On Mon, Aug 1, 2016 at 10:15 AM, Petr Vobornik wrote:
> On 07/31/2016 07:45 AM, Richard Harmonson wrote:
> > I am having challenges resuming ipa-server-install --external-ca. I am
> > reasonably confident I am not providing the right certificate and/or
> > format from my
> >
William,
On 02.08.2016 at 00:41, William Muriithi wrote:
>
> > > Which external CA would be more open to signing this kind of certificate?
> >
> > I'm afraid that there is not a single external CA that would sign request for CA certificate. (...)
>
> Understandable. Did speak with them and
Mateusz
> >
> > Which external CA would be more open to signing this kind of certificate?
>
> I'm afraid that there is not a single external CA that would sign request
> for CA certificate. They need to make sure that certificate would not be
> used for fraudulent purposes (for e.g. Man-in-the-Middle
William,
On 29.07.2016 at 22:27, William Muriithi wrote:
> Has anyone here been successful in getting external CA to sign this
> kind of certificate? I have just tried to convince DigiCert for 2 days
> that there is no harm issuing this kind of certificate as long as it's
> restricted to one
Hi there,
Is there anyone out there with a good system for storing users,
groups, hosts, etc.. in some sort of version controlled repo w/ flat
files that could plug into "two-man" workflows for user-account
creation and privilege/group membership changes, etc.
There's some github projects out
Adam Lewis wrote:
Yup. I'm currently still sitting back in time. But any time I try to
resubmit either the ipaCert or the subsystemCert it errors out.
getcert list shows :
ca-error: Server at
"https://ipa.local.domain:9443/ca/agent/ca/profileProcess; replied: 1:
Authentication Error
And the
Yup. I'm currently still sitting back in time. But any time I try to
resubmit either the ipaCert or the subsystemCert it errors out.
getcert list shows :
ca-error: Server at "
https://ipa.local.domain:9443/ca/agent/ca/profileProcess; replied: 1:
Authentication Error
And the debug log shows:
Adam Lewis wrote:
Yup, It's just the text string. I don't know how much this matters but
when I ran the start-tracking for the ipaCert it didn't generate a new
certificate. I'm still working off of serial number 7, which is what
it's been since we installed IPA. Is there some way/reason for me
Yup, It's just the text string. I don't know how much this matters but when
I ran the start-tracking for the ipaCert it didn't generate a new
certificate. I'm still working off of serial number 7, which is what it's
been since we installed IPA. Is there some way/reason for me to generate a
whole
Adam Lewis wrote:
If you mean the usercertificate value from the ldapsearch command, then
yes. That value matches the value from the certutil output.
The usercertificate in LDAP had the BEGIN/END stripped, right?
I'll cc a couple of the dogtag developers to see what they think.
rob
Thanks
Hi Rob,
Just a quick summary on my certificate renew experience.
I started with a worst case scenario assumption - original CSR and key
is no longer available.
1. export old certificate in pkcs12 format
pk12util -d /etc/httpd/alias -n 'certificate alias' -o /tmp/ipa.p12 -k
On 07/31/2016 07:45 AM, Richard Harmonson wrote:
> I am having challenges resuming ipa-server-install --external-ca. I am
> reasonably confident I am not providing the right certificate and/or
> format from my
> off-line root CA using 389 and Dogtag.
>
> Does anyone have instructions on how to
If you mean the usercertificate value from the ldapsearch command, then
yes. That value matches the value from the certutil output.
Thanks
On Mon, Aug 1, 2016 at 11:18 AM, Rob Crittenden wrote:
> Adam Lewis wrote:
>
>> A quick update. We did some digging on the segfault
Adam Lewis wrote:
A quick update. We did some digging on the segfault problem and I think
it was due to having to update the trusts on the CA cert. So we updated
the certmonger package and certmonger now starts again.
However we're kind of back to square one where we are still getting the
A quick update. We did some digging on the segfault problem and I think it
was due to having to update the trusts on the CA cert. So we updated the
certmonger package and certmonger now starts again.
However we're kind of back to square one where we are still getting the
AUTH_FAIL messages in the
Hi,
I am experiencing slow logins and sudo authentication for servers joined to my
FreeIPA domain. I have been following the other recent thread on slow logins
and believe my issue is different.
I have replication setup with 2 FreeIPA servers at each of 3 sites. The
replication is working
sipazzo wrote:
I set time back on master ca and was able to renew its certs except for
one that has yet to expire but should have renewed. I tried to resubmit
it but it still does not renew and status says NEED_CSR_GEN_TOKEN. We do
have a go daddy cert we use as well but it is valid still. Is it
Rob,
Thanks for pointing me in the right direction. However after following the
instructions in the above mentioned doc I noticed a few things that are odd
and have a new problem. The first odd thing I noticed is that when I run
service pki-cad status it shows that my PKI Subsystem Type is "CA
On 29/07/16 15:35, Andreas Ladanyi wrote:
Hi,
Is it simply possible to move from ca to a ca-less environment in ipa?
Because it's ok for me to only use certificates in web and ldap
components. I use freeipa 4.2 , fedora 23.
regards,
Andreas
Hello Andreas!
There is no tool that would do
On 1.8.2016 09:08, Jakub Hrozek wrote:
> On Sat, Jul 30, 2016 at 02:02:56PM +0530, Rakesh Rajasekharan wrote:
>> Thanks Jakub for the detailed analysis... with those inputs, I was able to
>> nail down the issue.
>>
>> I had migrated this host from openldap to freeipa.. However, nslcd daemon
>>
On Sat, Jul 30, 2016 at 02:02:56PM +0530, Rakesh Rajasekharan wrote:
> Thanks Jakub for the detailed analysis... with those inputs, I was able to
> nail down the issue.
>
> I had migrated this host from openldap to freeipa.. However, nslcd daemon
> was still running and the syslog pointed me to