On 09/29/2016 11:43 AM, beeth beeth wrote:
Thanks for the quick response Florence!

My goal is the use a 3rd party certificate(such as Verisign cert) for
Web UI(company security requirement), in fact we are not required to use
3rd party certificate for the LDAP server, but as I mentioned earlier, I
couldn't make the new Verisign cert to work with the Web UI, without
messing up the IPA function(after I updated the nss.conf to use the new
cert in the /etc/httpd/alias db, the ipa_client_install failed). So I
tried to follow the Redhat instruction, to see if I can get the Verisign
cert installed at the most beginning, without using FreeIPA's
own/default certificate), but I got the CSR question.

I did install IPA without a CA, by following the instruction at
but failed to restart HTTPD. When and how can I provide the 3rd-party
certificate? Could you please point me a document about the detail?

you need first to clarify if you want FreeIPA to act as a CA or not. The setup will depend on this choice.

- option a) FreeIPA with an embedded CA:
you can install FreeIPA with a self-signed CA, then follow the instructions at https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP in order to replace the WebUI certificate. Please note that there were some bugs in ipa-server-certinstall, preventing httpd from starting (Ticket #4786 [1]). The workaround is to manually update nss.conf (as you did) and manually import the CA certificate into /etc/pki/pki-tomcat/alias, for instance with
$ certutil -A -d /etc/pki/pki-tomcat/alias -i cacert.pem -n nickname -t C,,

- option b) Free IPA without CA
the installation instructions are in Installing without a CA [2]. You will provide the certificate that will be used by both the LDAP server and the WebUI in the command options.


[1] https://fedorahosted.org/freeipa/ticket/4786
[2] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-ca

Thanks again!

On Thu, Sep 29, 2016 at 5:25 AM, Florence Blanc-Renaud <f...@redhat.com
<mailto:f...@redhat.com>> wrote:


    The instructions that you followed are used when you want to install
    FreeIPA with an embedded Certificate Authority (ie FreeIPA is able
    to issue certificates), and FreeIPA CA is signed by a 3rd party CA.

    Maybe your goal is just to use a 3rd party certificate for IPA's
    LDAP server and Web UI. In this case, you do not need to install
    FreeIPA with an embedded CA. You can follow the instructions for
    Installing without a CA [1], where you will need to provide a
    3rd-part certificate.

    Hope this clarifies,


    On 09/29/2016 11:03 AM, beeth beeth wrote:

        I am trying to set up IPA servers with Verisign certificate, so
        that the
        Admin Web console can use public signed certificate to meet
        security requirement. But when I try to follow Red Hat's
        instructions at

        2.3.5. Installing a Server with an External CA as the Root CA,
        at the first step it says to generate CSR by adding the
        option to the ipa-server-install utility, which does generate a
        CRS at
        /root/ipa.csr. However, the ipa-server-install command in fact
        ask for Distinguished Name (DN) or the organization info(like
        state, etc.), which are required in the CSR. Without a valid CSR
        file, I
        can't request for new Verisign certs. Did I miss something?

        Originally I once tried to change the default certificate for
        Web Admin console) ONLY to the Verisign one, by adding the
        to the /etc/httpd/alias database with the command:
          # ipa-server-certinstall -w --http_pin=test verisign.pk12
        And updated the nss.conf for httpd, so that the new Nickname is
        used to
        point to the Verisign certs. That worked well for the website.
        the IPA client installation failed after that for the

        ERROR Joining realm failed: libcurl failed to execute the HTTP POST
        transaction, explaining:  Peer's certificate issuer has been
        marked as
        not trusted by the user.

        Even I tried to also update the certificate for the Directory
        service(ipa-server-certinstall -d ... ), the client installation
        failed. I believe the new Verisign cert messed up the
        communication of
        the IPA components. Then I am thinking to install the IPA server
        scratch with the Verisign cert, but then I hit the CSR problem

        Please advise. Thanks!

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to