t C,C,C -a < AddTrust.pem
> $ certutil -A -d /etc/pki/pki-tomcat/alias/ -n USERTrustRSAAddTrustCA -t C,C,C -a < USERTrustRSAAddTrustCA.pem
> $ certutil -A -d /etc/pki/pki-tomcat/alias/ -n GandiStandardSSLCA2 -t C,C,C -a < GandiStandardSSLCA2.pem
>
> Should this not be done automatically by ipa-certupdate?

It should: <https://fedorahosted.org/freeipa/ticket/5600>.

> Are the above steps correct for installing 3rd party certificates in
> FreeIPA 4.2? Should I change anything?

Looks OK to me.

> We are planning to move these nodes into production very soon, any help
> would be much appreciated!

Honza

--
Jan Cholasta
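As an added example, not code from the thread or from FreeIPA, here is a POSIX shell check that parses `certutil -L` output and reports which of the three root CA nicknames from the quoted procedure are not trusted as CAs in a database, so that the gap left by ipa-certupdate in /etc/pki/pki-tomcat/alias can be spotted before pki-tomcatd is started. The database paths and nicknames are the ones quoted above; `missing_nicks`, `check_all_dbs` and the sample listing are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the thread): confirm the third-party root CAs are
# trusted in each NSS database ipa-certupdate maintains. Needs nss-tools
# (certutil) for the live check; missing_nicks itself only needs awk.

# Root CA nicknames from the quoted procedure.
EXPECTED_NICKS="AddTrust USERTrustRSAAddTrustCA GandiStandardSSLCA2"

# Databases the quoted message says ipa-certupdate touches.
NSS_DBS="/etc/httpd/alias /etc/pki/nssdb /etc/pki/pki-tomcat/alias"

# Constructed sample of `certutil -L` output: one root is missing.
SAMPLE_LISTING='Certificate Nickname                            Trust Attributes
                                                SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                       CTu,Cu,Cu
Server-Cert cert-pki-ca                         u,u,u
AddTrust                                        C,C,C
GandiStandardSSLCA2                             C,C,C'

# missing_nicks LISTING: LISTING is the text printed by `certutil -L -d DB`
# ("<nickname>   <SSL,S/MIME,JAR trust>" per certificate). Prints each
# expected nickname that is absent or whose SSL trust lacks the C flag.
missing_nicks() {
    listing=$1
    for nick in $EXPECTED_NICKS; do
        printf '%s\n' "$listing" | awk -v n="$nick" '
            NF >= 2 {
                split($NF, t, ",")                     # t[1] = SSL trust
                line = $0
                sub(/[ \t]+[^ \t]+[ \t]*$/, "", line)   # drop trust column
                if (line == n && index(t[1], "C") > 0) found = 1
            }
            END { if (found) exit 0; exit 1 }' || printf '%s\n' "$nick"
    done
}

# check_all_dbs: run the check against the live databases; names each
# missing root and returns non-zero if any database lacks one.
# Usage: . ./check_roots.sh && check_all_dbs
check_all_dbs() {
    rc=0
    for db in $NSS_DBS; do
        [ -d "$db" ] || continue
        for nick in $(missing_nicks "$(certutil -L -d "$db" 2>/dev/null)"); do
            echo "MISSING: $nick is not a trusted CA in $db"
            rc=1
        done
    done
    return $rc
}
```

Run `check_all_dbs` right after `ipa-certupdate`; a non-zero exit on /etc/pki/pki-tomcat/alias is the condition that the manual `certutil -A` step in the quoted message works around.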
