I've now set up a test box using exactly the same install command, SSL certificate etc...
The /etc/ipa/ca.crt contains only 3 certificates but they are not CA certificates that were included in the PKCS12 file:

[root@dupa temp]# for i in {1..3}; do echo cert${i}; openssl x509 -in cert${i} -noout -text | grep -i 'issuer:\|subject:'; done
cert1
        Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
        Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
cert2
        Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
        Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
cert3
        Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
        Subject: C=FR, ST=Paris, L=Paris, O=Gandi, CN=Gandi Standard SSL CA 2

So out of the box, the certificate "USERTrust RSA Certification Authority" is listed there twice.

[root@dupa temp]# certutil -L -d /etc/pki/nssdb/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

AddTrust External CA Root - AddTrust AB                      ,,
USERTrust RSA Certification Authority - AddTrust AB          ,,
Gandi Standard SSL CA 2 - The USERTRUST Network              C,,

[root@dupa temp]# certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

GandiWildcardIPA                                             u,u,u
AddTrust External CA Root - AddTrust AB                      ,,
USERTrust RSA Certification Authority - AddTrust AB          ,,
Gandi Standard SSL CA 2 - The USERTRUST Network              C,,

[root@dupa temp]# certutil -L -d /etc/dirsrv/slapd-IPA-WANDISCO-COM/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

GandiWildcardIPA                                             u,u,u
AddTrust External CA Root - AddTrust AB                      ,,
USERTrust RSA Certification Authority - AddTrust AB          ,,
Gandi Standard SSL CA 2 - The USERTRUST Network              C,,

Please note, in the databases the certificate "USERTrust RSA Certification Authority - AddTrust AB" is only listed once.

How do I fix our production installation?

--
Kind regards,
 Peter Pakos