On Mon, Aug 1, 2016 at 10:15 AM, Petr Vobornik <pvobo...@redhat.com> wrote:

> On 07/31/2016 07:45 AM, Richard Harmonson wrote:
> > I having challenges resuming ipa-server-install --external-ca. I am
> reasonably
> > confident I am not providing the right certificate and/or format from my
> > off-line root CA using 389 and Dogtag.
> >
> > Does anyone have instructions on how to accomplish the task of exporting
> the
> > correct certificates in the expected format?
> >
> > Thank you.
> >
> The IPA procedure with prerequisites is described at
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-external-ca
> Or are you rather asking for specific PKI instructions?
> e.g.
> *
> http://pki.fedoraproject.org/wiki/PKI_Certificate_CLI#Submitting_a_Certificate_Request
> *
> http://pki.fedoraproject.org/wiki/CA_Certificate_Profiles#caCACert:_Manual_Certificate_Manager_Signing_Certificate_Enrollment
> --
> Petr Vobornik

I read the suggested document, previously, but its an excellent shared
reference for this discussion.

I have successfully submitted and approved the csr. Dogtag provides a web
UI which provides a Base 64 encoded certificate or Base 64 encoded
certificate with CA certificate chain in pkcs7 format.

For the servercert2010601.pem (the signed CSR request signing CA
certificate 0x9) referenced in the article, do I  copy and paste
(-----BEGIN .. END-----) the base 64 (not pkcs7) to a file using *.pem then
submit using one of the two --external-cert-file?

For the cacert.pem (the Root CA signing certificate 0x1) referenced in the
article, do I copy and paste the base 64 with ca in pkcs7 format to a file
using *.pkcs7 (or pem or does it matter?) then submit using the second

Your guidance is much appreciated.
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to