Hi Florance,
I'm actually still investigating this as the following occurs.
I have removed all unneeded certs and installed the 2 intermediates
for Comodo and did an ipa-certupdate which results in this:
#certutil -L -d /etc/httpd/alias
Certificate Nickname                                                    Trust Attributes
                                                                        SSL,S/MIME,JAR/XPI

CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB C,,
AddTrustExternalCARoot                                                  C,,
ipaCert                                                                 u,u,u
COMODORSAAddTrustCA                                                     C,,
COMODORSAAddTrustCA                                                     C,,
IPA.MYDOMAIN.TLD IPA CA                                                 CT,C,C
I'm curious why the COMODORSAAddTrustCA is there twice; if I remove
both and start over, they are duplicated again. Also, the
AddTrustExternalCARoot comes back again even though it was no longer
installed, as it's not needed.
I'm able to install my cert after the update:
#certutil -L -d /etc/httpd/alias
Certificate Nickname                                                    Trust Attributes
                                                                        SSL,S/MIME,JAR/XPI

CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB C,,
AddTrustExternalCARoot                                                  C,,
ipaCert                                                                 u,u,u
COMODORSAAddTrustCA                                                     C,,
COMODORSAAddTrustCA                                                     C,,
IPA.MYDOMAIN.TLD IPA CA                                                 CT,C,C
CN=*.ipa.mydomain.tld,OU=PositiveSSL Wildcard,OU=Domain Control Validated u,u,u
Now this works great for the WebGUI, which uses the right certificate
for the SSL connection, but LDAPS on port 636 seems to use:
CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
Do you have any clue about this?
I'm also curious about what IPA syncs between all hosts; it seems to
be only the intermediate certs and not the installed domain
certificate. Does this need to be installed manually after a local
#ipa-certupdate on each node?
I hope you can clarify this.
Thanks,
Matt
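As an added example (not part of Matt's mail or of FreeIPA itself), the following POSIX shell helpers parse certutil -L output to list nickname/trust-flag pairs and report duplicate nicknames like the doubled COMODORSAAddTrustCA above, and compare the leaf certificate a TLS service actually presents on two ports (443 vs 636). The sample listing is constructed from the thread, the hostname is a placeholder, and the port comparison assumes an openssl binary is installed.

```shell
#!/bin/sh
# Constructed sample, mirroring the certutil -L listing quoted in the thread.
SAMPLE=$(cat <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB C,,
AddTrustExternalCARoot                                       C,,
ipaCert                                                      u,u,u
COMODORSAAddTrustCA                                          C,,
COMODORSAAddTrustCA                                          C,,
IPA.MYDOMAIN.TLD IPA CA                                      CT,C,C
EOF
)

# Read certutil -L output on stdin and print "nickname<TAB>trustflags" per entry.
# Nicknames may contain spaces, so the trust flags are taken as the final
# whitespace-separated token (three comma-separated flag groups).
list_entries() {
    awk '
        NF == 0 || /^Certificate Nickname/ || /SSL,S\/MIME,JAR\/XPI/ { next }
        $NF ~ /^[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*$/ {
            nick = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)
            print nick "\t" $NF
        }'
}

# Print each nickname that occurs more than once in the database listing.
dup_nicknames() {
    list_entries | cut -f1 | sort | uniq -d
}

# Network check (not run here): subject of the leaf certificate a TLS
# endpoint presents, so the HTTPS (443) and LDAPS (636) answers can be compared.
presented_cert_subject() {
    host=$1; port=$2
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null |
        openssl x509 -noout -subject
}

# Offline usage against the constructed sample: live use would be
#   certutil -L -d /etc/httpd/alias | dup_nicknames
#   presented_cert_subject ipa.example.test 443; presented_cert_subject ipa.example.test 636
printf '%s\n' "$SAMPLE" | dup_nicknames
```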
2017-02-17 0:15 GMT+01:00 Matt . <[email protected]>:
Hi Flo,
Sure I can, I will look through the steps closely tomorrow and will
create some lineup here.
Cheers,
Matt
2017-02-16 23:55 GMT+01:00 Florence Blanc-Renaud <[email protected]>:
On 02/16/2017 09:55 PM, Matt . wrote:
Hi Flo! (if I may call you that, it saves some characters in typing,
but with this extra line it doesn't anymore :))
This works perfectly, thank you very much.
Hi Matt,
glad I could help. What did you do differently that could explain the
failure, though? Maybe the cert installation needs some hardening.
Flo.
No questions further actually :)
Cheers,
Matt
2017-02-16 11:17 GMT+01:00 Florence Blanc-Renaud <[email protected]>: