Joshua Ruybal wrote:

I'm trying to add 3rd party certs for the webgui and ldap as documented

I'm able to add the CA cert.

Then add the chained cert and key via ipa-server-certinstall tool.
However when I try to restart httpd, it fails and I get the following
error in the logs.

[Wed Oct 12 12:45:47.760525 2016] [suexec:notice] [pid 2598] AH01232:
suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Wed Oct 12 12:45:47.760648 2016] [ssl:warn] [pid 2598] AH01916: Init:
( <>) You
configured HTTP(80) on the standard HTTPS(443) port!
[Wed Oct 12 12:45:47.760683 2016] [:warn] [pid 2598]
NSSSessionCacheTimeout is deprecated. Ignoring.
[Wed Oct 12 12:45:47.940329 2016] [:error] [pid 2598] SSL Library Error:
-8102 Certificate key usage inadequate for attempted operation.
[Wed Oct 12 12:45:47.940367 2016] [:error] [pid 2598] Unable to verify
certificate 'Signing-Cert'. Add "NSSEnforceValidCerts off" to nss.conf
so the server can start until the problem can be resolved.

I've looked into the key, but everything seems to work as expected.

Has anyone seen this before?

CentOS 7.2

You set NSSNickname to Signing-Cert? What is the nickname of the cert you imported?

# certutil -L -d /etc/httpd/alias


Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to