[Freeipa-users] exporting ldap certificate

Martin Kosek mkosek at redhat.com
Mon May 6 07:07:48 UTC 2013


I am glad you got it working. Just for the record, CRL and OCSP revocation
URIs in FreeIPA v3.1 were flawed; there are relevant fixes in FreeIPA 3.2 that
will make it work again.

More information can be found out in FreeIPA.org wiki:
http://www.freeipa.org/page/V3/Single_OCSP_and_CRL_in_certs

Relevant upstream ticket:
https://fedorahosted.org/freeipa/ticket/3552

Martin

On 04/29/2013 06:59 AM, Peter Brown wrote:
> I finally got this to work.
> 
> I managed to get an error message that told me it couldn't check the revocation
> of the certificates against a crl.
> I tried to find out how to tell java where to find that crl but I
> discovered these options instead to tell java to not check a crl.
> -Dcom.sun.net.ssl.checkRevocation=false
> -Dcom.sun.security.enableCRLDP=false
> 
> 
> On 26 April 2013 18:30, Petr Viktorin <pviktori at redhat.com
> <mailto:pviktori at redhat.com>> wrote:
> 
>     Hello,
> 
> 
>     On 04/26/2013 07:22 AM, Peter Brown wrote:
> 
>         Hi everyone.
> 
>         I am attempting to get Google Apps to sync with FreeIPA and I am having
>         problems getting the sync utility to talk to freeipa.
>         It complains about the ssl cert.
>         I have it setup so it only accepts ssl or tls encrypted connections and
>         I don't want to turn that off.
>         I have imported the ca cert using the jre's keytool but it still refuses
>         to connect.
>         I am getting the impression I need to import the ssl cert for the ldap
>         server into it as well.
> 
> 
>     The CA cert (/etc/ipa/ca.crt) should be enough, it signs all the other
>     certs. Make sure you import it with the right trust level (SSL certificate
>     signing). Unfortunately I don't know about jre's keytool so I can't be more
>     specific.
> 
> 
> 
>         I have no idea which certificate that is and I have no idea how to
>         export it.
> 
> 
>     Do not do this. You should only explicitly trust the CA cert.
>     For example, if you trust the certs explicitly you'd have to re-import them
>     one by one when they are renewed.
> 
> 
>         Can someone please tell me how to do this?
> 
> 
>     If you really want to:
>     There are two certs, one for httpd (Web UI, XMLRPC & JSON APIs), and one
>     for the LDAP server.
>     To export the httpd server certificate (to PEM):
>     $ certutil -L -d /etc/httpd/alias -n Server-Cert -a
>     To export the directory server certificate (to PEM):
>     $ certutil -L -d /etc/dirsrv/slapd-$INSTANCE_NAME/ -n Server-Cert -a
>     But again, you don't need this for what you're trying to do.
> 
>     -- 
>     Petr³
> 
> 
> 
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
> 
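As an added example, not code from this thread or from FreeIPA: a small POSIX shell script that builds a throwaway CA and an LDAP server certificate with openssl (the realm EXAMPLE.TEST, the host name ipa.example.test and every path are made up) and demonstrates the two points argued above. First, the CA certificate alone is the right trust anchor: the same anchor still verifies a renewed server certificate, so nothing has to be re-imported. Second, the revocation error is better fixed by giving the verifier a CRL than by turning revocation checking off with -Dcom.sun.net.ssl.checkRevocation=false, because the disabled check is exactly what would reject a revoked server certificate. openssl verify stands in for the Java/keytool checks here; nothing talks to a real directory server.

```shell
#!/bin/sh
# Added example, not from the freeipa-users thread or the FreeIPA project.
# Everything below is constructed: a throwaway CA, a fake LDAP host name and
# a temporary working directory. Requires only openssl (1.1.1 or newer).
set -eu

WORK="${WORK:-$(mktemp -d)}"
REQ_CNF="$WORK/req.cnf"
CA_CNF="$WORK/ca.cnf"

# Build the CA and the first server certificate, plus the minimal
# 'openssl ca' database that -revoke and -gencrl need.
make_demo_pki() {
  cat > "$REQ_CNF" <<EOF
[ req ]
distinguished_name = dn
prompt             = no
x509_extensions    = ca_ext
[ dn ]
O  = EXAMPLE.TEST
CN = placeholder
[ ca_ext ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -config "$REQ_CNF" -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/O=EXAMPLE.TEST/CN=Certificate Authority" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  # Leaf extensions: a server cert, named for the LDAP host.
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ipa.example.test\n' \
    > "$WORK/leaf.ext"
  issue_server_cert "$WORK/server"
  : > "$WORK/index.txt"
  echo 01 > "$WORK/crlnumber"
  cat > "$CA_CNF" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = $WORK/index.txt
crlnumber        = $WORK/crlnumber
default_md       = sha256
default_crl_days = 1
EOF
}

# Issue a server certificate signed by the demo CA; $1 is the output basename.
# A renewal is just another call: new key, new serial, same issuer.
issue_server_cert() {
  openssl req -new -config "$REQ_CNF" -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=EXAMPLE.TEST/CN=ipa.example.test" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 1 -in "$1.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/leaf.ext" -out "$1.crt" >/dev/null 2>&1
}

# Exit 0 when $2 chains to the anchor(s) in $1 and names the LDAP host:
# the check a Java truststore holding only the CA cert performs.
chain_ok() {
  openssl verify -CAfile "$1" -verify_hostname ipa.example.test "$2" >/dev/null 2>&1
}

# Same check with revocation checking on. With no CRL available (no $3) this
# fails with "unable to get certificate CRL", the class of error the thread
# hit; with a CRL it fails only for certificates listed in it.
crl_check() {
  if [ $# -ge 3 ]; then
    openssl verify -crl_check -CAfile "$1" -CRLfile "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -crl_check -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# Publish the demo CA's CRL to $WORK/ca.crl.
gen_crl() {
  openssl ca -config "$CA_CNF" -gencrl -keyfile "$WORK/ca.key" \
    -cert "$WORK/ca.crt" -out "$WORK/ca.crl" >/dev/null 2>&1
}

# Revoke $1 and publish a fresh CRL that lists it.
revoke_cert() {
  openssl ca -config "$CA_CNF" -revoke "$1" -keyfile "$WORK/ca.key" \
    -cert "$WORK/ca.crt" >/dev/null 2>&1
  gen_crl
}

demo() {
  make_demo_pki
  chain_ok "$WORK/ca.crt" "$WORK/server.crt" && echo "CA anchor verifies server cert: ok"
  issue_server_cert "$WORK/server-renewed"
  chain_ok "$WORK/ca.crt" "$WORK/server-renewed.crt" && echo "same anchor verifies renewed cert: ok"
  crl_check "$WORK/ca.crt" "$WORK/server.crt" || echo "no CRL available: rejected (expected)"
  gen_crl
  crl_check "$WORK/ca.crt" "$WORK/server.crt" "$WORK/ca.crl" && echo "with CRL: ok"
  revoke_cert "$WORK/server.crt"
  crl_check "$WORK/ca.crt" "$WORK/server.crt" "$WORK/ca.crl" || echo "after revocation: rejected (expected)"
}
demo
```

The Java-side equivalent of chain_ok is a truststore that contains only the CA certificate, e.g. keytool -importcert -trustcacerts -alias ipa-ca -file /etc/ipa/ca.crt -keystore <truststore>; the server certificates exported with certutil above never need to go into it. If the CRL distribution point in the server certificate cannot be fetched, as with the flawed URIs in FreeIPA 3.1, the durable fix is to make the CRL reachable (or upgrade), since disabling checkRevocation also removes the rejection shown in the last step.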