I have been able to actually change those values to "C,," on one server, using
the old certutil command, but as soon as I ipa-certupdate, they are reverted
to ",,". I am still missing something.
Here is what I did that seemed to work, until reverting:
You need the names of the certs from these commands:
certutil -L -d /etc/ipa/nssdb
certutil -L -d /etc/dirsrv/slapd-VSS-VZBI-COM
You need to get the NSS DB passwords from the pwdfile.txt files in those two
directories:
cat /etc/ipa/nssdb/pwdfile.txt
cat /etc/dirsrv/slapd-VSS-VZBI-COM/pwdfile.txt
Save those out to a text file somewhere and be ready to paste them in when asked.
For each name on each DB, type:
certutil -M -d /etc/ipa/nssdb -n "DigiCert Global G2 TLS RSA SHA256 2020 CA1 - DigiCert Inc" -t C,,
certutil -M -d /etc/ipa/nssdb -n "DigiCert Global Root G2 - DigiCert Inc" -t C,,
certutil -M -d /etc/dirsrv/slapd-VSS-VZBI-COM/ -n "CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US" -t C,,
certutil -M -d /etc/dirsrv/slapd-VSS-VZBI-COM/ -n "CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US" -t C,,
and enter the appropriate password when asked for each.
Then it looks the way I would like it to look:
# certutil -L -d /etc/ipa/nssdb; certutil -L -d /etc/dirsrv/slapd-VSS-VZBI-COM

Certificate Nickname                                                  Trust Attributes
                                                                      SSL,S/MIME,JAR/XPI

DigiCert Global G2 TLS RSA SHA256 2020 CA1 - DigiCert Inc             C,,
DigiCert Global Root G2 - DigiCert Inc                                C,,
VSS.VZBI.COM IPA CA                                                   CT,C,C
CyberTrustRoot                                                        C,,
DigiCertCA                                                            C,,

Certificate Nickname                                                  Trust Attributes
                                                                      SSL,S/MIME,JAR/XPI

CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US     C,,
CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US    C,,
Server-Cert                                                           u,u,u
VSS.VZBI.COM IPA CA                                                   CT,C,C
CyberTrustRoot                                                        C,,
DigiCertCA                                                            C,,
But, as soon as I ipa-certupdate, the changes are gone. So, have I done
something locally which needs to rather (or also?) happen up in the air, in
the LDAP, somehow? Or maybe it is because I did not do this from the
Master? Or... are there more steps?
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
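Editor's added example, not code from the post above or from the FreeIPA project: a small shell helper that parses `certutil -L` output, reports every CA entry whose SSL trust column has neither C (trusted CA) nor u (we hold the private key), and wraps the `certutil -M ... -t C,,` call the poster typed by hand, reading the NSS DB password from `pwdfile.txt` with `-f` instead of pasting it interactively. The listing embedded in the script is constructed from the post's output with the DigiCert trust column reset to ",,"; the database paths and nicknames are placeholders. The `untrusted_cas` check runs offline; `fix_db` needs certutil and a real NSS database.

```shell
#!/bin/sh
# Added example (not from the original post or FreeIPA itself).
# Finds CA certificates in a `certutil -L` listing that are not trusted for
# SSL and shows how to set C,, on them non-interactively.

# Constructed sample: what `certutil -L -d /etc/ipa/nssdb` looks like after
# the DigiCert chain was imported with empty trust flags (",,").
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

DigiCert Global G2 TLS RSA SHA256 2020 CA1 - DigiCert Inc    ,,
DigiCert Global Root G2 - DigiCert Inc                       ,,
VSS.VZBI.COM IPA CA                                          CT,C,C
Server-Cert                                                  u,u,u
'

# untrusted_cas LISTING
# Prints one nickname per line for every entry whose SSL trust field
# contains neither C (trusted CA) nor u (our own cert with a private key).
untrusted_cas() {
    printf '%s\n' "$1" | awk '
        # A data row ends in a three-part trust string such as ",,", "C,,"
        # or "CT,C,C"; the two header lines do not, so they are skipped.
        NF >= 2 && $NF ~ /^[pPcCTu]*,[pPcCTu]*,[pPcCTu]*$/ {
            split($NF, f, ",")
            # f[1] is the SSL column.
            if (f[1] !~ /[Cu]/) {
                # The nickname is every field before the trust column.
                nick = $1
                for (i = 2; i < NF; i++) nick = nick " " $i
                print nick
            }
        }'
}

# set_ca_trust DBDIR NICKNAME
# Marks NICKNAME as a trusted CA for SSL in the NSS database at DBDIR.
# -f reads the DB password from DBDIR/pwdfile.txt (the file the post cats),
# so nothing has to be pasted at a prompt.
set_ca_trust() {
    certutil -M -d "$1" -f "$1/pwdfile.txt" -n "$2" -t C,,
}

# fix_db DBDIR
# Applies set_ca_trust to every untrusted CA found in DBDIR, then lists the
# database again so the new trust column can be eyeballed.
fix_db() {
    untrusted_cas "$(certutil -L -d "$1")" | while IFS= read -r nick; do
        set_ca_trust "$1" "$nick"
    done
    certutil -L -d "$1"
}

# Offline demonstration on the constructed listing: prints the two DigiCert
# nicknames that still carry ",,".
untrusted_cas "$SAMPLE_LISTING"
```

Usage on a real host would be `fix_db /etc/ipa/nssdb` and `fix_db /etc/dirsrv/slapd-VSS-VZBI-COM`. The caveat the post runs into still applies: ipa-certupdate rebuilds these local NSS databases from the CA certificates FreeIPA keeps in LDAP, so flags changed only with certutil -M are overwritten on the next run; the trust flags have to be set on the LDAP side (ipa-cacert-manage install accepts `-t C,,` for exactly this) before ipa-certupdate is run on each host.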