Kristian Petersen wrote:
> Rob,
>
> After investigating the certs as you had suggested, I do have the whole
> chain. The server cert has as its issuer:
> Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
>
> And the DigiCert.crt file has as its issuer and subject:
> Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
> Subject: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
>
> Am I missing something here?

So you have the whole chain in one file? Try adding them individually,
starting at the root.

rob

> On Fri, Oct 11, 2019 at 12:50 PM Rob Crittenden <rcrit...@redhat.com> wrote:
> > Kristian Petersen wrote:
> > > New but related question: If I just want to add new LDAP and HTTPS
> > > certs (not replacing the current ones) I know that can be done. I read
> > > an article from Florence Blanc-Renaud that mentions it, but I ran into
> > > some errors and I'm trying to troubleshoot them. When I ran
> > > ipa-server-certinstall and gave it the key I generated and the crt file
> > > I got from Digicert it said the entire chain was not present. So then I
> > > tried including the DigiCertCA.crt file as well, however, I got the same
> > > result.
> > >
> > > I next tried adding the DigiCert certificate to IPA using
> > > ipa-cacert-manage -p DM_PASSWORD -n NICKNAME -t C,, install DigiCertCA.crt
> > > This also failed giving an error that the cert was invalid because the
> > > Peer's Certificate issuer was not recognized. Any thoughts about what I
> > > might have missed?
> >
> > You don't have the full chain. It can be tricky to find the whole list
> > even on CAs that make it relatively easy.
> >
> > What you want to do is use a tool like openssl x509 to display the
> > subject and issuer:
> >
> > openssl x509 -text -noout -in /path/to/cert
> >
> > I'd start with the server cert you've been issued. Find a matching CA
> > cert where the subject of the CA cert matches the issuer on the
> > server cert.
> >
> > Then find another CA cert whose subject matches the issuer of the bottom
> > of the chain, and work upwards until you find a CA cert where the issuer
> > and subject match. Then you've found the root. That plus the other
> > matching CA certs is your chain.
> >
> > I'll also note about the "add but not replace" the LDAP and Web certs.
> > There can only be one active. You can certainly use different physical
> > files and nicknames to store the new certs but only one set is active at
> > a time.
> >
> > rob
> >
> > > On Fri, Oct 11, 2019 at 11:20 AM Rob Crittenden <rcrit...@redhat.com> wrote:
> > > > Kristian Petersen via FreeIPA-users wrote:
> > > > > That outlines the options, but not why I should or shouldn't use
> > > > > any of them. That is more of what I am looking for.
> > > >
> > > > It's less benefit analysis and more forced by internal requirements.
> > > >
> > > > Often an organization already has a CA and wants any additional CAs to
> > > > be subordinates.
> > > >
> > > > The downsides of an external CA are some additional complexity.
> > > >
> > > > Installation can be more difficult (users often have issues getting
> > > > their external CA to properly sign the IPA CSR), dealing with a longer
> > > > certificate chain and being bound by the expiration date of the
> > > > external CA.
> > > >
> > > > rob
> > > >
> > > > > On Fri, Oct 11, 2019 at 9:47 AM François Cami <fc...@redhat.com> wrote:
> > > > > > Hi,
> > > > > >
> > > > > > On Fri, Oct 11, 2019 at 5:34 PM Kristian Petersen via FreeIPA-users
> > > > > > <freeipa-users@lists.fedorahosted.org> wrote:
> > > > > > >
> > > > > > > Hey y'all,
> > > > > > >
> > > > > > > What are the pros and cons of using an external or internal CA
> > > > > > > for FreeIPA/IdM? I am trying to decide which to do but having
> > > > > > > trouble finding a lot of info about why I would want to do one or
> > > > > > > the other.
> > > > > >
> > > > > > The choices are documented there:
> > > > > >
> > > > > > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/install-server
> > > > > >
> > > > > > François
> > > > > >
> > > > > > > Thanks in advance!
> > > > > > >
> > > > > > > --
> > > > > > > Kristian Petersen
> > > > > > > System Administrator
> > > > > > > BYU Dept. of Chemistry and Biochemistry
> > > > > > > _______________________________________________
> > > > > > > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > > > > > > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> > > > > > > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > > > > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > > > > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
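Rob's subject/issuer walk, written out as a self-contained check (an added example, not code from the thread or from the FreeIPA project): it orders a pool of parsed certificates leaf-first by matching each Issuer to a Subject, verifies the signature at every link so a name match alone is never trusted, and stops only at a cert that signs itself. It generates constructed Ed25519 test certificates with hypothetical names in place of the DigeCert and IPA certs from the thread; BuildChain and mkCert are names chosen here.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// BuildChain orders certs leaf-first: at each step find the pool cert whose Subject equals the
// current Issuer and whose key verifies the signature; stop at a self-signed root (Issuer == Subject).
func BuildChain(leaf *x509.Certificate, pool []*x509.Certificate) ([]*x509.Certificate, error) {
	chain := []*x509.Certificate{leaf}
	for cur := leaf; len(chain) <= len(pool)+1; {
		if bytes.Equal(cur.RawIssuer, cur.RawSubject) && cur.CheckSignatureFrom(cur) == nil {
			return chain, nil // root reached: it signs itself, nothing sits above it
		}
		var next *x509.Certificate
		for _, c := range pool {
			if bytes.Equal(c.RawSubject, cur.RawIssuer) && cur.CheckSignatureFrom(c) == nil {
				next = c // a Subject match alone is not enough; the signature must verify
				break
			}
		}
		if next == nil {
			return chain, fmt.Errorf("chain incomplete: no CA cert with subject %q", cur.Issuer.String())
		}
		chain, cur = append(chain, next), next
	}
	return chain, fmt.Errorf("chain does not end in a self-signed root")
}

// mkCert makes constructed test certs (hypothetical names, not real DigiCert/IPA certs): signed by parent, or self-signed when parent is nil.
func mkCert(cn string, ca bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), IsCA: ca,
		BasicConstraintsValid: true, Subject: pkix.Name{Organization: []string{"Example Org"}, CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil {
		parent, pkey = tmpl, priv // self-signed: the template is its own issuer
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}
```

For a real bundle, load each PEM block with pem.Decode and x509.ParseCertificate in place of mkCert; the resulting leaf-first order is the same one you confirm by hand with openssl x509 -noout -subject -issuer on each file.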