They are indeed all self-signed:

#openssl x509 -in /var/kerberos/krb5kdc/kdc.crt -issuer -subject -noout
issuer= /O=DOMAIN.COM/CN=server1.dom.ain
subject= /O=DOMAIN.COM/CN=server1.dom.ain

#openssl x509 -in /var/kerberos/krb5kdc/kdc.crt -issuer -subject -noout
issuer= /O=DOMAIN.COM/CN=server2.dom.ain
subject= /O=DOMAIN.COM/CN=server2.dom.ain

and so on.

So if I understand correctly, these all should have been signed by the IPA CA? 

And re: OCSP - I'll go ahead and check how I can either change the location, or
set up a CNAME to point the existing address in the cert to a working OCSP
responder.