I've now set up a test box using exactly the same install command, SSL
certificate etc...
The /etc/ipa/ca.crt contains only 3 certificates but they are not CA
certificates that were included in the PKCS12 file:

[root@dupa temp]# for i in {1..3}; do echo cert${i}; openssl x509 -in cert${i} -noout -text | grep -i 'issuer:\|subject:'; done
cert1
Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
cert2
Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
cert3
Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
Subject: C=FR, ST=Paris, L=Paris, O=Gandi, CN=Gandi Standard SSL CA 2

So out of the box, the certificate "USERTrust RSA Certification
Authority" is listed there twice.

[root@dupa temp]# certutil -L -d /etc/pki/nssdb/
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
AddTrust External CA Root - AddTrust AB                      ,,
USERTrust RSA Certification Authority - AddTrust AB          ,,
Gandi Standard SSL CA 2 - The USERTRUST Network              C,,

[root@dupa temp]# certutil -L -d /etc/httpd/alias/
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
GandiWildcardIPA                                             u,u,u
AddTrust External CA Root - AddTrust AB                      ,,
USERTrust RSA Certification Authority - AddTrust AB          ,,
Gandi Standard SSL CA 2 - The USERTRUST Network              C,,

[root@dupa temp]# certutil -L -d /etc/dirsrv/slapd-IPA-WANDISCO-COM/
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
GandiWildcardIPA                                             u,u,u
AddTrust External CA Root - AddTrust AB                      ,,
USERTrust RSA Certification Authority - AddTrust AB          ,,
Gandi Standard SSL CA 2 - The USERTRUST Network              C,,

Please note, in the databases the certificate "USERTrust RSA
Certification Authority - AddTrust AB" is only listed once.
How do I fix our production installation?
--
Kind regards,
Peter Pakos
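
Added example, not part of the original message or of FreeIPA's own tooling: a shell/awk check that compares Subject and Issuer for every certificate in a bundle, so that entries sharing a subject can be told apart as self-signed or issued by another CA. The function names and the output format are made up for this example; the sample input is constructed from the name pairs quoted above, unwrapped to one line each.

```shell
#!/bin/sh
# Added example: classify the certificates in a CA bundle by comparing
# Subject and Issuer names. Function names here are hypothetical.

# Real PEM bundle -> name lines. Needs openssl; not called in the demo below.
bundle_names() {
    openssl crl2pkcs7 -nocrl -certfile "$1" |
        openssl pkcs7 -print_certs -noout |
        sed -n 's/^issuer=/Issuer: /p; s/^subject=/Subject: /p'
}

# stdin:  "Issuer:" / "Subject:" lines, one pair per certificate, either order.
# stdout: certN|self-signed or issued-by-other|note|text after the last CN=
classify_names() {
    awk '
    function cn(dn) { sub(/^.*CN ?= ?/, "", dn); return dn }
    /^[ \t]*Issuer:/  { sub(/^[ \t]*Issuer:[ \t]*/, "");  iss = $0;  hi = 1 }
    /^[ \t]*Subject:/ { sub(/^[ \t]*Subject:[ \t]*/, ""); subj = $0; hs = 1 }
    hi && hs { n++; I[n] = iss; S[n] = subj; hi = hs = 0 }
    END {
        for (k = 1; k <= n; k++) {
            note = "unique"
            for (j = 1; j <= n; j++) {
                if (j == k || S[j] != S[k]) continue
                if (I[j] != I[k]) { note = "same-subject-different-issuer"; break }
                note = "same-subject-same-issuer"
            }
            kind = (S[k] == I[k]) ? "self-signed" : "issued-by-other"
            printf "cert%d|%s|%s|%s\n", k, kind, note, cn(S[k])
        }
    }'
}

# Constructed sample: the three name pairs from the output above.
sample_names() {
    cat <<'EOF'
Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
Subject: C=FR, ST=Paris, L=Paris, O=Gandi, CN=Gandi Standard SSL CA 2
EOF
}

sample_names | classify_names
```

On a real system, bundle_names /etc/ipa/ca.crt | classify_names gives the same report for the installed bundle.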