On 03/10/2014 09:07 PM, Simo Sorce wrote:
> On Mon, 2014-03-10 at 15:45 -0400, Robert Story wrote:
>> On Mon, 10 Mar 2014 15:44:01 +0100 Jan wrote:
>> JC> On 6.3.2014 05:42, Robert Story wrote:
>> JC> > I'm trying to install on CentOS 6.5 (ipa-server-3.0.0-37.el6.x86_64)
>> JC> > and an external CA. I'm getting this error:
>> JC> > [snip]
>> JC> Can you please run certutil -V on the issuer certificate
>> JC> (CN=Certificate Authority,O=xxx)? That might give us a clue why it is
>> JC> invalid.
>>
>> Unfortunately I've already scrapped that install and just went with the
>> internal self-signed CA. So far, the only annoyance is that the webserver
>> also presents a self-signed cert for the UI. Is it safe to replace just
>> the web cert with a cert signed by my local CA? Or might that break
>> something?
>
> Import the CA cert in your browser.
>
> Simo.
>
Yup, in FreeIPA 4.0 even that step should not be needed given the system
shared CA trust storage:

https://fedorahosted.org/freeipa/ticket/3504

As for now, you can also add the CA certificate via the convenience wizards
in the IPA UI:

http://vm-236.idm.lab.eng.brq.redhat.com/ipa/config/unauthorized.html

Martin