Hi Günther, I wrote this wrapper last year, maybe this will help.
https://github.com/uZer/rootools/blob/master/pki/freeipa/gencerts.sh

If you use cnames:
==================================================================
$ ipa host-add cname.domain --force
$ ipa service-add service/fqdn
$ ipa service-add service/cname.domain --force
$ ipa service-add-host service/cname.domain --host fqdn

In nss.conf
==================================================================
#NSSPassPhraseDialog builtin
NSSPassPhraseDialog file:/etc/apache2/password.conf

In your virtual host:
==================================================================
NSSEngine on
NSSNickname certifnickname
NSSCertificateDatabase /path/to/db
NSSProtocol TLSv1.1,TLSv1.2
NSSVerifyClient none
# Update this with current recommended ciphersuites
NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
...

Hope this is still correct, feel free to send a pull request ;)

Regards,
--
Youenn Piolet
[email protected]

2016-06-21 19:41 GMT+02:00 Rob Crittenden <[email protected]>:
> Günther J. Niederwimmer wrote:
>
>> Hello Rob,
>>
>> On Wednesday, 1 June 2016, 09:54:58 CEST, Rob Crittenden wrote:
>>
>>> Günther J. Niederwimmer wrote:
>>>
>>>> Hello,
>>>>
>>>> On Tuesday, 31 May 2016, 11:06:09 CEST, Rob Crittenden wrote:
>>>>
>>>>> Günther J. Niederwimmer wrote:
>>>>>
>>>>>> Hello,
>>>>>> I found some help for the IPA certificate, but I found no way to
>>>>>> import the IPA CA?
>>>>>> I would like to create a webserver with an ownCloud virtualhost and
>>>>>> others.
>>>>>>
>>>>>> But it is not possible for me to create /etc/httpd/alias correctly?
>>>>>>
>>>>>> I found this in the IPA docs:
>>>>>>
>>>>>> certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt
>>>>>>
>>>>>> but with this command line I get an error: /etc/ipa/ca.crt has the
>>>>>> wrong format?
>>>>>>
>>>>>> Does anyone have a link to a working example?
>>>>>>
>>>>>
>>>>> Does the file /etc/ipa/ca.crt exist? It is installed there on enrolled
>>>>> clients so the documentation is written from that perspective.
>>>>>
>>>>
>>>> Yes.
>>>>
>>>>> You can grab a copy from any enrolled system, including an IPA Master.
>>>>> Otherwise the command looks ok assuming you were sitting in
>>>>> /etc/httpd/alias when the command was executed (-d .).
>>>>>
>>>>
>>>> Yes ;-).
>>>> But certutil says it is the wrong format for the certificate.
>>>>
>>>
>>> $ mkdir /tmp/testdb && cd /tmp/testdb
>>> $ certutil -N -d .
>>> $ certutil -A -d . -n 'EXAMPLE.COM IPA CA' -t CT,, -a < /etc/ipa/ca.crt
>>>
>>
>> On my system I get this message after installing ca.crt:
>>
>> p11-kit: objects of this type cannot be created
>>
>> Is this correct?
>>
>
> I'm not sure.
>
>> Another question: do I have to change the attributes (?), the IPA server
>> creates / imports this ca.crt with -t "CT,C,C"
>>
>
> It isn't super important. The order of those fields is SSL, S/MIME,
> code-signing. Chances are S/MIME will never be used and code-signing is
> used in some older releases but only once at install, so not having those
> set isn't a big deal.
>
> If you want things to be consistent you can use certutil -M -d . -t CT,C,C
> -n 'EXAMPLE.COM IPA CA'
>
> rob
>
>
>>> $ certutil -L -d .
>>>
>>> Certificate Nickname                                   Trust Attributes
>>>                                                        SSL,S/MIME,JAR/XPI
>>>
>>> EXAMPLE.COM IPA CA                                     CT,,
>>>
>>> I guess look at what is in /etc/ipa/ca.crt and ensure it is valid. You
>>> can use openssl for that:
>>>
>>> $ openssl x509 -text -inform PEM -in /etc/ipa/ca.crt
>>>
>>>> Something is wrong on my system!!
>>>>
>>>> For me it is not possible to have a working webserver (apache) with
>>>> mod_NSS on an enrolled ipa-client.
>>>>
>>>> In the last tests apache says it is the wrong "passwd" for the DB and
>>>> doesn't start?
>>>>
>>>> So now I start again with a new clean /etc/httpd/alias
>>>>
>>>
>>> Not knowing how you created the database or what your nss.conf looks
>>> like it's hard to say what is going on. If you set an NSS database
>>> password then you need to tell mod_nss about it.
>>>
>>> Typically you'd set this in nss.conf:
>>>
>>> NSSPassPhraseDialog "file:/etc/httpd/conf/password.conf"
>>>
>>> and create /etc/httpd/conf/password.conf with contents like:
>>>
>>> internal:SecretPassword123
>>>
>>> Ensure that the file is owned by apache:apache and mode 0400.
>>>
>>
>> This is the best INFO for this file ;-)
>>
>> Thanks
>>
>>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
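Two settings in this thread are easy to copy into a live nss.conf without re-checking them: the pass-phrase file Rob describes has to stay mode 0400, and the NSSCipherSuite list in Youenn's snippet (which he himself marks as needing an update) still enables RC4 and 3DES next to an NSSProtocol line that allows TLSv1.1. The following Python linter is an example added here, not code from the thread, from the gencerts.sh wrapper or from the mod_nss project; it reads nss.conf-style directives and reports those three conditions. The legacy-cipher markers, the set of accepted protocols and the sample configuration it lints are my own constructions for the example.

```python
"""Lint a mod_nss configuration for the points raised in the thread:
the NSSPassPhraseDialog file's permissions, legacy ciphers left enabled
in NSSCipherSuite, and pre-TLS-1.2 protocols in NSSProtocol."""
import os
import stat
import tempfile

# Substrings that mark a legacy cipher in mod_nss's NSSCipherSuite names.
# This list is an assumption made for the example, not a mod_nss setting.
WEAK_MARKERS = ("rc4", "rc2", "md5", "des", "null", "fortezza", "_40_", "_56_", "export")
# Protocols this linter accepts (TLS 1.0 and 1.1 are deprecated by RFC 8996).
ACCEPTABLE_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


def parse_cipher_suite(value):
    """Split a '+name,-name,...' directive value into (enabled, disabled) lists."""
    enabled, disabled = [], []
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        if token[0] == "-":
            disabled.append(token[1:])
        elif token[0] == "+":
            enabled.append(token[1:])
        else:
            enabled.append(token)  # no sign given: treat as enabled, the unsafe reading
    return enabled, disabled


def weak_enabled(value):
    """Return the enabled cipher names that contain a legacy marker."""
    enabled, _ = parse_cipher_suite(value)
    return [name for name in enabled if any(m in name.lower() for m in WEAK_MARKERS)]


def directives(conf_text):
    """Yield (directive, value) pairs, skipping blank and commented lines."""
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            yield parts[0], parts[1].strip().strip('"')


def check_passphrase_file(path):
    """Findings for the pass-phrase file: it must exist and be mode 0400."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: pass-phrase file is missing"]
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o400:
        return [f"{path}: mode {oct(mode)} (expected 0o400, owner apache:apache)"]
    return []


def lint_nss_conf(conf_text):
    """Return a list of human-readable findings for the given nss.conf text."""
    findings = []
    for name, value in directives(conf_text):
        if name == "NSSPassPhraseDialog" and value.startswith("file:"):
            findings.extend(check_passphrase_file(value[len("file:"):]))
        elif name == "NSSCipherSuite":
            findings.extend(f"NSSCipherSuite enables legacy cipher {c}" for c in weak_enabled(value))
        elif name == "NSSProtocol":
            for proto in value.split(","):
                proto = proto.strip()
                if proto and proto not in ACCEPTABLE_PROTOCOLS:
                    findings.append(f"NSSProtocol allows deprecated {proto}")
    return findings


def demo():
    """Run the linter on a constructed nss.conf: the thread's cipher list and
    protocol line, plus a pass-phrase file deliberately left world-readable."""
    tmp = tempfile.NamedTemporaryFile("w", delete=False)
    tmp.write("internal:SecretPassword123\n")  # constructed sample, as in the thread
    tmp.close()
    os.chmod(tmp.name, 0o644)  # too permissive on purpose
    conf = (
        "#NSSPassPhraseDialog builtin\n"
        f"NSSPassPhraseDialog file:{tmp.name}\n"
        "NSSProtocol TLSv1.1,TLSv1.2\n"
        "NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,"
        "-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,"
        "-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,"
        "-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha\n"
    )
    try:
        return lint_nss_conf(conf)
    finally:
        os.unlink(tmp.name)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run against the constructed sample, demo() reports six findings: the 0644 pass-phrase file, TLSv1.1, and the four enabled RC4/3DES suites (rsa_rc4_128_md5, rsa_rc4_128_sha, rsa_3des_sha, fips_3des_sha). Pointing lint_nss_conf() at a real /etc/httpd/conf.d/nss.conf is a quick way to confirm that the file-based pass-phrase dialog was tightened as Rob describes before the database password goes into it.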
