The problem is the encoding of the certificate subject, some CA use UTF-8 (like EJBCA), contrariwise NSS create certificates with subject in ASCII.
The error occurs during the installation on the step "issuing RA agent certificate", when sslget try to use the TLS certificate "ipa-ca-agent" and fail with error code "-12195". This error (SSL_ERROR_UNKNOWN_CA_ALERT) means that "ipa-ca-agent" is signed by a missing CA. If you open the NSS database used by sslget you can see the correct CA chain, but you can't follow this chain from "ipa-ca-agent", this is the cause of the error explained above. NSS for follow the chain make a bit-to-bit compare to the derSubject and derIssuer fields, but can't match because one is in UTF-8 and other is in ASCII. For fix, you must use the old mode (PrintableString) for sign the FreeIPA sub-ca certificate, in EJBCA just make a new root CA with the option "PrintableString encoding in DN" enabled. Thanks for the help. Andrea Bontempi _______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
