Hi,

On Mon, Mar 17, 2025 at 6:45 AM Raymond Spangle via FreeIPA-users <[email protected]> wrote:
> I have been able to actually change those values to "C,," on one server,
> using the old certutil command, but as soon as I ipa-certupdate, they are
> reverted back to ",,". I am still missing something.
>
> Here is what I did that seemed to work, until reverting:
>
> You need the names of the certs from these commands:
> certutil -L -d /etc/ipa/nssdb
> certutil -L -d /etc/dirsrv/slapd-VSS-VZBI-COM
>
> You need to get the NSS DB passwords from the pwdfile.txt files in those
> two directories:
>
> cat /etc/ipa/nssdb/pwdfile.txt
> cat /etc/dirsrv/slapd-VSS-VZBI-COM/pwdfile.txt
>
> Save those out to a text file somewhere and be ready to paste them in when
> asked.
>
> For each name on each DB, type:
> certutil -M -d /etc/ipa/nssdb -n "DigiCert Global G2 TLS RSA SHA256 2020 CA1 - DigiCert Inc" -t C,,
> certutil -M -d /etc/ipa/nssdb -n "DigiCert Global Root G2 - DigiCert Inc" -t C,,
>
> certutil -M -d /etc/dirsrv/slapd-VSS-VZBI-COM/ -n "CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US" -t C,,
> certutil -M -d /etc/dirsrv/slapd-VSS-VZBI-COM/ -n "CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US" -t C,,
>
> and enter the appropriate password when asked for each.
>
> Then, it looks the way I would rather enjoy it to look:
>
> # certutil -L -d /etc/ipa/nssdb; certutil -L -d /etc/dirsrv/slapd-VSS-VZBI-COM
>
> Certificate Nickname                                                    Trust Attributes
>                                                                         SSL,S/MIME,JAR/XPI
>
> DigiCert Global G2 TLS RSA SHA256 2020 CA1 - DigiCert Inc               C,,
> DigiCert Global Root G2 - DigiCert Inc                                  C,,
> VSS.VZBI.COM IPA CA                                                     CT,C,C
> CyberTrustRoot                                                          C,,
> DigiCertCA                                                              C,,
>
> Certificate Nickname                                                    Trust Attributes
>                                                                         SSL,S/MIME,JAR/XPI
>
> CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US       C,,
> CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US      C,,
> Server-Cert                                                             u,u,u
> VSS.VZBI.COM IPA CA                                                     CT,C,C
> CyberTrustRoot                                                          C,,
> DigiCertCA                                                              C,,
>
> But, as soon as I ipa-certupdate, the changes are gone. So, have I done
> something locally which needs to rather (or also?) happen up in the air,
> in the LDAP, somehow? Or, maybe it is because I did not do this from the
> Master? Or,... are there more steps?
>

Can you provide the output of

ldapsearch -D "cn=directory manager" -W -b cn=certificates,cn=ipa,cn=etc,<your suffix>

The attributes ipaKeyExtUsage and ipaKeyTrust should reflect the trust flags.

flo

--
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
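The procedure quoted above edits trust flags with `certutil -M` and then watches `ipa-certupdate` revert them, so the useful local check is one that reads a `certutil -L` listing and reports every CA nickname whose SSL trust slot no longer carries `C`. The script below is an added example, not code from the thread or from FreeIPA: it parses the three-column `certutil -L` table (nickname, then a `SSL,S/MIME,JAR/XPI` triplet as the last token) with POSIX awk, and the listing it runs on is constructed to mirror the one in the thread with the two DigiCert entries already reverted to `,,`. Running it against real output (`certutil -L -d /etc/ipa/nssdb | ...`) is an assumption about your environment; it does not change anything in the database and does not touch the LDAP entries under `cn=certificates,cn=ipa,cn=etc` that flo asks about, which is where the flags are sourced from on update.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): report CA entries in a
# `certutil -L` listing whose SSL trust slot lacks the "C" flag.

# Constructed sample, modelled on the thread's listing after ipa-certupdate
# has reverted the two DigeCert-issued chain certs back to ",,".
SAMPLE='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

DigiCert Global G2 TLS RSA SHA256 2020 CA1 - DigiCert Inc    ,,
DigiCert Global Root G2 - DigiCert Inc                       ,,
VSS.VZBI.COM IPA CA                                          CT,C,C
Server-Cert                                                  u,u,u
CyberTrustRoot                                               C,,
'

# missing_ca_trust LISTING
# Prints one nickname per line for every entry whose SSL slot (first field
# of the trust triplet) contains neither "C" (trusted CA) nor "u" (an entry
# with a private key, e.g. Server-Cert, which is not a CA and is skipped).
missing_ca_trust() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*$/            { next }   # blank separator lines
        /^Certificate Nickname/     { next }   # column header
        $1 == "SSL,S/MIME,JAR/XPI"  { next }   # second header line
        {
            trust = $NF                         # trust triplet is the last token
            nick  = $0
            sub(/[[:space:]]+$/, "", nick)      # drop trailing whitespace, if any
            sub(/[[:space:]]+[^[:space:]]*$/, "", nick)  # strip the trust column
            split(trust, slot, ",")             # slot[1] = SSL, slot[2] = S/MIME, slot[3] = JAR/XPI
            if (slot[1] !~ /C/ && slot[1] !~ /u/) print nick
        }'
}

# Usage: run the check on the constructed listing (or pipe real certutil -L
# output into the function). A non-empty result means the flags were reverted.
missing_ca_trust "$SAMPLE"
```

On a live server the same check is `missing_ca_trust "$(certutil -L -d /etc/ipa/nssdb)"` and again for the `slapd-*` directory; run it before and after `ipa-certupdate` on each replica to see exactly which nicknames lose their `C` flag, which is the evidence to line up against the `ipaKeyTrust` and `ipaKeyExtUsage` values from the ldapsearch in the reply.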
