On 12/13/2017 04:39 PM, Harald Dunkel via FreeIPA-users wrote:
Hi Flo,
On 12/12/17 3:59 PM, Harald Dunkel via FreeIPA-users wrote:
My concern is, it looks much more restricted than the old root CA
certificate:
# certutil -L -d /var/lib/pki/pki-tomcat/ca/alias
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                                      u,u,u
subsystemCert cert-pki-ca                                    u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,u
CN=example Root CA,OU=example Certificate Authority,O=example AG,C=DE CT,C,C
CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE C,,
Shouldn't it be "CT,C,C" as well?
:
:
Hi,
the flags here will be the same as the ones used with the command
ipa-cacert-manage install -t <flags>. If I recall correctly, in most
cases you need only C,, but if your deployment requires more flags (for
instance the external CA is used to sign Smart Card certificates), you
can tune this by providing the required flags in ipa-cacert-manage install.
ipa-certupdate said
# ipa-certupdate
trying https://ipa1.example.de/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://ipa1.example.de/ipa/json'
trying https://ipa1.example.de/ipa/json
[try 1]: Forwarding 'ca_is_enabled' to json server 'https://ipa1.example.de/ipa/json'
[try 1]: Forwarding 'ca_find/1' to json server 'https://ipa1.example.de/ipa/json'
Systemwide CA database updated.
Systemwide CA database updated.
The ipa-certupdate command was successful
dmesg shows that there was a core dump:
[108604.869633] ns-slapd[23051]: segfault at 10 ip 00007fb60841dc30 sp 00007fb60af56c88 error 4 in libpthread-2.17.so[7fb608414000+17000]
Problem: The certificate in /etc/ipa/ca.crt and /usr/share/ipa/html/ca.crt
is still old. The files have been touched, but not replaced by the new
certificate.
AFAICT this is not as documented. Would you suggest filing a bug
report?
The files should contain multiple certificates (IPA CA and the external
CA certificates). If it is not the case, please check first if there
were AVC issues (if running in SElinux enforcing mode), and feel free to
file a bug.
Flo
Regards
Harri
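Two checks come up in this thread: reading the NSS trust columns that certutil prints (C,, versus CT,C,C) and confirming that /etc/ipa/ca.crt actually carries more than one certificate after ipa-certupdate. The script below is an added example, not code from the thread or from the FreeIPA project. It parses a certutil -L listing into per-column trust flags, decodes what each flag grants, lists CAs that are trusted to issue server certificates but not client certificates, and counts the certificates in a PEM bundle. The listing is copied from the thread; the PEM bundle is a constructed placeholder (not real certificates), since only the BEGIN/END markers are inspected.

```python
"""Decode certutil trust attributes and sanity-check a CA bundle (added example)."""
import re
from typing import Dict, List, Tuple

# Listing taken from the thread above; the three trust columns are SSL, S/MIME, JAR/XPI.
SAMPLE_CERTUTIL_OUTPUT = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                                      u,u,u
subsystemCert cert-pki-ca                                    u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,u
CN=example Root CA,OU=example Certificate Authority,O=example AG,C=DE CT,C,C
CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE C,,
"""

# Constructed placeholder bundle: the bodies are NOT valid certificates, only the
# PEM markers matter for the count below.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
PLACEHOLDER-IPA-CA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDER-EXTERNAL-ROOT-CA
-----END CERTIFICATE-----
"""
SINGLE_CERT_BUNDLE = SAMPLE_BUNDLE.split("-----END CERTIFICATE-----")[0] + "-----END CERTIFICATE-----\n"

# Nickname (may contain spaces and commas) followed by a trust token "x,y,z" at end of line.
TRUST_RE = re.compile(r"^(.*?)\s+([pPcCTu]*,[pPcCTu]*,[pPcCTu]*)$")
PEM_CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

# Meaning of the certutil trust letters (see certutil(1)).
FLAG_MEANING = {
    "p": "prohibited",
    "P": "trusted peer",
    "c": "valid CA",
    "C": "trusted CA, may issue server certs",
    "T": "trusted CA, may issue client certs",
    "u": "user cert, private key present",
}

TrustTriple = Tuple[str, str, str]


def parse_certutil_listing(text: str) -> Dict[str, TrustTriple]:
    """Map each nickname in a `certutil -L` listing to its (SSL, S/MIME, JAR/XPI) flags."""
    entries: Dict[str, TrustTriple] = {}
    for line in text.splitlines():
        match = TRUST_RE.match(line.rstrip())
        if not match:
            continue  # header, blank line, or wrapped continuation
        nickname, trust = match.group(1).strip(), match.group(2)
        ssl, smime, objsign = trust.split(",")
        entries[nickname] = (ssl, smime, objsign)
    return entries


def describe_trust(flags: str) -> str:
    """Human-readable expansion of one trust column, e.g. 'CT' -> two grants."""
    return "; ".join(FLAG_MEANING[f] for f in flags) if flags else "no trust"


def issues_client_certs(trust: TrustTriple) -> bool:
    """True when the SSL column carries T, i.e. the CA is trusted for client (e.g. smart card) auth."""
    return "T" in trust[0]


def cas_without_client_auth_trust(entries: Dict[str, TrustTriple]) -> List[str]:
    """CAs trusted for server certs (C in SSL column) but not for client certs (no T)."""
    return sorted(n for n, t in entries.items() if "C" in t[0] and "T" not in t[0])


def count_pem_certificates(pem_text: str) -> int:
    """Number of PEM certificate blocks in a bundle such as /etc/ipa/ca.crt."""
    return len(PEM_CERT_RE.findall(pem_text))


def bundle_has_chain(pem_text: str, expected_min: int = 2) -> bool:
    """Per the reply above, the bundle should hold the IPA CA plus the external CA cert(s)."""
    return count_pem_certificates(pem_text) >= expected_min


if __name__ == "__main__":
    listing = parse_certutil_listing(SAMPLE_CERTUTIL_OUTPUT)
    for nick, (ssl, smime, objsign) in listing.items():
        print(f"{nick}\n    SSL: {describe_trust(ssl)}\n    S/MIME: {describe_trust(smime)}\n    JAR/XPI: {describe_trust(objsign)}")
    print("CAs not trusted to issue client certs:", cas_without_client_auth_trust(listing))
    print("bundle certificate count:", count_pem_certificates(SAMPLE_BUNDLE), "chain ok:", bundle_has_chain(SAMPLE_BUNDLE))
```

On a live system the listing comes from `certutil -L -d /var/lib/pki/pki-tomcat/ca/alias` and the bundle from `/etc/ipa/ca.crt`; the checker only reads them, so it can be run before deciding whether the flags passed to `ipa-cacert-manage install -t` need to include T for client-certificate trust.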
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org