[Freeipa-users] Sync IPA and AD while using external CA

Rob Crittenden rcritten at redhat.com
Wed Oct 28 13:50:46 UTC 2015


mitra dehghan wrote:
> hello,
> I want to implement an IPA server and sync it with my 2012 MS AD. While
> things go well using an internal CA in each server, I came across a kind
> of problem when I want to integrate the solution with my PKI, which is already
> serving the AD server.
> I can install IPA with the --external-ca switch, but when it comes to the sync
> agreement it says "TLS error -8179:Peer's Certificate issuer is not
> recognized."
> 
> The architecture is:
> - There is a root CA named contoso.com
> - There is a subordinate CA named local.dc
> - The certificates of AD and IPA server are both issued by local.dc
> - IPA's certificate is issued based on the CSR file generated by
> ipa-server-install 
> - I have copied both certificates into the /etc/openldap/certs directory and
> the rest was the same as what I did in the internal CA scenario.
> 
> While the FreeIPA docs say both servers must have internal CAs, I need
> to integrate the solution with the available PKI.
> I would be glad to hear suggestions on whether this scenario is applicable and
> what is wrong there.
> Thank you.

389-ds doesn't use /etc/openldap/certs.

What cert are you passing in when creating the winsync agreement using
ipa-replica-manage?

You may need/want to add these certs to the IPA 389-ds NSS database
prior to setting up the agreement.

rob
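The import Rob suggests, as an added example that is not part of this thread or of FreeIPA itself: it trusts the external root and subordinate CAs in the NSS database of the IPA 389-ds instance, checks the resulting trust flags from the certutil listing, restarts IPA and then creates the winsync agreement. The realm EXAMPLE.COM, the PEM paths under /root, the certificate nicknames, the AD host and bind DN, and the password variables are all assumptions for illustration; the certutil listing embedded in the script is constructed so the parsing part can be exercised without a server.

```shell
#!/bin/sh
# Added example (not from this thread or from FreeIPA): trust an external root
# CA and its subordinate CA in the NSS database of the IPA 389-ds instance, check
# the trust flags, then create the winsync agreement. Realm, file paths,
# nicknames, AD host and bind DN below are assumptions for illustration.

set -e

# 389-ds names the IPA instance after the realm, with dots replaced by dashes.
ipa_dirsrv_nssdb() {
    printf '/etc/dirsrv/slapd-%s\n' "$(printf '%s' "$1" | sed 's/\./-/g')"
}

# Import one PEM certificate as a trusted CA. Trust "CT,," marks it as a valid
# CA for SSL server certs (C) and a trusted CA for client auth (T); the S/MIME
# and code-signing slots stay empty.
import_ca() {
    nssdb=$1; nick=$2; pem=$3
    certutil -A -d "$nssdb" -n "$nick" -t "CT,," -a -i "$pem"
}

# Given the text of `certutil -L -d <db>`, print the SSL trust flags of a
# nickname (nicknames may contain spaces; the flags are always the last field).
# Prints nothing if the nickname is absent.
nss_ssl_trust() {
    printf '%s\n' "$1" | awk -v nick="$2" '
        NF >= 2 {
            t = $NF; $NF = ""; sub(/[ \t]+$/, "")
            if ($0 == nick) { split(t, a, ","); print a[1]; exit }
        }'
}

# Succeed only if the nickname is present and carries the C (valid CA) flag;
# a server cert ("u,u,u") or a missing CA both fail.
nss_is_trusted_ca() {
    case "$(nss_ssl_trust "$1" "$2")" in
        *C*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Constructed sample of `certutil -L` output, used to exercise the parser offline.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
EXAMPLE.COM IPA CA                                           CT,C,C
local.dc sub CA                                              CT,,'

main() {
    realm=${1:-EXAMPLE.COM}     # assumed realm
    ad_host=${2:-ad.local.dc}   # assumed AD hostname
    db=$(ipa_dirsrv_nssdb "$realm")

    # Root first, then the subordinate that issued both the AD and IPA certs.
    import_ca "$db" "contoso.com root CA" /root/contoso-root.pem   # assumed path
    import_ca "$db" "local.dc sub CA"     /root/local-dc-sub.pem   # assumed path

    listing=$(certutil -L -d "$db")
    for n in "contoso.com root CA" "local.dc sub CA"; do
        nss_is_trusted_ca "$listing" "$n" || { echo "$n is not trusted as a CA" >&2; exit 1; }
    done

    ipactl restart

    # --cacert is the CA certificate used to validate the AD server's
    # certificate, here the issuing subordinate (assumed bind DN and passwords
    # taken from the environment).
    ipa-replica-manage connect --winsync \
        --binddn 'cn=Administrator,cn=Users,dc=local,dc=dc' \
        --bindpw "$AD_BIND_PW" --passsync "$PASSSYNC_PW" \
        --cacert /root/local-dc-sub.pem "$ad_host"
}

# Only act on a real IPA server; sourcing the file just defines the functions.
if [ -n "${IPA_WINSYNC_RUN:-}" ]; then main "$@"; fi
```

Run it on the IPA server as root with IPA_WINSYNC_RUN=1 and the two password variables exported. The trust check is the part worth keeping: "Peer's Certificate issuer is not recognized" (-8179) is exactly what 389-ds reports when the AD server's certificate chains to an issuer that is absent from its own NSS database, so confirming the C flag on both CAs before creating the agreement separates a trust-store problem from a certificate or hostname problem.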
