Florence Blanc-Renaud wrote: > Hi, > Can you provide the output of > ldapsearch -D "cn=directory manager" -W -b > cn=certificates,cn=ipa,cn=etc,<your suffix> > The attributes ipaKeyExtUsage and ipaKeyTrust should reflect the trust > flags. > flo
Certainly, thanks for assisting! (I've shortened the key and crt strings for ease of reading). # ldapsearch -D "cn=directory manager" -W -b cn=certificates,cn=ipa,cn=etc,dc=vss,dc=vzbi,dc=com Enter LDAP Password: # extended LDIF # # LDAPv3 # base <cn=certificates,cn=ipa,cn=etc,dc=vss,dc=vzbi,dc=com> with scope subtree # filter: (objectclass=*) # requesting: ALL # # certificates, ipa, etc, vss.vzbi.com dn: cn=certificates,cn=ipa,cn=etc,dc=vss,dc=vzbi,dc=com cn: certificates objectClass: nsContainer objectClass: top # VSS.VZBI.COM IPA CA, certificates, ipa, etc, vss.vzbi.com dn: cn=VSS.VZBI.COM IPA CA,cn=certificates,cn=ipa,cn=etc,dc=vss,dc=vzbi,dc=com ipaCertIssuerSerial: CN=Certificate Authority,O=VSS.VZBI.COM;1 cn: VSS.VZBI.COM IPA CA ipaConfigString: ipaCa ipaConfigString: compatCA cACertificate;binary:: MIIEjjCCA...lMlosLouG65 objectClass: ipaCertificate objectClass: pkiCA objectClass: ipaKeyPolicy objectClass: top ipaPublicKey:: MIIBojANB...UPAgMBAAE= ipaKeyTrust: trusted ipaCertSubject: CN=Certificate Authority,O=VSS.VZBI.COM ipaKeyExtUsage: 1.3.6.1.5.5.7.3.4 ipaKeyExtUsage: 1.3.6.1.5.5.7.3.1 ipaKeyExtUsage: 1.3.6.1.5.5.7.3.3 ipaKeyExtUsage: 1.3.6.1.5.5.7.3.2 # CyberTrustRoot, certificates, ipa, etc, vss.vzbi.com dn: cn=CyberTrustRoot,cn=certificates,cn=ipa,cn=etc,dc=vss,dc=vzbi,dc=com ipaKeyExtUsage: 1.3.6.1.5.5.7.3.1 ipaKeyTrust: trusted cACertificate;binary:: MIIDdzCCAl+g...V/OeBHRnDJELqYzmp ipaPublicKey:: MIIBIjANB...aOQIDAQAB ipaCertIssuerSerial: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C= IE;33554617 ipaCertSubject: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE cn: CyberTrustRoot objectClass: ipaCertificate objectClass: pkiCA objectClass: ipaKeyPolicy objectClass: top # DigiCertCA, certificates, ipa, etc, vss.vzbi.com dn: cn=DigiCertCA,cn=certificates,cn=ipa,cn=etc,dc=vss,dc=vzbi,dc=com ipaKeyExtUsage: 1.3.6.1.5.5.7.3.1 ipaKeyTrust: trusted cACertificate;binary:: MIIE4DCCA8i...yLVj6fexOFpmA== ipaPublicKey:: MIIBIjANB...nPQIDAQAB ipaCertIssuerSerial: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C= IE;13967229389238126287638511701440740160 ipaCertSubject: CN=DigiCert Baltimore TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C =US cn: DigiCertCA objectClass: ipaCertificate objectClass: pkiCA objectClass: ipaKeyPolicy objectClass: top # DigiCert Global G2 TLS RSA SHA256 2020 CA1 - DigiCert Inc, certificates, ipa, etc, vss.vzbi.com dn: cn=DigiCert Global G2 TLS RSA SHA256 2020 CA1 - DigiCert Inc,cn=certificat es,cn=ipa,cn=etc,dc=vss,dc=vzbi,dc=com objectClass: ipaCertificate objectClass: pkiCA objectClass: ipaKeyPolicy objectClass: top cn: DigiCert Global G2 TLS RSA SHA256 2020 CA1 - DigiCert Inc ipaCertSubject: CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C =US ipaCertIssuerSerial: CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US;17226682543955925492517929723242541158 ipaPublicKey:: MIIBIjANBgk...QIDAQAB cACertificate;binary:: MIIEyDCC...51b2EQJ8HmA== ipaKeyExtUsage: 1.3.6.1.4.1.3319.6.10.16 # DigiCert Global Root G2 - DigiCert Inc, certificates, ipa, etc, vss.vzbi.com dn: cn=DigiCert Global Root G2 - DigiCert Inc,cn=certificates,cn=ipa,cn=etc,dc =vss,dc=vzbi,dc=com ipaKeyTrust: trusted ipaKeyExtUsage: 1.3.6.1.5.5.7.3.1 ipaKeyExtUsage: 1.3.6.1.5.5.7.3.3 ipaKeyExtUsage: 