[Freeipa-devel] [freeipa] #3668: CA-less install fails when intermediate CA is used
John Dennis
jdennis at redhat.com
Fri Jun 7 13:17:57 UTC 2013
On 06/07/2013 08:57 AM, Jan Cholasta wrote:
> Yes, this is correct. The DS certificate must be directly signed by the
> CA trusted by IPA (specified by --root-ca-cert in ipa-server-install),
> there may be no intermediate CAs, because ldapsearch and friends and
> python-ldap don't like them.
That doesn't sound right. Do we understand why a chain length > 1 is
failing?
John
More information about the Freeipa-devel
mailing list