Thanks for your response:
> Yes, but which cert did you provide, the root CA contoso.com or the subordinate CA local.dc?
Actually I was using Active Directory's certificate with the --cacert switch in ipa-replica-manage.
Thanks to the info you gave me about NSS, I changed the approach.
First: using certutil, I manually added the root CA (contoso.com) and subordinate (local.dc) certificates to the /etc/dirsrv/slapd-REALM database:
# certutil -A -d /etc/dirsrv/slapd-YOUR-REALM -n "contoso.com CA" -t CT,, -a -i /path/to/contoso.pem
# certutil -A -d /etc/dirsrv/slapd-YOUR-REALM -n "local.dc CA" -t CT,, -a -i /path/to/localdc.pem
Then, following the same approach, I added Active Directory's certificate to the same db:
# certutil -A -d /etc/dirsrv/slapd-YOUR-REALM -n "active directory CA" -t ,, -a -i /path/to/ad.cer
Note: since the original certificates were in .cer format and that is the same as .pem, I just renamed the certificates to .pem.
Now my db has 5 certificates in it:
b) Subordinate CA (local.dc): issued to local.dc by contoso.com
c) Active Directory CA (ad): issued to Active Directory by local.dc
d) IPA certificate: issued to the IPA server by local.dc
e) localhost certificate: issued to localhost by the IPA server's internal CA.
Finally I ran ipa-replica-manage:
- using the contoso.com CA in --cacert, it says TLS error -8179: Peer's Certificate issuer is not recognized
- using the local.dc CA in --cacert, it says TLS error -8157: Certificate extension not found.
- using the Active Directory CA in --cacert, it says TLS error -8179: Peer's Certificate issuer is not recognized
I would be glad if you could help me more with this issue!
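One check worth running after a sequence of certutil -A imports like the one above is to confirm that every CA entry in the NSS database actually carries the "C" (trusted CA for SSL) flag, since an entry imported with "-t ,," is stored but not trusted and will still leave the peer's issuer unrecognized. The following is an added example, not part of the original thread or of FreeIPA/389-ds: it is a POSIX sh/awk function that reads the output of `certutil -L -d /etc/dirsrv/slapd-YOUR-REALM` on stdin and flags CA entries whose SSL trust slot lacks "C". The listing embedded in SAMPLE_LISTING is constructed to mirror the entries described in the message, not captured from a real database.

```shell
#!/bin/sh
# check_nss_ca_trust: read `certutil -L -d <dbdir>` output on stdin and report
# every CA entry whose SSL trust slot (first of "SSL,S/MIME,JAR/XPI") lacks "C".
# Prints "<nickname>: ok" or "<nickname>: NOT TRUSTED (<flags>)" per CA entry.
# Entries with "u" in the SSL slot are our own certs with a private key and are skipped.
# Exit status: 0 if every CA entry carries C, 1 otherwise.
check_nss_ca_trust() {
    awk '
        # skip the two header lines certutil -L prints, and blank lines
        /^Certificate Nickname/ || /^[ \t]*SSL,S\/MIME/ || /^[ \t]*$/ { next }
        {
            flags = $NF                                 # trust column, e.g. "CT,," or ",,"
            nick = $0
            sub(/[ \t]+[^ \t]*$/, "", nick)             # strip trailing trust column -> nickname
            split(flags, slot, ",")
            ssl = slot[1]                               # SSL trust slot only
            if (ssl ~ /u/) next                         # user cert (has private key), not a CA
            if (ssl ~ /C/) { print nick ": ok" }
            else { print nick ": NOT TRUSTED (" flags ")"; bad = 1 }
        }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed sample listing (hypothetical values, modelled on the entries in the message):
# root CA and subordinate CA imported with CT,, ; the AD CA imported with ,, ; one server cert.
SAMPLE_LISTING='Certificate Nickname                        Trust Attributes
                                            SSL,S/MIME,JAR/XPI

contoso.com CA                              CT,,
local.dc CA                                 CT,,
active directory CA                         ,,
Server-Cert                                 u,u,u'

# Usage against a real database would be:
#   certutil -L -d /etc/dirsrv/slapd-YOUR-REALM | check_nss_ca_trust
# Here we run it over the constructed listing instead.
printf '%s\n' "$SAMPLE_LISTING" | check_nss_ca_trust || echo "at least one CA entry is not trusted for SSL"
```

Any CA the server certificate chains through, the subordinate included, needs the "C" flag in the SSL slot; an entry stored with ",," only makes the certificate present in the database, it does not make NSS accept it as an issuer.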