This is a follow-up to
https://www.redhat.com/archives/freeipa-users/2016-January/msg00023.html
From: Jan Cholasta <jcholast redhat com>
To: Peter Pakos <peter pakos pl>, freeipa-users redhat com
My question is, what is the correct way of installing a 3rd party
certificate for HTTP/LDAP that will actually work?
1. Install the CA certificate chain of the issuer of the 3rd party certificate
to IPA using "ipa-cacert-manage install"
2. Run "ipa-certupdate" to update CA certificate related IPA configuration.
3. Manually import the server certificate into the /etc/dirsrv/slapd-REALM NSS
database, configure the correct nickname in LDAP in the nsSSLPersonalitySSL
attribute of cn=RSA,cn=encryption,cn=config and restart DS.
4. Manually import the server certificate into the /etc/httpd/alias NSS
database, configure the correct nickname in /etc/httpd/conf.d/nss.conf using
the NSSNickname directive and restart httpd.
I am in a similar situation and have some follow-up questions:
ad1: If I run ipa-cacert-manage install
--external-cert-file=/path/to/external_ca_certificate-chain, does this simply
add the chain as an extra root CA without destroying the existing ipa-ca?
ad3: I assume the import is: certutil -A -d /etc/dirsrv/slapd-REALM. How do I
configure the LDAP attribute?
Is it just a matter of making the change in /etc/dirsrv/ldap*/dse.ldif and
restarting?
Also:
Where is the private key in all this? I generate a csr with openssl, send csr
to ca, receive certificate, but I don't see any option in certutil to specify
the private key. I did find an instruction in importing pkcs12 into nssdb, is
this what is meant here?
Our setup:
4 ipa servers, rhel7.2, ipa ping = "IPA server version 4.2.0. API version 2.156"
mix of rhel6 (ipa-client 3.0.xx) and rhel7.1 (ipa-client 4.1.xx).
Regards,
Bjarne Blichfeldt
JN Data A/S * Havsteensvej 4 * 4000 Roskilde
Telefon 63 63 63 63 / Fax 63 63 63 64
www.jndata.dk
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
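The quoted four-step procedure and the follow-up questions (where the private key goes, how the LDAP attribute is set, how the httpd nickname is changed) as one shell script. This is an added example, not code from the thread or from the FreeIPA project. It assumes a 389 DS instance directory of /etc/dirsrv/slapd-EXAMPLE-COM, the FreeIPA-style NSS password files pwdfile.txt in each NSS database directory, a Directory Manager password file and a PKCS#12 password file at the hypothetical paths given at the top, and the file names server.key/server.csr/server.crt/ca-chain.pem/server.p12 for the artifacts; it uses the positional CERTFILE form of ipa-cacert-manage install. The key point for the "where is the private key" question: certutil -A imports a certificate only, so the openssl-generated key is carried into both NSS databases inside a PKCS#12 bundle via pk12util, and the bundle's -name becomes the NSS nickname. The nsSSLPersonalitySSL change is made over LDAP rather than by editing dse.ldif, because a running instance rewrites dse.ldif and a hand edit only takes effect when the instance is stopped. DRY_RUN=1 prints the privileged commands instead of running them, which is also how the script can be exercised on a machine without IPA.

```shell
#!/bin/bash
# Added example, not from the thread. The four quoted steps as shell functions,
# plus the private-key handling the follow-up asks about. Values marked
# "assumed" are placeholders for this example.
set -eu

DS_DB="${DS_DB:-/etc/dirsrv/slapd-EXAMPLE-COM}"     # assumed instance name
DS_PW="${DS_PW:-$DS_DB/pwdfile.txt}"                 # NSS DB password file
HTTPD_DB="${HTTPD_DB:-/etc/httpd/alias}"
HTTPD_PW="${HTTPD_PW:-$HTTPD_DB/pwdfile.txt}"
NSS_CONF="${NSS_CONF:-/etc/httpd/conf.d/nss.conf}"
NICK="${NICK:-Server-Cert}"                 # nickname used in both NSS DBs
DM_PW="${DM_PW:-/root/dm-password.txt}"     # assumed: Directory Manager password file
P12_PW="${P12_PW:-/root/p12-password.txt}"  # assumed: PKCS#12 export password file
KEY=server.key; CSR=server.csr; CERT=server.crt; CHAIN=ca-chain.pem; P12=server.p12

# DRY_RUN=1 prints each privileged command instead of executing it.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Phase 1: key and CSR with openssl. certutil cannot attach a key generated
# outside NSS, so the key travels into the NSS DBs inside a PKCS#12 (phase 2).
make_csr() {   # $1 = server FQDN
  run openssl req -new -newkey rsa:2048 -nodes -subj "/CN=${1:?fqdn}" \
      -keyout "$KEY" -out "$CSR"
}

# Phase 2 starts once the CA has returned server.crt and its issuer chain.
make_p12() {   # -name sets the friendly name, which NSS uses as the nickname
  run openssl pkcs12 -export -name "$NICK" -inkey "$KEY" -in "$CERT" \
      -certfile "$CHAIN" -passout "file:$P12_PW" -out "$P12"
}

# Steps 1 and 2: publish the issuer chain and refresh IPA's trust stores.
install_ca_chain() {
  run ipa-cacert-manage install "$CHAIN"
  run ipa-certupdate
}

# Steps 3 and 4 (shared part): import key+cert, then verify before switching.
import_into_db() {   # $1 = NSS DB dir, $2 = its password file
  run pk12util -i "$P12" -d "$1" -k "$2" -w "$P12_PW"  # certutil -A would add the cert only
  run certutil -K -d "$1" -f "$2"                      # lists keys: the private key must appear
  run certutil -V -d "$1" -f "$2" -n "$NICK" -u V      # validates it as an SSL server cert
}

# Step 3: point 389 DS at the nickname over LDAP. A hand edit of dse.ldif only
# takes effect with the instance stopped; a live modify is the safer route.
ds_nickname_ldif() {   # $1 = nickname; prints the LDIF on stdout
  printf 'dn: cn=RSA,cn=encryption,cn=config\nchangetype: modify\n'
  printf 'replace: nsSSLPersonalitySSL\nnsSSLPersonalitySSL: %s\n' "$1"
}
configure_ds() {
  import_into_db "$DS_DB" "$DS_PW"
  ds_nickname_ldif "$NICK" | run ldapmodify -x -H ldap://localhost \
      -D "cn=Directory Manager" -y "$DM_PW"
  run systemctl restart "dirsrv@${DS_DB##*/slapd-}.service"
}

# Step 4: httpd's NSS module reads the nickname from nss.conf.
set_nss_nickname() {   # $1 = nss.conf path, $2 = nickname; prints the resulting line
  sed "s/^NSSNickname[[:space:]].*/NSSNickname $2/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
  grep '^NSSNickname' "$1"
}
configure_httpd() {
  import_into_db "$HTTPD_DB" "$HTTPD_PW"
  set_nss_nickname "$NSS_CONF" "$NICK"
  run systemctl restart httpd
}

# Usage: ./install-3rd-party-cert.sh csr ipa1.example.com   (then send server.csr to the CA)
#        ./install-3rd-party-cert.sh install                 (after server.crt and ca-chain.pem arrive)
case "${1:-}" in
  csr)     make_csr "${2:?fqdn}" ;;
  install) make_p12; install_ca_chain; configure_ds; configure_httpd ;;
esac
```

Run the verification lines (certutil -K and certutil -V) before restarting anything: if -K does not list a key for the nickname the PKCS#12 import did not bring the key along, and if -V fails the issuer chain is not trusted in that database yet (step 2 has to have completed first). The nickname must not contain sed metacharacters such as "/" or "&", since set_nss_nickname substitutes it into a sed expression.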