Re: [Freeipa-users] ipa-server-install --external-cert-file and exporting dogtag certificates

2016-08-01 Thread Richard Harmonson
On Mon, Aug 1, 2016 at 10:15 AM, Petr Vobornik wrote: > On 07/31/2016 07:45 AM, Richard Harmonson wrote: > > I am having challenges resuming ipa-server-install --external-ca. I am reasonably confident I am not providing the right certificate and/or format from my

Re: [Freeipa-users] PKI signing certificate question

2016-08-01 Thread Mateusz Małek
William, On 02.08.2016 at 00:41, William Muriithi wrote: > > > > Which external CA would be more open to signing this kind of certificate? > > > > I'm afraid that there is not a single external CA that would sign a request for a CA certificate. (...) > > Understandable. Did speak with them and

Re: [Freeipa-users] PKI signing certificate question

2016-08-01 Thread William Muriithi
Mateusz > > > > Which external CA would be more open to signing this kind of certificate? > > I'm afraid that there is not a single external CA that would sign a request for a CA certificate. They need to make sure that the certificate would not be used for fraudulent purposes (e.g. Man-in-the-Middle

Re: [Freeipa-users] PKI signing certificate question

2016-08-01 Thread Mateusz Małek
William, On 29.07.2016 at 22:27, William Muriithi wrote: > Has anyone here been successful in getting an external CA to sign this kind of certificate? I have just tried to convince DigiCert for 2 days that there is no harm issuing this kind of certificate as long as it's restricted to one

[Freeipa-users] Declarative configuration options?

2016-08-01 Thread Mike LoSapio
Hi there, Is there anyone out there with a good system for storing users, groups, hosts, etc. in some sort of version-controlled repo with flat files that could plug into "two-man" workflows for user-account creation and privilege/group membership changes, etc.? There are some GitHub projects out

Re: [Freeipa-users] Certificate Issues

2016-08-01 Thread Rob Crittenden
Adam Lewis wrote: Yup. I'm currently still sitting back in time. But any time I try to resubmit either the ipaCert or the subsystemCert it errors out. getcert list shows: ca-error: Server at "https://ipa.local.domain:9443/ca/agent/ca/profileProcess" replied: 1: Authentication Error And the

Re: [Freeipa-users] Certificate Issues

2016-08-01 Thread Adam Lewis
Yup. I'm currently still sitting back in time. But any time I try to resubmit either the ipaCert or the subsystemCert it errors out. getcert list shows: ca-error: Server at "https://ipa.local.domain:9443/ca/agent/ca/profileProcess" replied: 1: Authentication Error And the debug log shows:

Re: [Freeipa-users] Certificate Issues

2016-08-01 Thread Rob Crittenden
Adam Lewis wrote: Yup, it's just the text string. I don't know how much this matters but when I ran the start-tracking for the ipaCert it didn't generate a new certificate. I'm still working off of serial number 7, which is what it's been since we installed IPA. Is there some way/reason for me

Re: [Freeipa-users] Certificate Issues

2016-08-01 Thread Adam Lewis
Yup, it's just the text string. I don't know how much this matters but when I ran the start-tracking for the ipaCert it didn't generate a new certificate. I'm still working off of serial number 7, which is what it's been since we installed IPA. Is there some way/reason for me to generate a whole

Re: [Freeipa-users] Certificate Issues

2016-08-01 Thread Rob Crittenden
Adam Lewis wrote: If you mean the usercertificate value from the ldapsearch command, then yes. That value matches the value from the certutil output. The usercertificate in LDAP had the BEGIN/END stripped, right? I'll cc a couple of the dogtag developers to see what they think. rob Thanks

Re: [Freeipa-users] updating certificates

2016-08-01 Thread Josh
Hi Rob, Just a quick summary of my certificate renewal experience. I started with a worst-case scenario assumption - the original CSR and key are no longer available. 1. export old certificate in pkcs12 format pk12util -d /etc/httpd/alias -n 'certificate alias' -o /tmp/ipa.p12 -k

