The solution was to add to root certificate to tomcat:  
Now everything seems to work.


[] On Behalf Of Bjarne Blichfeldt
Sent: 23. juni 2016 13:40
Subject: Re: [Freeipa-users] Using 3rd party certificates for HTTP/LDAP (again)

Following this thread from January:
I am trying to accomplish the same, but seems to be stuck.

My environment is:
# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.2 (Maipo)

# ipa ping
IPA server version 4.2.0. API version 2.156
# rpm -qa | grep ipa-server

As the OP I have both a RootCA and a subCA. But I can't figure out how to 
install them. ipa-cacert-manage does not work, known bug.

I am testing by changing the server certificate for ldaps on an ipa replica and 
then run "ldapwhoami" and "ipa-replica-manage -v list" from the master ipa 
against the replica, but the replica server certificate is never accepted due 
to missing root certificate.

The problem is how to install the root certificates.
I have tried:
Copy the root certificates to /etc/pki/ca-trust/source/anchors and run 
update-ca-trust - no go.

Installed the root Ca's in all the nssdb I could think of:
DIR="/etc/httpd/alias  /etc/dirsrv/slapd-DNREST-DCBSYS-NET /etc/ipa/nssdb  
for dir in $DIR ; do
        certutil -d $dir -A -n ECBsubCA  -i subCA-sha256.pem  -t CT,T,T
        certutil -d $dir -A -n ECBrootCA  -i rootCA-sha256.pem -t CT,T,T

Also no go.

I am out of ideas now.


Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to