YES!  Thank you so much.

On 08/02/2016 08:19 AM, Florence Blanc-Renaud wrote:
> On 08/02/2016 03:17 PM, Ian Harding wrote:
>> Hello!
>> I have been using FreeIPA for a while in our network with 6 replicas and
>> it's been working great.  I seem to have made a wee mistake though and
>> I'd appreciate some help.
>> I did this:
>> on one server because I had a new cert for our internal domain and I
>> thought it might be nice to use the same cert for all our internal web
>> services.
>> It worked fine but now when I'm on that server I get
>> SEC_ERROR_UNTRUSTED_ISSUER when I run ipa commands.  Is there any way I
>> can roll this back, or make it work as is?
>> Thanks!
>> -Ian
> Hi Ian,
> if the certificate that you installed was issued by a CA not known by
> IPA (let's call him the issuer), then you need to add this issuer cert
> first using:
> ipa-cacert-manage install <issuer certificate file> -n nickname -t C,,
> kinit admin
> ipa-certupdate
> You can check that the issuer cert is properly installed in
> /etc/httpd/alias and /etc/ipa/nssdb with:
> certutil -L -d /etc/httpd/alias
> certutil -L -d /etc/ipa/nssdb
> where it should appear with C,, flags
> Hope this helps,
> Flo.

Ian Harding
IT Director
Brown Paper Tickets
1-800-838-3006 ext 7186
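
Added example, not part of the original thread and not FreeIPA's own tooling: a small shell check for the verification step in the reply above, parsing `certutil -L` output to confirm that the issuer nickname carries the `C` trust flag in the SSL field. The listing and the nicknames in it are constructed sample data, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `certutil -L` output; all nicknames are made up.
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
EXAMPLE.TEST IPA CA                                          CT,C,C
Internal Issuer CA                                           C,,
Stale Issuer CA                                              ,,
'

# trust_flags NICKNAME: read a certutil -L listing on stdin and print the
# trust attributes of the exactly matching nickname. Nicknames may contain
# spaces, so the flags are taken from the last whitespace-separated field.
trust_flags() {
    awk -v nick="$1" '
        NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            flags = $NF
            name = $0
            sub(/[ \t]+[^ \t]+$/, "", name)   # drop the flags column
            sub(/^[ \t]+/, "", name)          # drop leading whitespace
            if (name == nick) { print flags; found = 1; exit }
        }
        END { exit (found ? 0 : 1) }
    '
}

# has_ssl_ca_trust NICKNAME: return 0 if the SSL field (first of the three)
# contains "C", 1 if the nickname exists without it, 2 if it is missing.
has_ssl_ca_trust() {
    flags=$(trust_flags "$1") || return 2
    case "${flags%%,*}" in
        *C*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Demo on the constructed listing. On a real server, pipe in the live output:
#   certutil -L -d /etc/httpd/alias | has_ssl_ca_trust "nickname"
#   certutil -L -d /etc/ipa/nssdb   | has_ssl_ca_trust "nickname"
for nick in "Internal Issuer CA" "Stale Issuer CA" "Missing CA"; do
    if printf '%s\n' "$SAMPLE_LISTING" | has_ssl_ca_trust "$nick"; then
        echo "$nick: SSL CA trust present"
    else
        echo "$nick: SSL CA trust absent or nickname missing (rc=$?)"
    fi
done
```

A return code of 2 means the issuer certificate is not in that database at all, which is a different problem from an installed certificate with the wrong trust flags.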
