[Freeipa-users] Using 3rd party certificates for HTTP/LDAP

Peter Pakos peter at pakos.pl
Fri Jan 15 16:34:38 UTC 2016


On 15/01/2016 15:55, Rob Crittenden wrote:
>> I've re-run ipa-certupdate in verbose mode and I could see that it
>> removes all certificates in different databases (/etc/httpd/alias,
>> /etc/pki/nssdb, /etc/pki/pki-tomcat/alias) and then re-adds them (apart
>> from /etc/pki/pki-tomcat/alias).
>
> Yup, looks like this part is missing. Perhaps the assumption was that
> the CA would be authoritative in this regard.

Is this a bug? Should this be logged somewhere so it can be looked into?

> Updating the CA certs you'd want to add them to LDAP, replacing the
> older ones, and then ipa-certupdate will do the rest. You'd need to run
> this on all clients and servers.

This sounds like a lot of manual work will be involved when it comes to 
renewal.

And without clear and up-to-date information and possibly step-by-step 
instructions the effort needed to get this sorted is doubled.

Please note that it took us many hours to get a 3rd party SSL 
certificate installed (you would think a very simple task). And the 
truth is that without this mailing list and #freeipa channel we would 
still be stuck trying to get to the bottom of this.

-- 
Kind regards,
  Peter Pakos
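As an added example (not part of this thread and not FreeIPA's own tooling), the following POSIX shell script shows the kind of post-ipa-certupdate check discussed above: it parses `certutil -L` listings from several NSS databases and reports which expected CA nicknames are absent, so a database that was emptied but not re-populated (as described for /etc/pki/pki-tomcat/alias) stands out. The nicknames, trust flags and listings used below are constructed; the `check_db` wrapper assumes `certutil` from the NSS tools is installed and the classic `certutil -L -d <dir>` output layout.

```shell
#!/bin/sh
# Added example: verify that each NSS database still holds the expected CA
# certificates after ipa-certupdate. Not FreeIPA code; listing format is the
# classic `certutil -L` layout (two header lines, a blank line, then
# "<nickname>   <trust flags>" rows).

# Print the nicknames from a `certutil -L` listing read on stdin, one per line.
# Everything up to and including the first blank line is header and is skipped.
# The trailing trust-attribute column is dropped so nicknames containing spaces
# survive (runs of spaces inside a nickname are collapsed to one).
nss_nicknames() {
    awk '
        body && NF > 0 { $NF = ""; sub(/[ \t]+$/, ""); print }
        /^$/ { body = 1 }
    '
}

# Usage: missing_nicknames EXPECTED_FILE ACTUAL_FILE
# Print each nickname in EXPECTED_FILE (one per line) that is absent from
# ACTUAL_FILE. Returns 0 when nothing is missing, 1 otherwise.
missing_nicknames() {
    missing=$(grep -F -x -v -f "$2" "$1" || true)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Usage: check_db EXPECTED_FILE NSSDB_DIR
# Lists the live database with certutil (assumed installed) and compares it.
# Not exercised below, since it needs a real NSS database on the host.
check_db() {
    tmp=$(mktemp)
    certutil -L -d "$2" | nss_nicknames > "$tmp"
    if missing_nicknames "$1" "$tmp"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

# Constructed sample listings standing in for real `certutil -L` output:
# one database that was re-populated, one that was left without the CA certs.
httpd_listing='Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                            CT,C,C
Example Corp Root CA                          CT,C,C
Server-Cert                                   u,u,u'

tomcat_listing='Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                     CTu,Cu,Cu
subsystemCert cert-pki-ca                     u,u,u'

# Nicknames every database is expected to carry (constructed values).
expected=$(mktemp); actual=$(mktemp)
printf '%s\n' 'EXAMPLE.COM IPA CA' 'Example Corp Root CA' > "$expected"

printf '%s\n' "$httpd_listing" | nss_nicknames > "$actual"
missing_nicknames "$expected" "$actual" && echo "httpd alias: all CA certs present"

printf '%s\n' "$tomcat_listing" | nss_nicknames > "$actual"
missing_nicknames "$expected" "$actual" || echo "pki-tomcat alias: CA certs above are missing"

rm -f "$expected" "$actual"
```

On a real server the same two functions would be driven by `check_db expected.txt /etc/httpd/alias`, `check_db expected.txt /etc/pki/nssdb` and `check_db expected.txt /etc/pki/pki-tomcat/alias`, with expected.txt holding the CA nicknames you loaded into LDAP; a non-zero exit from any of them is the signal that the database needs attention before the old CA certificate expires.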
