[Freeipa-users] CA-less install - problem with CA certificates - PLEASE HELP!
Peter Pakos
peter at pakos.uk
Wed Jul 20 22:44:29 UTC 2016
I've now set up a test box using exactly the same install command, SSL
certificate etc...
The /etc/ipa/ca.crt contains only 3 certificates but they are not CA
certificates that were included in the PKCS12 file:
[root@dupa temp]# for i in {1..3}; do echo cert${i}; openssl x509 -in cert${i} -noout -text | grep -i 'issuer:\|subject:'; done
cert1
        Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
        Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
cert2
        Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
        Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
cert3
        Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
        Subject: C=FR, ST=Paris, L=Paris, O=Gandi, CN=Gandi Standard SSL CA 2
So out of the box, the certificate "USERTrust RSA Certification
Authority" is listed there twice.
[root@dupa temp]# certutil -L -d /etc/pki/nssdb/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

AddTrust External CA Root - AddTrust AB                      ,,
USERTrust RSA Certification Authority - AddTrust AB          ,,
Gandi Standard SSL CA 2 - The USERTRUST Network              C,,

[root@dupa temp]# certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

GandiWildcardIPA                                             u,u,u
AddTrust External CA Root - AddTrust AB                      ,,
USERTrust RSA Certification Authority - AddTrust AB          ,,
Gandi Standard SSL CA 2 - The USERTRUST Network              C,,

[root@dupa temp]# certutil -L -d /etc/dirsrv/slapd-IPA-WANDISCO-COM/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

GandiWildcardIPA                                             u,u,u
AddTrust External CA Root - AddTrust AB                      ,,
USERTrust RSA Certification Authority - AddTrust AB          ,,
Gandi Standard SSL CA 2 - The USERTRUST Network              C,,

Please note, in the databases the certificate "USERTrust RSA
Certification Authority - AddTrust AB" is only listed once.
How do I fix our production installation?
--
Kind regards,
Peter Pakos
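
Added example (not part of the original post and not FreeIPA code): a small Python parser for the Issuer/Subject listing shown above that reports self-signed entries, subjects that appear under more than one issuer, and issuers that are not themselves in the bundle. The input is the post's output with wrapped lines rejoined; the function names are hypothetical, and the check compares names only, it does not verify signatures.

```python
import re
from collections import defaultdict

# Constructed input: the Issuer/Subject lines from the post, wrapped lines rejoined.
USERTRUST = ("C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, "
             "CN=USERTrust RSA Certification Authority")
ADDTRUST = ("C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, "
            "CN=AddTrust External CA Root")
GANDI = "C=FR, ST=Paris, L=Paris, O=Gandi, CN=Gandi Standard SSL CA 2"
LISTING = f"""cert1
        Issuer: {USERTRUST}
        Subject: {USERTRUST}
cert2
        Issuer: {ADDTRUST}
        Subject: {USERTRUST}
cert3
        Issuer: {USERTRUST}
        Subject: {GANDI}
"""

FIELD = re.compile(r"^(issuer|subject):\s*(.+)$", re.IGNORECASE)

def parse_listing(text):
    """Parse 'label / Issuer: / Subject:' groups into a list of dicts."""
    certs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FIELD.match(line)
        if m and certs:
            certs[-1][m.group(1).lower()] = m.group(2).strip()
        elif not m:
            certs.append({"label": line})  # a line such as 'cert1' starts a new entry
    return certs

def analyse(certs):
    """Classify bundle entries by comparing issuer and subject names."""
    by_subject = defaultdict(list)
    for c in certs:
        by_subject[c["subject"]].append(c)
    return {
        "self_signed": [c["label"] for c in certs if c["issuer"] == c["subject"]],
        # Same subject under different issuers: separate certificates, not copies.
        "same_subject": {s: [c["label"] for c in cs] for s, cs in by_subject.items()
                         if len({c["issuer"] for c in cs}) > 1},
        "issuer_not_in_bundle": {c["label"]: c["issuer"] for c in certs
                                 if c["issuer"] not in by_subject},
    }

if __name__ == "__main__":
    for key, value in analyse(parse_listing(LISTING)).items():
        print(key, "->", value)
```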