The solution was to add the root certificate to tomcat: /var/lib/pki/pki-tomcat/alias/

Now everything seems to work.

Regards
Bjarne

From: [email protected] [mailto:[email protected]] On Behalf Of Bjarne Blichfeldt
Sent: 23 June 2016 13:40
To: [email protected]
Subject: Re: [Freeipa-users] Using 3rd party certificates for HTTP/LDAP (again)

Following this thread from January: https://www.redhat.com/archives/freeipa-users/2016-January/msg00223.html

I am trying to accomplish the same, but seem to be stuck.

My environment is:

    # cat /etc/redhat-release
    Red Hat Enterprise Linux Server release 7.2 (Maipo)

    # ipa ping
    -------------------------------------------
    IPA server version 4.2.0. API version 2.156
    -------------------------------------------

    # rpm -qa | grep ipa-server
    ipa-server-4.2.0-15.el7_2.15.x86_64

Like the OP, I have both a RootCA and a subCA, but I can't figure out how to install them. ipa-cacert-manage does not work, known bug.

I am testing by changing the server certificate for ldaps on an ipa replica and then running "ldapwhoami" and "ipa-replica-manage -v list" from the master ipa against the replica, but the replica server certificate is never accepted due to the missing root certificate.

The problem is how to install the root certificates. I have tried:

Copying the root certificates to /etc/pki/ca-trust/source/anchors and running update-ca-trust - no go.

Installing the root CAs in all the nssdb I could think of:

    DIR="/etc/httpd/alias /etc/dirsrv/slapd-DNREST-DCBSYS-NET /etc/ipa/nssdb /etc/pki/nssdb"
    for dir in $DIR ; do
        certutil -d $dir -A -n ECBsubCA -i subCA-sha256.pem -t CT,T,T
        certutil -d $dir -A -n ECBrootCA -i rootCA-sha256.pem -t CT,T,T
    done

Also no go. I am out of ideas now.

--
Regards,
Bjarne
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
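The lesson of the thread is that trust has to exist in the NSS database of the component doing the verification, and the Dogtag CA's tomcat instance keeps its own at /var/lib/pki/pki-tomcat/alias/, separate from the httpd, dirsrv and /etc/ipa/nssdb databases the poster populated. The following is an added example, not code from the thread or from FreeIPA: a POSIX shell helper that parses "certutil -L" output and reports, per NSS database, whether a CA nickname is present with SSL CA trust (a "C" in the first trust field, which is what makes the CA acceptable for server certificates; the poster's "CT,T,T" flags satisfy this). The nicknames, directory list and the sample listing are assumptions or constructed data, not output from the poster's host; "check_nssdbs" needs certutil on the box, the parsing functions do not.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): check which NSS databases
# trust a given CA nickname for SSL, based on "certutil -L -d <dir>" output.
#
# certutil -L prints one line per certificate: "<nickname>   <SSL>,<S/MIME>,<JAR>".
# Nicknames may contain spaces (for example "EXAMPLE.NET IPA CA"), so the trust
# attribute is taken as the last whitespace-separated field and the nickname is
# whatever precedes it. Trust flag letters are p, P, c, C, T, u, w.

# nss_trust_flags LISTING NICKNAME -> prints the trust attributes of NICKNAME,
# or nothing if the nickname is not in the listing.
nss_trust_flags() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $NF ~ /^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$/ {
            flags = $NF
            sub(/[[:space:]]+[^[:space:]]+[[:space:]]*$/, "")   # drop the trust column
            if ($0 == want) { print flags; exit }
        }'
}

# nss_has_ssl_ca LISTING NICKNAME -> 0 if the nickname is present and its SSL
# trust field (before the first comma) contains "C", 1 otherwise.
# ",," means the cert is stored but not trusted, "u,u,u" is a user/server cert.
nss_has_ssl_ca() {
    flags=$(nss_trust_flags "$1" "$2")
    [ -n "$flags" ] || return 1
    case "${flags%%,*}" in
        *C*) return 0 ;;
        *)   return 1 ;;
    esac
}

# check_nssdbs NICKNAME DIR... -> runs certutil -L against each existing NSS
# database directory and reports whether NICKNAME is trusted for SSL there.
# Returns non-zero if any database is missing the trust. Requires certutil.
check_nssdbs() {
    nick=$1; shift
    rc=0
    for dir in "$@"; do
        if [ ! -d "$dir" ]; then
            echo "skip    $dir (no such directory)"
            continue
        fi
        if ! listing=$(certutil -L -d "$dir" 2>/dev/null); then
            echo "FAIL    $dir (certutil -L failed)"
            rc=1
            continue
        fi
        if nss_has_ssl_ca "$listing" "$nick"; then
            echo "ok      $dir: $nick trusted for SSL"
        else
            echo "MISSING $dir: $nick not trusted for SSL (flags: '$(nss_trust_flags "$listing" "$nick")')"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample listing in certutil -L format (not real output from any host).
SAMPLE='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ECBrootCA                                                    CT,C,C
ECBsubCA                                                     ,,
EXAMPLE.NET IPA CA                                           CT,C,C
Server-Cert                                                  u,u,u'

# Usage on an IPA server (assumed paths; the tomcat one is the database the
# thread found missing):
#   sh check_nss_trust.sh --check ECBrootCA /etc/httpd/alias \
#       /etc/dirsrv/slapd-EXAMPLE-NET /etc/ipa/nssdb /etc/pki/nssdb \
#       /var/lib/pki/pki-tomcat/alias
if [ "${1:-}" = "--check" ]; then
    shift
    check_nssdbs "$@"
fi
```

Run it with "--check" and the nickname you imported the root CA under, followed by every NSS database directory the IPA components use; a MISSING line for /var/lib/pki/pki-tomcat/alias is exactly the state the thread ended up diagnosing by hand. Note that a sub-CA imported with ",," is present but not trusted, which the check reports the same way as an absent certificate.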