1.3.6.1.5.5.7.3.4 ipaKeyExtUsage: 1.3.6.1.5.5.7.3.2 objectClass: ipaCertificate objectClass: pkiCA objectClass: ipaKeyPolicy objectClass: top cn: DigiCert Global Root G2 - DigiCert Inc ipaCertSubject: CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc, C=US ipaCertIssuerSerial: CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US;4293743540046975378534879503202253541 ipaPublicKey:: MIIBIjANB...4MphQIDAQAB cACertificate;binary:: MIIDjjCC...zNTflMrY= # CN\3DBaltimore CyberTrust Root\2COU\3DCyberTrust\2CO\3DBaltimore\2CC\3DIE, ce rtificates, ipa, etc, vss.vzbi.com dn: cn=CN\3DBaltimore CyberTrust Root\2COU\3DCyberTrust\2CO\3DBaltimore\2CC\3D IE,cn=certificates,cn=ipa,cn=etc,dc=vss,dc=vzbi,dc=com objectClass: ipaCertificate objectClass: pkiCA objectClass: ipaKeyPolicy objectClass: top cn: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE ipaCertSubject: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE ipaCertIssuerSerial: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C= IE;33554617 ipaPublicKey:: MIIBIjANB...QIDAQAB cACertificate;binary:: MIIDdzCCAl...jzV/OeBHRnDJELqYzmp ipaKeyTrust: trusted ipaKeyExtUsage: 1.3.6.1.5.5.7.3.1 # CN\3DDigiCert Baltimore TLS RSA SHA256 2020 CA1\2CO\3DDigiCert Inc\2CC\3DUS, certificates, ipa, etc, vss.vzbi.com dn: cn=CN\3DDigiCert Baltimore TLS RSA SHA256 2020 CA1\2CO\3DDigiCert Inc\2CC\ 3DUS,cn=certificates,cn=ipa,cn=etc,dc=vss,dc=vzbi,dc=com objectClass: ipaCertificate objectClass: pkiCA objectClass: ipaKeyPolicy objectClass: top cn: CN=DigiCert Baltimore TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US ipaCertSubject: CN=DigiCert Baltimore TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C =US ipaCertIssuerSerial: CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C= IE;13967229389238126287638511701440740160 ipaPublicKey:: MIIBIjANB...nPQIDAQAB cACertificate;binary:: MIIE4D...fexOFpmA== ipaKeyTrust: trusted ipaKeyExtUsage: 1.3.6.1.5.5.7.3.1 # CN\3DDigiCert Global G2 TLS RSA SHA256 2020 CA1\2CO\3DDigiCert Inc\2CC\3DUS, certificates, ipa, etc, vss.vzbi.com dn: cn=CN\3DDigiCert Global G2 TLS RSA SHA256 2020 CA1\2CO\3DDigiCert Inc\2CC\ 3DUS,cn=certificates,cn=ipa,cn=etc,dc=vss,dc=vzbi,dc=com objectClass: ipaCertificate objectClass: pkiCA objectClass: ipaKeyPolicy objectClass: top cn: CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US ipaCertSubject: CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C =US ipaCertIssuerSerial: CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US;17226682543955925492517929723242541158 ipaPublicKey:: MIIBIjA...poQIDAQAB cACertificate;binary:: MIIEyDCCA7...1b2EQJ8HmA== ipaKeyExtUsage: 1.3.6.1.4.1.3319.6.10.16 # CN\3DDigiCert Global Root G2\2COU\3Dwww.digicert.com\2CO\3DDigiCert Inc\2CC\3 DUS, certificates, ipa, etc, vss.vzbi.com dn: cn=CN\3DDigiCert Global Root G2\2COU\3Dwww.digicert.com\2CO\3DDigiCert Inc \2CC\3DUS,cn=certificates,cn=ipa,cn=etc,dc=vss,dc=vzbi,dc=com objectClass: ipaCertificate objectClass: pkiCA objectClass: ipaKeyPolicy objectClass: top cn: CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US ipaCertSubject: CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc, C=US ipaCertIssuerSerial: CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US;4293743540046975378534879503202253541 ipaPublicKey:: MIIBIjAN...QIDAQAB cACertificate;binary:: MIIDjjCC...NTflMrY= ipaKeyExtUsage: 1.3.6.1.4.1.3319.6.10.16 # search result search: 2 result: 0 Success # numResponses: 11 # numEntries: 10 -- _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
