On Wed, May 29, 2019 at 01:19:19PM -0000, Khurrum Maqb via FreeIPA-users wrote: > They are indeed all self signed: > > #openssl x509 -in /var/kerberos/krb5kdc/kdc.crt -issuer -subject -noout > issuer= /O=DOMAIN.COM/CN=server1.dom.ain > subject= /O=DOMAIN.COM/CN=server1.dom.ain > > #openssl x509 -in /var/kerberos/krb5kdc/kdc.crt -issuer -subject -noout > issuer= /O=DOMAIN.COM/CN=server2.dom.ain > subject= /O=DOMAIN.COM/CN=server2.dom.ain
Florence, do you know from the top of your head the steps to recreate proper KDC certificates signed by the IPA CA? bye, Sumit > > and so on.. > > So if I understand correctly, these all should have been signed by the IPA > CA? > > And re: OCSP - I'll go ahead and check how I can either change the location, > or setup a CNAME to point the existing address in the cert to a working ocsp > responder. > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
