[Freeipa-users] exporting ldap certificate

Peter Brown rendhalver at gmail.com
Mon Apr 29 04:59:14 UTC 2013


I finally got this to work.

I managed to get an error message that told me it couldn't check the
revocation of the certificates against a crl.
I tried to find out how to tell java where to find that crl but I
discovered these options instead to tell java to not check a crl.
-Dcom.sun.net.ssl.checkRevocation=false
-Dcom.sun.security.enableCRLDP=false


On 26 April 2013 18:30, Petr Viktorin <pviktori at redhat.com> wrote:

> Hello,
>
>
> On 04/26/2013 07:22 AM, Peter Brown wrote:
>
>> Hi everyone.
>>
>> I am attempting to get Google Apps to sync with FreeIPA and I am having
>> problems getting the sync utility to talk to freeipa.
>> It complains about the ssl cert.
>> I have it setup so it only accepts ssl or tls encrypted connections and
>> I don't want to turn that off.
>> I have imported the ca cert using the jre's keytool but it still refuses
>> to connect.
>> I am getting the impression I need to import the ssl cert for the ldap
>> server into it as well.
>>
>
> The CA cert (/etc/ipa/ca.crt) should be enough, it signs all the other
> certs. Make sure you import it with the right trust level (SSL certificate
> signing). Unfortunately I don't know about jre's keytool so I can't be more
> specific.
>
>> I have no idea which certificate that is and I have no idea how to
>> export it.
>>
>
> Do not do this. You should only explicitly trust the CA cert.
> For example, if you trust the certs explicitly you'd have to re-import
> them one by one when they are renewed.
>
>
>> Can someone please tell me how to do this?
>>
>
> If you really want to:
> There are two certs, one for httpd (Web UI, XMLRPC & JSON APIs), and one
> for the LDAP server.
> To export the httpd server certificate (to PEM):
> $ certutil -L -d /etc/httpd/alias -n Server-Cert -a
> To export the directory server certificate (to PEM):
> $ certutil -L -d /etc/dirsrv/slapd-$INSTANCE_NAME/ -n Server-Cert -a
> But again, you don't need this for what you're trying to do.
>
> --
> Petr³
>
>
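The two JVM flags above switch revocation checking off for the whole client. Where the LDAP client code is your own, the alternative Peter was originally looking for is to keep revocation checking on and hand the JVM the CRL directly, trusting only /etc/ipa/ca.crt as Petr recommends. The class below is an added example, not code from the thread or from FreeIPA or Google's sync tool; the class name, the "ipa-ca" alias and the CRL file path it is given are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CRL;
import java.security.cert.X509CertSelector;
import java.util.Collections;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical helper (not part of the thread): builds an SSLContext for an
// LDAPS client that trusts only the FreeIPA CA and still checks revocation,
// using a CRL file fetched out of band instead of the CRL distribution point.
public final class IpaTrust {
    public static SSLContext build(String caCertPath, String crlPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");

        // Trust store holding only the IPA CA: every IPA server cert chains to it,
        // so the per-server certs (httpd, dirsrv) never need to be imported.
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null);
        try (InputStream in = new FileInputStream(caCertPath)) {
            trust.setCertificateEntry("ipa-ca", cf.generateCertificate(in));
        }

        // The CRL the JVM could not fetch on its own, supplied as a local file.
        X509CRL crl;
        try (InputStream in = new FileInputStream(crlPath)) {
            crl = (X509CRL) cf.generateCRL(in);
        }

        // Revocation stays enabled; the CRL is found in the collection CertStore,
        // so no network lookup of the CRL distribution point is required.
        PKIXBuilderParameters params = new PKIXBuilderParameters(trust, new X509CertSelector());
        params.setRevocationEnabled(true);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(Collections.singletonList(crl))));

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(params));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }
}
```

Pass the returned context's socket factory to the LDAP library in use; a server certificate listed in the CRL is then rejected instead of silently accepted.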