[Freeipa-users] Public CA signed Certificate import failure

James Roman james_roman at ssaihq.com
Fri Jul 17 14:41:35 UTC 2009


First off, thanks Rob for the direction on creating a certificate. After 
reading up on Mozilla's NSS, I think I've got a pretty fair grounding.

So I successfully generated a CSR and had it signed. I imported my 
certificate and CA chain into the NSS database and exported it to a 
PKCS12 cert. I am primarily concerned with using the public cert on the 
HTTP interface. However, when I go to import it using 
ipa-server-certificate, it chokes on the names in the CA certificate 
chain. (One of the certs uses a full website address for the name.) I can 
manually import each of the certificates in the CA chain using certutil 
on the /etc/httpd/alias directory.

Will this work?
Are there any other configuration changes that I need to make the http 
interface function properly (like changes in the nss.conf)?
What about manually modifying the directory server 
(/etc/dirsrv/slapd-KRBDOMAIN)?



