Günther J. Niederwimmer wrote:
Hello Rob,

On Wednesday, 1 June 2016, 09:54:58 CEST, Rob Crittenden wrote:
Günther J. Niederwimmer wrote:

On Tuesday, 31 May 2016, 11:06:09 CEST, Rob Crittenden wrote:
Günther J. Niederwimmer wrote:
I found some help for the IPA certificate, but I found no way to import it.
I would like to create a web server with an ownCloud virtual host and others.

But I am not able to create /etc/httpd/alias correctly?

I found this in the IPA docs:

certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt

but with this command line I get an error that /etc/ipa/ca.crt has the wrong
format?

Does anyone have a link to a working example?

Does the file /etc/ipa/ca.crt exist? It is installed there on enrolled
clients so the documentation is written from that perspective.


You can grab a copy from any enrolled system, including an IPA Master.
Otherwise the command looks ok assuming you were sitting in
/etc/httpd/alias when the command was executed (-d .).

Yes ;-),
but certutil says the certificate is in the wrong format.

$ mkdir /tmp/testdb && cd /tmp/testdb
$ certutil -N -d .
$ certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt

On my system I get this message after installing ca.crt:

p11-kit: objects of this type cannot be created

Is this correct?

I'm not sure.

Another question: do I have to change the attributes (?). The IPA server creates /
imports this ca.crt with -t "CT,C,C".

It isn't super important. The order of those fields is SSL, S/MIME, code-signing. Chances are S/MIME will never be used and code-signing is used in some older releases but only once at install, so not having those set isn't a big deal.

If you want things to be consistent you can use certutil -M -d . -t CT,C,C -n 'EXAMPLE.COM IPA CA'


$ certutil -L -d .

Certificate Nickname                                         Trust

EXAMPLE.COM IPA CA                                           CT,,

I guess look at what is in /etc/ipa/ca.crt and ensure it is valid. You
can use openssl for that:

$ openssl x509 -text -inform PEM -in /etc/ipa/ca.crt

Something is wrong on my system!!

For me it is not possible to have a working web server (Apache) with mod_nss
on an enrolled IPA client.

In the last tests Apache says it is the wrong "passwd" for the DB and doesn't

So now I am starting again with a new, clean /etc/httpd/alias.

Not knowing how you created the database or what your nss.conf looks
like, it's hard to say what is going on. If you set an NSS database
password then you need to tell mod_nss about it.

Typically you'd set this in nss.conf:

NSSPassPhraseDialog "file:/etc/httpd/conf/password.conf"

and create /etc/httpd/conf/password.conf with contents like:


Ensure that the file is owned by apache:apache and mode 0400.

This is the best info for this file ;-)
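The steps Rob describes across this thread (create the database, import the CA with certutil, check the trust flags, point NSSPassPhraseDialog at a password file with tight permissions) as one script. This is an added example, not code from the thread, from FreeIPA or from mod_nss. The database directory, the CA path, the password.conf path and the nickname are assumptions that follow the values used in the thread and can be overridden via the environment; the "internal:<password>" line is mod_nss's token:password passphrase-file format, which the thread mentions but does not show. Obtaining the server certificate and key (for example with ipa-getcert) and setting NSSNickname in nss.conf are separate steps not covered here. Nothing under /etc is touched unless RUN_SETUP=1 is set.

```shell
#!/bin/sh
# Added example (not from the thread, FreeIPA or mod_nss): build the mod_nss
# certificate database, import the IPA CA with the CT,C,C trust the IPA
# server itself uses, and create the passphrase file that
# NSSPassPhraseDialog "file:..." in nss.conf points at.
set -eu

NSSDB="${NSSDB:-/etc/httpd/alias}"                  # mod_nss NSS database dir (assumed)
IPA_CA="${IPA_CA:-/etc/ipa/ca.crt}"                  # copy from any enrolled client
PWCONF="${PWCONF:-/etc/httpd/conf/password.conf}"    # file named in nss.conf
CA_NICK="${CA_NICK:-EXAMPLE.COM IPA CA}"             # nickname used in the thread

# certutil -A -a reads PEM (base64 between BEGIN/END armour). A DER copy, an
# empty file or a truncated copy is rejected as bad data, so check the armour
# before importing rather than guessing at the certutil error.
ca_is_pem() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
        grep -q -- '-----END CERTIFICATE-----' "$1"
}

# mod_nss reads "token:password" lines from the passphrase file; "internal" is
# the NSS software token whose password certutil -N set. The file is created
# with umask 077 so it is never readable by other users, then locked to 0400.
write_password_conf() {
    conf="$1" pwfile="$2"
    pw=$(cat "$pwfile")
    ( umask 077; printf 'internal:%s\n' "$pw" > "$conf" )
    chmod 0400 "$conf"
    # Only root can hand the file to the httpd user; skip that step otherwise.
    if [ "$(id -u)" -eq 0 ] && id apache >/dev/null 2>&1; then
        chown apache:apache "$conf"
    fi
    return 0
}

# Owner-only read: the ls -l mode column must be exactly "-r--------"
# (a trailing SELinux "." or ACL "+" is outside the first ten characters).
password_conf_mode_ok() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-r--------" ]
}

# Trust column certutil -L prints for a nickname, e.g. "CT,C,C" or "CT,,".
ca_trust_flags() {
    db="$1" nick="$2"
    certutil -L -d "$db" | awk -v n="$nick" 'index($0, n) == 1 { print $NF }'
}

# Full procedure: fresh database, CA import, trust check, passphrase file.
setup_mod_nss_db() {
    if ! ca_is_pem "$IPA_CA"; then
        echo "$IPA_CA is not PEM; convert it first with openssl x509 -inform DER" >&2
        return 1
    fi
    mkdir -p "$NSSDB"
    pwfile=$(mktemp)
    ( umask 077; head -c 24 /dev/urandom | base64 > "$pwfile" )
    certutil -N -d "$NSSDB" -f "$pwfile"          # new DB protected by that password
    certutil -A -d "$NSSDB" -n "$CA_NICK" -t CT,C,C -a -i "$IPA_CA"
    if [ "$(ca_trust_flags "$NSSDB" "$CA_NICK")" != "CT,C,C" ]; then
        echo "CA imported with unexpected trust flags; fix with certutil -M -t CT,C,C" >&2
        return 1
    fi
    write_password_conf "$PWCONF" "$pwfile"       # same password mod_nss must present
    rm -f "$pwfile"
    openssl x509 -noout -subject -dates -in "$IPA_CA"   # the sanity check Rob suggested
}

if [ "${RUN_SETUP:-0}" = 1 ]; then
    setup_mod_nss_db
fi
```

Run it as root with RUN_SETUP=1 on the web server after copying /etc/ipa/ca.crt from an enrolled client; the remaining piece is the server certificate and key in the same database and the matching NSSNickname in nss.conf. If the trust check fails after a manual import, the certutil -M command Rob gave resets the flags without re-importing the certificate.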


Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