Re: [Freeipa-users] ipa-server-install --external-cert-file and exporting dogtag certificates

2016-08-01 Thread Petr Vobornik
On 07/31/2016 07:45 AM, Richard Harmonson wrote: > I am having challenges resuming ipa-server-install --external-ca. I am reasonably confident I am not providing the right certificate and/or format from my off-line root CA using 389 and Dogtag. > > Does anyone have instructions on how to

Re: [Freeipa-users] Certificate Issues

2016-08-01 Thread Adam Lewis
If you mean the usercertificate value from the ldapsearch command, then yes. That value matches the value from the certutil output. Thanks On Mon, Aug 1, 2016 at 11:18 AM, Rob Crittenden wrote: > Adam Lewis wrote: > >> A quick update. We did some digging on the segfault

Re: [Freeipa-users] Certificate Issues

2016-08-01 Thread Rob Crittenden
Adam Lewis wrote: A quick update. We did some digging on the segfault problem and I think it was due to having to update the trusts on the CA cert. So we updated the certmonger package and certmonger now starts again. However we're kind of back to square one where we are still getting the

Re: [Freeipa-users] Certificate Issues

2016-08-01 Thread Adam Lewis
A quick update. We did some digging on the segfault problem and I think it was due to having to update the trusts on the CA cert. So we updated the certmonger package and certmonger now starts again. However we're kind of back to square one where we are still getting the AUTH_FAIL messages in the

[Freeipa-users] Slow logins with multi site replication

2016-08-01 Thread Neal Harrington | i-Neda Ltd
Hi, I am experiencing slow logins and sudo authentication for servers joined to my FreeIPA domain. I have been following the other recent thread on slow logins and believe my issue is different. I have replication setup with 2 FreeIPA servers at each of 3 sites. The replication is working

Re: [Freeipa-users] certificates expired - won't renew

2016-08-01 Thread Rob Crittenden
sipazzo wrote: I set time back on the master CA and was able to renew its certs except for one that has yet to expire but should have renewed. I tried to resubmit it but it still does not renew and the status says NEED_CSR_GEN_TOKEN. We do have a GoDaddy cert we use as well but it is still valid. Is it

Re: [Freeipa-users] Certificate Issues

2016-08-01 Thread Adam Lewis
Rob, Thanks for pointing me in the right direction. However after following the instructions in the above mentioned doc I noticed a few things that are odd and have a new problem. The first odd thing I noticed is that when I run service pki-cad status it shows that my PKI Subsystem Type is "CA

Re: [Freeipa-users] Moving from ca to ca-less without pki

2016-08-01 Thread David Kupka
On 29/07/16 15:35, Andreas Ladanyi wrote: Hi, is it simply possible to move from a CA to a CA-less environment in IPA? Because it's OK for me to only use certificates in the web and LDAP components. I use FreeIPA 4.2, Fedora 23. regards, Andreas Hello Andreas! There is no tool that would do

Re: [Freeipa-users] slow login with freeipa 4.2.0

2016-08-01 Thread Petr Spacek
On 1.8.2016 09:08, Jakub Hrozek wrote: > On Sat, Jul 30, 2016 at 02:02:56PM +0530, Rakesh Rajasekharan wrote: >> Thanks Jakub for the detailed analysis... with those inputs, I was able to >> nail down the issue. >> >> I had migrated this host from openldap to freeipa. However, the nslcd daemon >>

Re: [Freeipa-users] slow login with freeipa 4.2.0

2016-08-01 Thread Jakub Hrozek
On Sat, Jul 30, 2016 at 02:02:56PM +0530, Rakesh Rajasekharan wrote: > Thanks Jakub for the detailed analysis... with those inputs, I was able to > nail down the issue. > > I had migrated this host from openldap to freeipa. However, the nslcd daemon > was still running and the syslog pointed me to