On 09/29/2016 11:43 AM, beeth beeth wrote:
Thanks for the quick response Florence!
My goal is the use a 3rd party certificate(such as Verisign cert) for
Web UI(company security requirement), in fact we are not required to use
3rd party certificate for the LDAP server, but as I mentioned earlier, I
couldn't make the new Verisign cert to work with the Web UI, without
messing up the IPA function(after I updated the nss.conf to use the new
cert in the /etc/httpd/alias db, the ipa_client_install failed). So I
tried to follow the Redhat instruction, to see if I can get the Verisign
cert installed at the most beginning, without using FreeIPA's
own/default certificate), but I got the CSR question.
I did install IPA without a CA, by following the instruction at
but failed to restart HTTPD. When and how can I provide the 3rd-party
certificate? Could you please point me a document about the detail?
you need first to clarify if you want FreeIPA to act as a CA or not. The
setup will depend on this choice.
- option a) FreeIPA with an embedded CA:
you can install FreeIPA with a self-signed CA, then follow the
in order to replace the WebUI certificate. Please note that there were
some bugs in ipa-server-certinstall, preventing httpd from starting
(Ticket #4786 ). The workaround is to manually update nss.conf (as
you did) and manually import the CA certificate into
/etc/pki/pki-tomcat/alias, for instance with
$ certutil -A -d /etc/pki/pki-tomcat/alias -i cacert.pem -n nickname -t C,,
- option b) Free IPA without CA
the installation instructions are in Installing without a CA . You
will provide the certificate that will be used by both the LDAP server
and the WebUI in the command options.
On Thu, Sep 29, 2016 at 5:25 AM, Florence Blanc-Renaud <f...@redhat.com
The instructions that you followed are used when you want to install
FreeIPA with an embedded Certificate Authority (ie FreeIPA is able
to issue certificates), and FreeIPA CA is signed by a 3rd party CA.
Maybe your goal is just to use a 3rd party certificate for IPA's
LDAP server and Web UI. In this case, you do not need to install
FreeIPA with an embedded CA. You can follow the instructions for
Installing without a CA , where you will need to provide a
Hope this clarifies,
On 09/29/2016 11:03 AM, beeth beeth wrote:
I am trying to set up IPA servers with Verisign certificate, so
Admin Web console can use public signed certificate to meet
security requirement. But when I try to follow Red Hat's
2.3.5. Installing a Server with an External CA as the Root CA,
at the first step it says to generate CSR by adding the
option to the ipa-server-install utility, which does generate a
/root/ipa.csr. However, the ipa-server-install command in fact
ask for Distinguished Name (DN) or the organization info(like
state, etc.), which are required in the CSR. Without a valid CSR
can't request for new Verisign certs. Did I miss something?
Originally I once tried to change the default certificate for
Web Admin console) ONLY to the Verisign one, by adding the
to the /etc/httpd/alias database with the command:
# ipa-server-certinstall -w --http_pin=test verisign.pk12
And updated the nss.conf for httpd, so that the new Nickname is
point to the Verisign certs. That worked well for the website.
the IPA client installation failed after that for the
ERROR Joining realm failed: libcurl failed to execute the HTTP POST
transaction, explaining: Peer's certificate issuer has been
not trusted by the user.
Even I tried to also update the certificate for the Directory
service(ipa-server-certinstall -d ... ), the client installation
failed. I believe the new Verisign cert messed up the
the IPA components. Then I am thinking to install the IPA server
scratch with the Verisign cert, but then I hit the CSR problem
Please advise. Thanks!
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project