Re: [Freeipa-users] Using 3rd party certificates for HTTP/LDAP (again) (SOLVED)

2016-07-06 Thread Bjarne Blichfeldt
The solution was to add the root certificate to tomcat:  
/var/lib/pki/pki-tomcat/alias/
Now everything seems to work.


Regards
Bjarne



From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Bjarne Blichfeldt
Sent: 23 June 2016 13:40
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Using 3rd party certificates for HTTP/LDAP (again)

Following this thread from January:
https://www.redhat.com/archives/freeipa-users/2016-January/msg00223.html
I am trying to accomplish the same, but I seem to be stuck.

My environment is:
# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.2 (Maipo)

# ipa ping
---
IPA server version 4.2.0. API version 2.156
---
# rpm -qa | grep ipa-server
ipa-server-4.2.0-15.el7_2.15.x86_64


Like the OP, I have both a RootCA and a subCA, but I can't figure out how to 
install them. ipa-cacert-manage does not work (known bug).

I am testing by changing the server certificate for ldaps on an IPA replica and 
then running "ldapwhoami" and "ipa-replica-manage -v list" from the master IPA 
against the replica, but the replica's server certificate is never accepted due 
to the missing root certificate.

The problem is how to install the root certificates.
I have tried:
Copying the root certificates to /etc/pki/ca-trust/source/anchors and running 
update-ca-trust - no go.

Installed the root CAs in all the NSS databases I could think of:
DIR="/etc/httpd/alias /etc/dirsrv/slapd-DNREST-DCBSYS-NET /etc/ipa/nssdb /etc/pki/nssdb"
for dir in $DIR ; do
    # -a: the input files are PEM (base64), not DER; -t CT,T,T: trusted CA
    certutil -d "$dir" -A -a -n ECBsubCA  -i subCA-sha256.pem  -t CT,T,T
    certutil -d "$dir" -A -a -n ECBrootCA -i rootCA-sha256.pem -t CT,T,T
done

Also no go.

I am out of ideas now.


--
Regards,
Bjarne

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
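The fix above came down to one NSS database that the import loop had not covered: pki-tomcat keeps its own trust store in /var/lib/pki/pki-tomcat/alias, so the CA chain has to be present there as well as in the httpd, dirsrv and ipa databases. The script below is an added example, not code from the thread or from FreeIPA; it audits every NSS database a FreeIPA 4.2 server on RHEL 7 reads from, reports the ones in which a given nickname is not a trusted CA for SSL, and can import the chain where it is missing. It assumes the poster's directory-server instance name (DNREST-DCBSYS-NET), the poster's nicknames (ECBrootCA, ECBsubCA) and PEM file names, and the RHEL 7 paths; adjust them for your server.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA). Assumed: RHEL 7 / IPA 4.2
# NSS database paths, the dirsrv instance DNREST-DCBSYS-NET, and the poster's
# nicknames and PEM files. Run on the replica as root.

# NSS databases that FreeIPA 4.2 components take trust anchors from.
# /var/lib/pki/pki-tomcat/alias is the one the poster had missed.
NSSDBS="/etc/httpd/alias
/etc/dirsrv/slapd-DNREST-DCBSYS-NET
/etc/ipa/nssdb
/etc/pki/nssdb
/var/lib/pki/pki-tomcat/alias"

# has_ca_trust LISTING NICK
# LISTING is the text printed by `certutil -L -d <db>`. Succeeds only if NICK
# is present AND its SSL trust column carries C (trusted CA for server certs).
# A cert that is merely present (",,") or marked "c" (valid CA, not trusted)
# does not make a peer's LDAPS/HTTPS certificate verify, so it counts as missing.
has_ca_trust() {
    printf '%s\n' "$1" | awk -v nick="$2" '
        NF >= 2 {
            trust = $NF                              # e.g. CT,C,C  or  u,u,u  or  ,,
            name = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)    # drop the trust column
            sub(/^[ \t]+/, "", name)                 # nicknames may contain spaces
            if (name == nick) {
                split(trust, col, ",")
                if (index(col[1], "C") > 0) found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# audit_dbs NICK: print each existing NSS database in which NICK is not a trusted CA.
audit_dbs() {
    for db in $NSSDBS; do
        # cert8.db is the dbm format used on RHEL 7; cert9.db is the sqlite format
        if [ -f "$db/cert8.db" ] || [ -f "$db/cert9.db" ]; then
            listing=$(certutil -L -d "$db" 2>/dev/null)
            has_ca_trust "$listing" "$1" || printf '%s\n' "$db"
        fi
    done
}

# import_chain DB: install the root as a trusted CA and the sub CA as a plain
# chain member. Only the root carries trust; the intermediate just has to be
# available so NSS can build the chain from the server certificate to the root.
# -a tells certutil the input is PEM rather than DER.
import_chain() {
    certutil -d "$1" -A -a -n ECBrootCA -i rootCA-sha256.pem -t CT,C,C
    certutil -d "$1" -A -a -n ECBsubCA  -i subCA-sha256.pem  -t ,,
}

# Usage:  sh audit-nssdb.sh          report only
#         sh audit-nssdb.sh --fix    report and import, then run `ipactl restart`
if command -v certutil >/dev/null 2>&1; then
    for db in $(audit_dbs ECBrootCA); do
        echo "ECBrootCA is not a trusted CA in $db"
        [ "${1:-}" = "--fix" ] && import_chain "$db"
    done
fi
```

After importing, restart the services with `ipactl restart` so dirsrv, httpd and pki-tomcatd reopen their databases, then repeat the "ldapwhoami" / "ipa-replica-manage -v list" test from the master. Trusting the root with CT,C,C and leaving the sub CA at ",," is a deliberate narrowing of the poster's CT,T,T on both: verification still succeeds through the intermediate, but the trust decision lives in one anchor.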
