This morning I thought I had found what I was missing: import the new RA cert 
to ~/.dogtag/nssdb, which I've done, and now all the places I know about the RA 
cert match.

# certutil -L -d /root/.dogtag/nssdb

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Certificate Authority - IPA.****.NET                       CT,C,C
IPA RA - IPA.****.NET                                      u,u,u

# certutil -L -d /root/.dogtag/nssdb -n "IPA RA - IPA.****.NET" -a
-----BEGIN CERTIFICATE-----
MIID6jCC...ssifAg==
-----END CERTIFICATE-----

# certutil -L -d /root/.dogtag/nssdb -n "IPA RA - IPA.****.NET" | grep Serial
        Serial Number: 7 (0x7)

# ldapsearch -D "cn=directory manager" -W -b uid=ipara,ou=people,o=ipaca
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=ipara,ou=people,o=ipaca> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# ipara, people, ipaca
dn: uid=ipara,ou=people,o=ipaca
description: 2;7;CN=Certificate Authority,O=IPA.****.NET;CN=IPA 
RA,O=IPA.****.NET
userCertificate:: MIID6jCC...ssifAg==
uid: ipara
sn: ipara
usertype: agentType
userstate: 1
objectClass: cmsuser
objectClass: top
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: person
cn: ipara

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

# cat /var/lib/ipa/ra-agent.pem
-----BEGIN CERTIFICATE-----
MIID6jCC...ssifAg==
-----END CERTIFICATE-----

But the openssl verify command with the -show_chain flag still seems to fail:

# openssl verify -verbose -show_chain -CAfile /etc/ipa/ca.crt 
/var/lib/ipa/ra-agent.pem
usage: verify [-verbose] [-CApath path] [-CAfile file] [-trusted_first] 
[-purpose purpose] [-crl_check] [-no_alt_chains] [-attime timestamp] [-engine 
e] cert1 cert2 ...
recognized usages:
        sslclient       SSL client
        sslserver       SSL server
        nssslserver     Netscape SSL server
        smimesign       S/MIME signing
        smimeencrypt    S/MIME encryption
        crlsign         CRL signing
        any             Any Purpose
        ocsphelper      OCSP helper
        timestampsign   Time Stamp signing
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
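The post compares the RA agent certificate by eye across the NSS database, the LDAP entry and the PEM file, and then hits the usage text of an openssl verify that does not know -show_chain (the option was added in OpenSSL 1.1.0; the usage string shown is what 1.0.x prints for an unknown option). The script below is an added example, not code from the post or from FreeIPA/Dogtag: it automates the same cross-check by SHA-256 fingerprint and serial number, and verifies the chain to the CA with -show_chain only when the local openssl supports it. Paths default to the ones in the post; the realm in the RA nickname, the `--check`/`--selftest` switches, the helper names and the throwaway CA built by the self-test are all assumptions of this example. The Dogtag description format `2;<serial>;<issuer>;<subject>` is read from the LDIF shown in the post.

```shell
#!/bin/sh
# Added example; not code from the original post or from FreeIPA/Dogtag.
# Cross-checks the IPA RA agent certificate across the three places the post
# inspects (NSS database, uid=ipara LDAP entry, PEM file) by SHA-256
# fingerprint and serial, then verifies its chain to the IPA CA. Assumes
# certutil (nss-tools), ldapsearch (openldap-clients) and openssl are present;
# paths default to the ones in the post, the realm below is a placeholder.

NSSDB="${NSSDB:-/root/.dogtag/nssdb}"
RA_NICK="${RA_NICK:-IPA RA - IPA.EXAMPLE.TEST}"    # placeholder realm
RA_PEM="${RA_PEM:-/var/lib/ipa/ra-agent.pem}"
CA_PEM="${CA_PEM:-/etc/ipa/ca.crt}"

# SHA-256 fingerprint ("AB:CD:...") of a PEM certificate read from stdin.
fp_of_pem() { openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'; }

# Decimal serial of a PEM certificate file (openssl prints it in hex).
pem_serial_dec() {
    hex=$(openssl x509 -noout -serial -in "$1" | sed 's/^serial=//')
    printf '%d\n' "$((0x$hex))"
}

# Dogtag records agent cert metadata in the entry's description as
# "2;<serial>;<issuer DN>;<subject DN>"; this returns the serial field.
ldap_desc_serial() { printf '%s\n' "$1" | cut -d';' -f2; }

fp_nssdb() { certutil -L -d "$NSSDB" -n "$RA_NICK" -a | fp_of_pem; }

fp_ldap() {
    # userCertificate is base64 in LDIF ("::"); ldif-wrap=no keeps it on one line.
    ldapsearch -LLL -o ldif-wrap=no -D "cn=directory manager" -W \
        -b uid=ipara,ou=people,o=ipaca userCertificate \
      | sed -n 's/^userCertificate:: //p' \
      | { printf -- '-----BEGIN CERTIFICATE-----\n'; fold -w 64
          printf -- '-----END CERTIFICATE-----\n'; } \
      | fp_of_pem
}

# Returns 0 only if nssdb, LDAP and the PEM file all hold the same certificate.
check_ra_consistency() {
    ref=$(fp_of_pem < "$RA_PEM"); nss=$(fp_nssdb); ldap=$(fp_ldap)
    printf 'pem:   %s\nnssdb: %s\nldap:  %s\n' "$ref" "$nss" "$ldap"
    [ "$ref" = "$nss" ] && [ "$ref" = "$ldap" ]
}

# openssl verify gained -show_chain in 1.1.0. On 1.0.x the option is unknown
# and openssl prints its usage text (exit 1) instead of verifying anything,
# which is the output seen in the post; fall back to a plain verify there.
verify_chain() {
    if openssl verify -help 2>&1 | grep -q -- '-show_chain'; then
        openssl verify -show_chain -CAfile "$1" "$2"
    else
        openssl verify -CAfile "$1" "$2"
    fi
}

# Offline demonstration: mint a throwaway CA, an unrelated CA and an "RA" leaf
# with serial 7 so the checks can be exercised without an IPA server.
demo_selftest() {
    t=$(mktemp -d) || return 1
    printf '[req]\ndistinguished_name = dn\nx509_extensions = ca\n[dn]\n[ca]\n' > "$t/ca.cnf"
    printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' >> "$t/ca.cnf"
    for ca in ca other; do
        openssl req -x509 -config "$t/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
            -keyout "$t/$ca.key" -out "$t/$ca.crt" \
            -subj "/O=EXAMPLE.TEST/CN=Certificate Authority $ca" >/dev/null 2>&1 || return 1
    done
    openssl req -config "$t/ca.cnf" -newkey rsa:2048 -nodes -keyout "$t/ra.key" \
        -out "$t/ra.csr" -subj "/O=EXAMPLE.TEST/CN=IPA RA" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -set_serial 7 -in "$t/ra.csr" -CA "$t/ca.crt" \
        -CAkey "$t/ca.key" -out "$t/ra.pem" >/dev/null 2>&1 || return 1
    # different certificates must not share a fingerprint
    [ "$(fp_of_pem < "$t/ra.pem")" != "$(fp_of_pem < "$t/ca.crt")" ] || return 1
    # serial 7 in the cert must equal the "7" in a Dogtag-style description
    desc='2;7;CN=Certificate Authority ca,O=EXAMPLE.TEST;CN=IPA RA,O=EXAMPLE.TEST'
    [ "$(pem_serial_dec "$t/ra.pem")" = "$(ldap_desc_serial "$desc")" ] || return 1
    # the leaf chains to its issuer and not to the unrelated CA
    verify_chain "$t/ca.crt" "$t/ra.pem" >/dev/null 2>&1 || return 1
    if verify_chain "$t/other.crt" "$t/ra.pem" >/dev/null 2>&1; then return 1; fi
    rm -rf "$t"
}

case "${1:-}" in
    --check)    check_ra_consistency && verify_chain "$CA_PEM" "$RA_PEM" ;;
    --selftest) demo_selftest && echo "selftest: ok" ;;
esac
```

Run it with `--selftest` anywhere openssl is installed to exercise the logic, and with `--check` on the IPA server (it prompts for the Directory Manager password once, for the ldapsearch). A mismatch between the three fingerprints points at a stale copy of the RA cert; a verify failure with matching fingerprints points at the CA file or the chain itself.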