Re: [Freeipa-users] bad certificate used to sign freeipa
On Fri, Mar 10, 2017 at 01:16:42PM +0100, Harald Dunkel wrote:
> Hi folks,
>
> I stumbled over this problem:
>
> http://openbsd-archive.7691.n7.nabble.com/Certificate-Error-quot-format-error-in-certificate-s-notAfter-field-quot-td304262.html
>
> The details don't really matter. The important point is that
> the root certificate used to sign freeipa's certificate
> appears to be unacceptable on openBSD and maybe others.
>
> What would you suggest? Is there a guideline to migrate
> freeipa to a new certificate authority?
>
>
> Every helpful comment is highly appreciated
> Harri
>

The issue in that thread was resolved. It was caused by invalid encoding of the notAfter field. I think OpenBSD uses LibreSSL in their base system - and I guess it adheres more strictly to RFC 5280 than other implementations.

As for migrating to a new CA (or merely installing a newer certificate for the original CA, with correct encoding), you can do it via ipa-cacert-manage(1).

Cheers,
Fraser

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
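As an added illustration of the RFC 5280 encoding rules Fraser refers to (this is example code, not part of the thread or of FreeIPA), the following stdlib-only Python checker inspects the DER encoding of a single notBefore/notAfter field and reports deviations from section 4.1.2.5 that a strict implementation such as LibreSSL may reject. The sample encodings are constructed here; the thread does not show the actual malformed bytes from the OpenBSD report.

```python
import re
from datetime import datetime

UTCTIME, GENERALIZEDTIME = 0x17, 0x18  # ASN.1 universal tags of the Time CHOICE
def read_tlv(der: bytes):
    """Split one definite-length DER TLV into (tag, value bytes)."""
    tag, first = der[0], der[1]
    if first < 0x80:                       # short-form length
        length, off = first, 2
    else:                                  # long form: low 7 bits = number of length bytes
        n = first & 0x7F
        length, off = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if off + length != len(der):
        raise ValueError("TLV length does not match the buffer")
    return tag, der[off:off + length]

def check_rfc5280_time(der: bytes) -> list:
    """Return RFC 5280 section 4.1.2.5 violations in one notBefore/notAfter TLV ([] = conformant)."""
    tag, raw = read_tlv(der)
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return ["time value is not ASCII"]
    if tag == UTCTIME:
        # UTCTime MUST be YYMMDDHHMMSSZ: seconds present, 'Z' suffix, no numeric offset
        if not re.fullmatch(r"\d{12}Z", text):
            return [f"UTCTime {text!r} is not in YYMMDDHHMMSSZ form"]
        yy = int(text[:2])
        full = f"{1900 + yy if yy >= 50 else 2000 + yy}{text[2:]}"  # RFC 5280 two-digit year rule
    elif tag == GENERALIZEDTIME:
        # GeneralizedTime MUST be YYYYMMDDHHMMSSZ (no fractions) and is only allowed from 2050 on
        if not re.fullmatch(r"\d{14}Z", text):
            return [f"GeneralizedTime {text!r} is not in YYYYMMDDHHMMSSZ form"]
        if int(text[:4]) < 2050:
            return ["dates through 2049 MUST be encoded as UTCTime, not GeneralizedTime"]
        full = text
    else:
        return [f"unexpected tag 0x{tag:02x} for a Time value"]
    try:
        datetime.strptime(full, "%Y%m%d%H%M%SZ")  # rejects impossible dates such as 30 February
    except ValueError:
        return [f"{text!r} is not a valid calendar time"]
    return []

# Constructed sample encodings (not the bytes from the OpenBSD report), all for 2027-03-10 13:16:42
GOOD_UTC = b"\x17\x0d" + b"270310131642Z"
NO_SECONDS = b"\x17\x0b" + b"2703101316Z"         # seconds omitted
OFFSET_UTC = b"\x17\x11" + b"270310131642+0100"   # numeric offset instead of 'Z'
WRONG_TYPE = b"\x18\x0f" + b"20270310131642Z"     # GeneralizedTime used for a pre-2050 date
GOOD_GEN = b"\x18\x0f" + b"20500101000000Z"       # GeneralizedTime is correct from 2050 on
```

To check a real certificate, extract the notAfter TLV from the Validity SEQUENCE with any DER decoder and pass its raw bytes to check_rfc5280_time.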
Re: [Freeipa-users] bad certificate used to sign freeipa
Hi,

Which 'FreeIPA certificate' are you referring to?

If you installed FreeIPA CA-less, then the root certificate was used to sign LDAP and HTTPd certificates and you can follow this page [1] to use a different CA and replace LDAP and HTTPd certs.

If you installed IPA with an integrated CA, then the root certificate was used to sign IPA CA certificate, and the other certificates used by FreeIPA were signed by IPA CA. In this case you would have to replace IPA CA with [2] and then renew LDAP and HTTPd certificates [3].

Flo

[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/third-party-certs-http-ldap.html
[2] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/cert-renewal.html#manual-cert-renewal-ext
[3] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/replace-HTTP-LDAP-cert.html

On 03/10/2017 01:16 PM, Harald Dunkel wrote:
> Hi folks,
>
> I stumbled over this problem:
>
> http://openbsd-archive.7691.n7.nabble.com/Certificate-Error-quot-format-error-in-certificate-s-notAfter-field-quot-td304262.html
>
> The details don't really matter. The important point is that
> the root certificate used to sign freeipa's certificate
> appears to be unacceptable on openBSD and maybe others.
>
> What would you suggest? Is there a guideline to migrate
> freeipa to a new certificate authority?
>
> Every helpful comment is highly appreciated
> Harri
[Freeipa-users] bad certificate used to sign freeipa
Hi folks,

I stumbled over this problem:

http://openbsd-archive.7691.n7.nabble.com/Certificate-Error-quot-format-error-in-certificate-s-notAfter-field-quot-td304262.html

The details don't really matter. The important point is that
the root certificate used to sign freeipa's certificate
appears to be unacceptable on openBSD and maybe others.

What would you suggest? Is there a guideline to migrate
freeipa to a new certificate authority?

Every helpful comment is highly appreciated
Harri