Re: [Freeipa-users] External CA: Peer's certificate issuer has been marked as not trusted by the user
Hi,

No-one has any idea here? My Root Cert is installed OK.

# certutil -d /etc/pki/pki-tomcat/alias/ -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
COMODOExternalCARoot                                         C,C,C
COMODORSADomainValidationSecureServerCA                      C,C,C
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
COMODORSAAddTrustCA                                          C,C,C

I hope this helps.

Cheers,

Matt

2016-10-01 17:04 GMT+02:00 Matt .:
> Hi guys,
>
> I have installed successfully an external CA Certificate for
> https/LDAP but now I get this on my ipa-commands:
>
> ipa domainlevel-get
>
> ipa: ERROR: cert validation failed for
> "CN=*.mysubdomain.ipa.mydomain.tld,OU=PositiveSSL Wildcard,OU=Domain
> Control Validated" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate
> issuer has been marked as not trusted by the user.)
>
> What can cause this ?
>
> I'm on FreeIPA, version: 4.4.1
>
> I hope we can sort this out.
>
> Thanks,
>
> Matt

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
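The listing above is what certutil prints for the NSS database Dogtag uses, and the column NSS consults when it reports SEC_ERROR_UNTRUSTED_ISSUER for a TLS peer is the first one (SSL). The Python below is an added example, not code from this thread or from FreeIPA: it parses a certutil -L listing (a constructed copy of the one above, plus a second constructed listing in which the intermediate was imported with empty trust and a stale root was distrusted) and reports which entries NSS can accept as an SSL issuer. The nickname OldVendorRoot and all function names are my own.

```python
"""Check NSS trust flags in a `certutil -L` listing.

Added example; not code from the thread or from FreeIPA.
"""
import re

# Constructed copy of the listing posted above (nicknames and flags as posted).
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
COMODOExternalCARoot                                         C,C,C
COMODORSADomainValidationSecureServerCA                      C,C,C
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
COMODORSAAddTrustCA                                          C,C,C
"""

# Constructed listing of a misconfigured database: the intermediate was
# imported with empty trust (",,") and a stale root was explicitly distrusted.
BROKEN_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

COMODOExternalCARoot                                         C,C,C
COMODORSADomainValidationSecureServerCA                      ,,
OldVendorRoot                                                p,p,p
Server-Cert cert-pki-ca                                      u,u,u
"""

# One entry per line: nickname, whitespace, then three comma-separated flag
# groups. The flag letters are the ones certutil documents (C, T, c, P, p, u, w).
ENTRY_RE = re.compile(
    r"^(?P<nick>\S.*?)\s+(?P<ssl>[CTcPpuw]*),(?P<smime>[CTcPpuw]*),(?P<jar>[CTcPpuw]*)\s*$"
)


def parse_certutil_listing(text):
    """Map nickname -> (ssl_flags, smime_flags, jar_flags); header lines do not match."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group("nick")] = (m.group("ssl"), m.group("smime"), m.group("jar"))
    return entries


def classify_ssl(flags):
    """Classify one entry's SSL column.

    'p' = explicitly distrusted, 'C' = trusted CA for server certs,
    'u' = our own cert (private key present), empty = present but not trusted.
    """
    if "p" in flags:
        return "distrusted"
    if "C" in flags:
        return "trusted-ca"
    if "u" in flags:
        return "own-cert"
    return "untrusted"


def ssl_issuer_trust(entries):
    """Nickname -> SSL classification for a parsed listing."""
    return {nick: classify_ssl(cols[0]) for nick, cols in entries.items()}


def find_untrusted_cas(text):
    """Nicknames that cannot act as a trusted SSL issuer: the first thing to
    check when NSS says a peer's issuer is not trusted."""
    trust = ssl_issuer_trust(parse_certutil_listing(text))
    return sorted(n for n, state in trust.items() if state in ("untrusted", "distrusted"))


if __name__ == "__main__":
    for name, listing in (("posted listing", SAMPLE_LISTING), ("broken listing", BROKEN_LISTING)):
        print(name, "- entries that cannot serve as SSL issuer:", find_untrusted_cas(listing))
```

In the posted listing every COMODO entry carries C in the SSL column, so the issuer chain is trusted as far as trust flags go; if the error persists, the next question is whether the issuer that signed the presented certificate is one of these entries at all, not whether these entries are trusted.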
[Freeipa-users] External CA: Peer's certificate issuer has been marked as not trusted by the user
Hi guys,

I have installed successfully an external CA Certificate for https/LDAP but now I get this on my ipa-commands:

ipa domainlevel-get

ipa: ERROR: cert validation failed for "CN=*.mysubdomain.ipa.mydomain.tld,OU=PositiveSSL Wildcard,OU=Domain Control Validated" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.)

What can cause this?

I'm on FreeIPA, version: 4.4.1

I hope we can sort this out.

Thanks,

Matt
Re: [Freeipa-users] External CA
Thanks for heads up. You mean by the difference between O=MW and O=MELTWATER.COM? Petr, is this possible? Can it be validated in the installer if this is the root cause?

Martin

On 11/08/2013 01:55 AM, William Leese wrote:
> I was able to solve this by recreating my test CA. I believe the problem was with non-matching Organisation between the CSR and CA - but I don't have the knowledge to know if this is really required.
>
> Anyhow, things work, despite not having removed the -----BEGIN CERTIFICATE----- lines this time around.
>
> Thanks for the help and sorry for wasting your time!
>
> --
> William Leese
> Production Engineer, Operations, Asia Pacific
> Meltwater Group
> m: +81 80 4946 0329
> skype: william.leese1
> w: meltwater.com
>
> This email and any attachment(s) is intended for and confidential to the addressee. If you are neither the addressee nor an authorized recipient for the addressee, please notify us of receipt, delete this message from your system and do not use, copy or disseminate the information in, or attached to it, in any way. Our messages are checked for viruses but please note that we do not accept liability for any viruses which may be transmitted in or with this message.
>
> On Thu, Nov 7, 2013 at 8:36 PM, Petr Viktorin <pvikt...@redhat.com> wrote:
>> On 11/07/2013 08:34 AM, William Leese wrote:
>>>>> [root@vagrant-centos-6 CA]# cat /root/server.pem
>>>>> Certificate:
>>>>>     Data:
>>>>>         Version: 3 (0x2)
>>>>>         Serial Number: 2 (0x2)
>>>>>     Signature Algorithm: sha1WithRSAEncryption
>>>>>         Issuer: C=JP, ST=TK, L=TKK, O=MW, OU=ops, CN=vagrant.localdomain/emailAddress=t...@t.com
>>>>>         Validity
>>>>>             Not Before: Nov 6 05:12:09 2013 GMT
>>>>>             Not After : Nov 6 05:12:09 2014 GMT
>>>>>         Subject: O=MELTWATER.COM, CN=Certificate Authority
>>>>> [snip]
>>>>> -----BEGIN CERTIFICATE-----
>>>>> MIIDfDCCAmSgAwIBAgIBAjANBgkqhkiG9w0BAQUFADB5MQswCQYDVQQGEwJKUDEL
>>>>> MAkGA1UECAwCVEsxDDAKBgNVBAcMA1RLSzELMAkGA1UECgwCTVcxDDAKBgNVBAsM
>>>>> A29wczEcMBoGA1UEAwwTdmFncmFudC5sb2NhbGRvbWFpbjEWMBQGCSqGSIb3DQEJ
>>>>> [snip]
>>>>
>>>> Try removing everything before the -----BEGIN CERTIFICATE----- line from the PEM.
>>>
>>> Well that was unexpected: removing the BEGIN Certificate / End lines now makes the install proceed up until:
>>>
>>> The log file for this installation can be found in /var/log/ipaserver-install.log
>>> The PKCS#10 certificate is not signed by the external CA (unknown issuer E=x...@x.com,CN=vagrant-centos-6,OU=JP,O=JP,L=JP,ST=JP,C=JP).
>>
>> Can you please post more (all) of /var/log/ipaserver-install.log? We need to know where exactly the issue is occurring and what the traceback is.
>>
>>> Do I need to do anything to make my freshly created internal CA trusted for the installation? I've tried the usual magic in /etc/pki/tls/certs, but to no avail.
>>
>> No, --external_ca_file should have been enough.
>>
>> --
>> Petr³

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] External CA
> You mean by the difference between O=MW and O=MELTWATER.COM?

Yes, but again I don't know for sure. I wasn't very diligent setting up my test CA.
Re: [Freeipa-users] External CA
On 11/08/2013 09:01 AM, Martin Kosek wrote:
> Thanks for heads up. You mean by the difference between O=MW and O=MELTWATER.COM? Petr, is this possible? Can it be validated in the installer if this is the root cause?

It is possible. It's hard to tell without the logs; looks like the failure was inside Dogtag.

There may be more issues; for instance I don't think we considered PEM files with extra data before the BEGIN CERTIFICATE. I filed a ticket to investigate: https://fedorahosted.org/freeipa/ticket/4019

> On 11/08/2013 01:55 AM, William Leese wrote:
>> I was able to solve this by recreating my test CA. I believe the problem was with non-matching Organisation between the CSR and CA - but I don't have the knowledge to know if this is really required.
>>
>> Anyhow, things work, despite not having removed the -----BEGIN CERTIFICATE----- lines this time around.
>>
>> Thanks for the help and sorry for wasting your time!

--
Petr³
Re: [Freeipa-users] External CA
On 11/08/2013 04:56 AM, Petr Viktorin wrote:
> On 11/08/2013 09:01 AM, Martin Kosek wrote:
>> Thanks for heads up. You mean by the difference between O=MW and O=MELTWATER.COM? Petr, is this possible? Can it be validated in the installer if this is the root cause?

That's a good question. Typically with cert validation only the CN component in the subject is cross checked. More aggressive validators are free to examine all RDNs in the subject (not sure what the PKIX behavior is with respect to other RDNs). Of course this isn't cert validation, but validating a CSR is closely related. The first place I would look is the Dogtag policy.

> It is possible. It's hard to tell without the logs; looks like the failure was inside Dogtag.
>
> There may be more issues; for instance I don't think we considered PEM files with extra data before the BEGIN CERTIFICATE. I filed a ticket to investigate: https://fedorahosted.org/freeipa/ticket/4019

FWIW I've authored a set of Python utilities to work with PEM files for OpenStack. They work just fine with PEM blocks embedded with non-PEM text. I was thinking the utilities would also be useful in FreeIPA (in fact my experience in IPA is what guided the development of these utilities). I'll try to get them up in a git repo shortly and send a pointer.

--
John
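A PEM block preceded by `openssl x509 -text` output, as in the server.pem earlier in this thread, is the case Petr's ticket and John's utilities are about: a strict reader that expects the file to start at the BEGIN line rejects it. The Python below is an added example, not John's utilities and not FreeIPA code: it pulls every BEGIN/END armoured block out of such a file, checks that the END label matches the BEGIN label and that the body is valid base64, and re-emits the block in the canonical form that a strict reader such as Python's own ssl.PEM_cert_to_DER_cert accepts. The sample inputs are constructed (the base64 body is filler, not a real certificate) and the function names are mine.

```python
"""Extract PEM blocks from files that also contain non-PEM text.

Added example (not FreeIPA's or John's code). Handles the case from the
thread: an `openssl x509 -text` dump in front of the BEGIN CERTIFICATE line.
"""
import base64
import binascii
import re
import ssl

# Constructed sample: the base64 body is filler, not a real DER certificate.
FAKE_DER = b"constructed filler, not a real DER certificate"
FAKE_B64 = base64.encodebytes(FAKE_DER).decode("ascii")

# Constructed sample file: human-readable dump, then the armoured block, then
# trailing notes, much like the /root/server.pem shown in the thread.
TEXT_THEN_PEM = (
    "Certificate:\n"
    "    Data:\n"
    "        Version: 3 (0x2)\n"
    "        Serial Number: 2 (0x2)\n"
    "    Signature Algorithm: sha1WithRSAEncryption\n"
    "        Issuer: C=JP, ST=TK, L=TKK, O=MW, OU=ops\n"
    "        Subject: O=MELTWATER.COM, CN=Certificate Authority\n"
    "-----BEGIN CERTIFICATE-----\n"
    + FAKE_B64 +
    "-----END CERTIFICATE-----\n"
    "Some notes a human added after the block.\n"
)

# Constructed broken input: the END label does not match the BEGIN label.
MISMATCHED = "-----BEGIN CERTIFICATE-----\n" + FAKE_B64 + "-----END CERTIFICATE REQUEST-----\n"

BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END_RE = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")


def armour(label, body_b64):
    """Re-wrap a base64 body as a canonical PEM block, 64 characters per line."""
    lines = [body_b64[i:i + 64] for i in range(0, len(body_b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


def extract_pem_blocks(text):
    """Return [(label, der_bytes, canonical_pem)] for each armoured block in text.

    Text outside BEGIN/END lines is ignored. A block whose END label differs
    from its BEGIN label, whose body is not valid base64, or that is never
    terminated raises ValueError rather than being silently dropped.
    """
    blocks = []
    label, body = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if label is None:
            m = BEGIN_RE.match(line)
            if m:
                label, body = m.group(1), []
            continue  # outside a block: skip the openssl -text dump, notes, etc.
        m = END_RE.match(line)
        if m is None:
            body.append(line)
            continue
        if m.group(1) != label:
            raise ValueError("END label %r does not match BEGIN label %r" % (m.group(1), label))
        joined = "".join(body)
        try:
            der = base64.b64decode(joined, validate=True)  # rejects stray characters
        except binascii.Error as exc:
            raise ValueError("block %r has an invalid base64 body: %s" % (label, exc))
        blocks.append((label, der, armour(label, joined)))
        label = None
    if label is not None:
        raise ValueError("unterminated PEM block %r" % label)
    return blocks


def is_well_formed(text):
    """True if every armoured block in text parses; False on any ValueError."""
    try:
        extract_pem_blocks(text)
        return True
    except ValueError:
        return False


def strict_accepts(pem_text):
    """True if Python's strict reader (ssl.PEM_cert_to_DER_cert) takes the text as-is."""
    try:
        ssl.PEM_cert_to_DER_cert(pem_text)
        return True
    except ValueError:
        return False


def normalize_pem_file(text):
    """Concatenate the canonical blocks found in text: the form a strict reader expects."""
    return "".join(pem for _label, _der, pem in extract_pem_blocks(text))


if __name__ == "__main__":
    print("strict reader accepts the raw file:", strict_accepts(TEXT_THEN_PEM))
    print("strict reader accepts the normalized file:", strict_accepts(normalize_pem_file(TEXT_THEN_PEM)))
```

Running normalize_pem_file over a chain file (several blocks, each with its own dump in front) yields one canonical block per certificate, which is the form to hand to an installer that reads the file byte-for-byte from the first BEGIN line.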
Re: [Freeipa-users] External CA
On 11/07/2013 08:34 AM, William Leese wrote:
>>> [root@vagrant-centos-6 CA]# cat /root/server.pem
>>> Certificate:
>>>     Data:
>>>         Version: 3 (0x2)
>>>         Serial Number: 2 (0x2)
>>>     Signature Algorithm: sha1WithRSAEncryption
>>>         Issuer: C=JP, ST=TK, L=TKK, O=MW, OU=ops, CN=vagrant.localdomain/emailAddress=t...@t.com
>>>         Validity
>>>             Not Before: Nov 6 05:12:09 2013 GMT
>>>             Not After : Nov 6 05:12:09 2014 GMT
>>>         Subject: O=MELTWATER.COM, CN=Certificate Authority
>>> [snip]
>>> -----BEGIN CERTIFICATE-----
>>> MIIDfDCCAmSgAwIBAgIBAjANBgkqhkiG9w0BAQUFADB5MQswCQYDVQQGEwJKUDEL
>>> MAkGA1UECAwCVEsxDDAKBgNVBAcMA1RLSzELMAkGA1UECgwCTVcxDDAKBgNVBAsM
>>> A29wczEcMBoGA1UEAwwTdmFncmFudC5sb2NhbGRvbWFpbjEWMBQGCSqGSIb3DQEJ
>>> [snip]
>>
>> Try removing everything before the -----BEGIN CERTIFICATE----- line from the PEM.
>
> Well that was unexpected: removing the BEGIN Certificate / End lines now makes the install proceed up until:
>
> The log file for this installation can be found in /var/log/ipaserver-install.log
> The PKCS#10 certificate is not signed by the external CA (unknown issuer E=x...@x.com,CN=vagrant-centos-6,OU=JP,O=JP,L=JP,ST=JP,C=JP).

Can you please post more (all) of /var/log/ipaserver-install.log? We need to know where exactly the issue is occurring and what the traceback is.

> Do I need to do anything to make my freshly created internal CA trusted for the installation? I've tried the usual magic in /etc/pki/tls/certs, but to no avail.

No, --external_ca_file should have been enough.

--
Petr³
Re: [Freeipa-users] External CA
I was able to solve this by recreating my test CA. I believe the problem was with non-matching Organisation between the CSR and CA - but I don't have the knowledge to know if this is really required.

Anyhow, things work, despite not having removed the -----BEGIN CERTIFICATE----- lines this time around.

Thanks for the help and sorry for wasting your time!

--
William Leese
Production Engineer, Operations, Asia Pacific
Meltwater Group
m: +81 80 4946 0329
skype: william.leese1
w: meltwater.com

On Thu, Nov 7, 2013 at 8:36 PM, Petr Viktorin <pvikt...@redhat.com> wrote:
> On 11/07/2013 08:34 AM, William Leese wrote:
>>>> [root@vagrant-centos-6 CA]# cat /root/server.pem
>>>> Certificate:
>>>>     Data:
>>>>         Version: 3 (0x2)
>>>>         Serial Number: 2 (0x2)
>>>>     Signature Algorithm: sha1WithRSAEncryption
>>>>         Issuer: C=JP, ST=TK, L=TKK, O=MW, OU=ops, CN=vagrant.localdomain/emailAddress=t...@t.com
>>>>         Validity
>>>>             Not Before: Nov 6 05:12:09 2013 GMT
>>>>             Not After : Nov 6 05:12:09 2014 GMT
>>>>         Subject: O=MELTWATER.COM, CN=Certificate Authority
>>>> [snip]
>>>> -----BEGIN CERTIFICATE-----
>>>> MIIDfDCCAmSgAwIBAgIBAjANBgkqhkiG9w0BAQUFADB5MQswCQYDVQQGEwJKUDEL
>>>> MAkGA1UECAwCVEsxDDAKBgNVBAcMA1RLSzELMAkGA1UECgwCTVcxDDAKBgNVBAsM
>>>> A29wczEcMBoGA1UEAwwTdmFncmFudC5sb2NhbGRvbWFpbjEWMBQGCSqGSIb3DQEJ
>>>> [snip]
>>>
>>> Try removing everything before the -----BEGIN CERTIFICATE----- line from the PEM.
>>
>> Well that was unexpected: removing the BEGIN Certificate / End lines now makes the install proceed up until:
>>
>> The log file for this installation can be found in /var/log/ipaserver-install.log
>> The PKCS#10 certificate is not signed by the external CA (unknown issuer E=x...@x.com,CN=vagrant-centos-6,OU=JP,O=JP,L=JP,ST=JP,C=JP).
>
> Can you please post more (all) of /var/log/ipaserver-install.log? We need to know where exactly the issue is occurring and what the traceback is.
>
>> Do I need to do anything to make my freshly created internal CA trusted for the installation? I've tried the usual magic in /etc/pki/tls/certs, but to no avail.
>
> No, --external_ca_file should have been enough.
>
> --
> Petr³
Re: [Freeipa-users] External CA
On 11/06/2013 06:32 AM, William Leese wrote:
> Hi,
>
> Trying to install freeIPA and have it a sub-ca of an existing one. Sadly I'm not getting anywhere.
>
> The version I have installed: ipa-server-3.0.0-26.el6_4.4.x86_64
>
> This is what I run:
>
> ipa-server-install -U -a testtest -p testtest --external_cert_file=/root/server.pem --external_ca_file=/root/cacert.pem -p testtest -P testtest -r MELTWATER.COM
>
> Which runs this as part of the process:
>
> /usr/bin/pkisilent ConfigureCA -cs_hostname vagrant-centos-6.meltwater.com -cs_port 9445 -client_certdb_dir /tmp/tmp-bOrwSu -client_certdb_pwd testtest -preop_pin 4hdia3IvPvf27Qo7kBbO -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password testtest -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=MELTWATER.COM -ldap_host vagrant-centos-6.meltwater.com -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password testtest -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd testtest -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MELTWATER.COM -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MELTWATER.COM -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MELTWATER.COM -ca_server_cert_subject_name CN=vagrant-centos-6.meltwater.com,O=MELTWATER.COM -ca_audit_signing_cert_subject_name CN=CA Audit,O=MELTWATER.COM -ca_sign_cert_subject_name CN=Certificate Authority,O=MELTWATER.COM -external true -ext_ca_cert_file /root/server.pem -ext_ca_cert_chain_file /root/cacert.pem
>
> All this results in this in the log:
>
> <errorString>Failed to create pkcs12 file.</errorString>
> [snip]
> Error in BackupPanel(): updateStatus value is null
> ERROR: ConfigureCA: BackupPanel() failure
> ERROR: unable to create CA

Can you attach the full error from the log?

> Interestingly adding the option -save_p12 false to the pkisilent command above results in:
>
> importCert string: importing with nickname: ipa-ca-agent
> Already logged into to DB
> ERROR:exception importing cert Security library failed to decode certificate package: (-8183) security library: improperly formatted DER-encoded message.
> ERROR: AdminCertImportPanel() during cert import
> ERROR: ConfigureCA: AdminCertImportPanel() failure
> ERROR: unable to create CA
>
> While the option change seemed innocent, I honestly don't know if it's crucial to the install or not. Anyhow, things don't really progress anyway.
>
> I followed the documentation by signing the /root/ipa.csr with a test, internal CA but somehow I can't get the install to proceed.
>
> [root@vagrant-centos-6 CA]# cat /root/server.pem
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 2 (0x2)
>     Signature Algorithm: sha1WithRSAEncryption
>         Issuer: C=JP, ST=TK, L=TKK, O=MW, OU=ops, CN=vagrant.localdomain/emailAddress=t...@t.com
>         Validity
>             Not Before: Nov 6 05:12:09 2013 GMT
>             Not After : Nov 6 05:12:09 2014 GMT
>         Subject: O=MELTWATER.COM, CN=Certificate Authority
> [snip]
> -----BEGIN CERTIFICATE-----
> MIIDfDCCAmSgAwIBAgIBAjANBgkqhkiG9w0BAQUFADB5MQswCQYDVQQGEwJKUDEL
> MAkGA1UECAwCVEsxDDAKBgNVBAcMA1RLSzELMAkGA1UECgwCTVcxDDAKBgNVBAsM
> A29wczEcMBoGA1UEAwwTdmFncmFudC5sb2NhbGRvbWFpbjEWMBQGCSqGSIb3DQEJ
> [snip]

Try removing everything before the -----BEGIN CERTIFICATE----- line from the PEM.

> [root@vagrant-centos-6 CA]# cat /root/cacert.pem
> -----BEGIN CERTIFICATE-----
> MIIDxTCCAq2gAwIBAgIJALIzKeNrwx2lMA0GCSqGSIb3DQEBBQUAMHkxCzAJBgNV
> BAYTAkpQMQswCQYDVQQIDAJUSzEMMAoGA1UEBwwDVEtLMQswCQYDVQQKDAJNVzEM
> MAoGA1UECwwDb3BzMRwwGgYD
> [snip]
>
> Any help would be welcome.

--
Petr³
[Freeipa-users] External CA
Hi,

Trying to install freeIPA and have it a sub-ca of an existing one. Sadly I'm not getting anywhere.

The version I have installed: ipa-server-3.0.0-26.el6_4.4.x86_64

This is what I run:

ipa-server-install -U -a testtest -p testtest --external_cert_file=/root/server.pem --external_ca_file=/root/cacert.pem -p testtest -P testtest -r MELTWATER.COM

Which runs this as part of the process:

/usr/bin/pkisilent ConfigureCA -cs_hostname vagrant-centos-6.meltwater.com -cs_port 9445 -client_certdb_dir /tmp/tmp-bOrwSu -client_certdb_pwd testtest -preop_pin 4hdia3IvPvf27Qo7kBbO -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password testtest -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=MELTWATER.COM -ldap_host vagrant-centos-6.meltwater.com -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password testtest -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd testtest -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MELTWATER.COM -ca_subsystem_cert_subject_name CN=CA Subsystem,O=MELTWATER.COM -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=MELTWATER.COM -ca_server_cert_subject_name CN=vagrant-centos-6.meltwater.com,O=MELTWATER.COM -ca_audit_signing_cert_subject_name CN=CA Audit,O=MELTWATER.COM -ca_sign_cert_subject_name CN=Certificate Authority,O=MELTWATER.COM -external true -ext_ca_cert_file /root/server.pem -ext_ca_cert_chain_file /root/cacert.pem

All this results in this in the log:

<errorString>Failed to create pkcs12 file.</errorString>
[snip]
Error in BackupPanel(): updateStatus value is null
ERROR: ConfigureCA: BackupPanel() failure
ERROR: unable to create CA

Interestingly adding the option -save_p12 false to the pkisilent command above results in:

importCert string: importing with nickname: ipa-ca-agent
Already logged into to DB
ERROR:exception importing cert Security library failed to decode certificate package: (-8183) security library: improperly formatted DER-encoded message.
ERROR: AdminCertImportPanel() during cert import
ERROR: ConfigureCA: AdminCertImportPanel() failure
ERROR: unable to create CA

While the option change seemed innocent, I honestly don't know if it's crucial to the install or not. Anyhow, things don't really progress anyway.

I followed the documentation by signing the /root/ipa.csr with a test, internal CA but somehow I can't get the install to proceed.

[root@vagrant-centos-6 CA]# cat /root/server.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=JP, ST=TK, L=TKK, O=MW, OU=ops, CN=vagrant.localdomain/emailAddress=t...@t.com
        Validity
            Not Before: Nov 6 05:12:09 2013 GMT
            Not After : Nov 6 05:12:09 2014 GMT
        Subject: O=MELTWATER.COM, CN=Certificate Authority
[snip]
-----BEGIN CERTIFICATE-----
MIIDfDCCAmSgAwIBAgIBAjANBgkqhkiG9w0BAQUFADB5MQswCQYDVQQGEwJKUDEL
MAkGA1UECAwCVEsxDDAKBgNVBAcMA1RLSzELMAkGA1UECgwCTVcxDDAKBgNVBAsM
A29wczEcMBoGA1UEAwwTdmFncmFudC5sb2NhbGRvbWFpbjEWMBQGCSqGSIb3DQEJ
[snip]

[root@vagrant-centos-6 CA]# cat /root/cacert.pem
-----BEGIN CERTIFICATE-----
MIIDxTCCAq2gAwIBAgIJALIzKeNrwx2lMA0GCSqGSIb3DQEBBQUAMHkxCzAJBgNV
BAYTAkpQMQswCQYDVQQIDAJUSzEMMAoGA1UEBwwDVEtLMQswCQYDVQQKDAJNVzEM
MAoGA1UECwwDb3BzMRwwGgYD
[snip]

Any help would be welcome.

--
William Leese
Production Engineer, Operations, Asia Pacific
Meltwater Group
m: +81 80 4946 0329
skype: william.leese1
w: meltwater.com
Re: [Freeipa-users] external CA install problem
On 07/25/2013 04:06 PM, Armstrong, Kenneth Lawrence wrote:
> On Fri, 2013-07-19 at 17:44 -0400, Dmitri Pal wrote:
>> On 07/19/2013 01:11 PM, Armstrong, Kenneth Lawrence wrote:
>>> I'm trying to install an IPA server using an external CA. I ran the ipa-server-install --external-ca command, and got my cert signed by our on-site CA. So then I go back to install using my certs:
>>>
>>> ipa-server-install --external_cert_file=/root/ipa.cer --external_ca_file=/root/CACert.cer
>>>
>>> I get this for output:
>>>
>>> Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
>>>   [1/20]: creating certificate server user
>>>   [2/20]: configuring certificate server instance
>>> ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname lnxrealmtest01.liberty.edu -cs_port 9445 -client_certdb_dir /tmp/tmp-cQZB3x -client_certdb_pwd -preop_pin nio5yPeVonEn0tWotyjC -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=LNXREALMTEST.LIBERTY.EDU -ldap_host lnxrealmtest01.liberty.edu -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_server_cert_subject_name CN=lnxrealmtest01.liberty.edu,O=LNXREALMTEST.LIBERTY.EDU -ca_audit_signing_cert_subject_name CN=CA Audit,O=LNXREALMTEST.LIBERTY.EDU -ca_sign_cert_subject_name CN=Certificate Authority,O=LNXREALMTEST.LIBERTY.EDU -external true -ext_ca_cert_file /root/ipa.cer -ext_ca_cert_chain_file /root/CACert.cer -clone false' returned non-zero exit status 255
>>> Configuration of CA failed
>>>
>>> [root@lnxrealmtest01 ~]# tail /var/log/ipaserver-install.log
>>>   File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 617, in configure_instance
>>>     self.start_creation(runtime=210)
>>>   File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation
>>>     method()
>>>   File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 879, in __configure_instance
>>>     raise RuntimeError('Configuration of CA failed')
>>> 2013-07-19T17:02:51Z INFO The ipa-server-install command failed, exception: RuntimeError: Configuration of CA failed
>>>
>>> Any thoughts on
Re: [Freeipa-users] external CA install problem
Armstrong, Kenneth Lawrence wrote:
> On Thu, 2013-07-25 at 16:22 +0200, Martin Kosek wrote:
>> On 07/25/2013 04:06 PM, Armstrong, Kenneth Lawrence wrote:
>>> On Fri, 2013-07-19 at 17:44 -0400, Dmitri Pal wrote:
>>>> On 07/19/2013 01:11 PM, Armstrong, Kenneth Lawrence wrote:
>>>>> I'm trying to install an IPA server using an external CA. I ran the ipa-server-install --external-ca command, and got my cert signed by our on-site CA. So then I go back to install using my certs:
>>>>>
>>>>> ipa-server-install --external_cert_file=/root/ipa.cer --external_ca_file=/root/CACert.cer
>>>>>
>>>>> I get this for output:
>>>>>
>>>>> Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
>>>>>   [1/20]: creating certificate server user
>>>>>   [2/20]: configuring certificate server instance
>>>>> ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname lnxrealmtest01.liberty.edu -cs_port 9445 -client_certdb_dir /tmp/tmp-cQZB3x -client_certdb_pwd -preop_pin nio5yPeVonEn0tWotyjC -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=LNXREALMTEST.LIBERTY.EDU -ldap_host lnxrealmtest01.liberty.edu -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_server_cert_subject_name CN=lnxrealmtest01.liberty.edu,O=LNXREALMTEST.LIBERTY.EDU -ca_audit_signing_cert_subject_name CN=CA Audit,O=LNXREALMTEST.LIBERTY.EDU -ca_sign_cert_subject_name CN=Certificate Authority,O=LNXREALMTEST.LIBERTY.EDU -external true -ext_ca_cert_file /root/ipa.cer -ext_ca_cert_chain_file /root/CACert.cer -clone false' returned non-zero exit status 255
>>>>> Configuration of CA failed
>>>>>
>>>>> [root@lnxrealmtest01 ~]# tail /var/log/ipaserver-install.log
>>>>>   File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 617, in configure_instance
>>>>>     self.start_creation(runtime=210)
>>>>>   File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation
>>>>>     method()
>>>>>   File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 879, in __configure_instance
>>>>>     raise RuntimeError('Configuration of CA failed')
>>>>> 2013-07-19T17:02:51Z INFO The ipa-server-install command failed, exception: RuntimeError: Configuration of CA failed
Re: [Freeipa-users] external CA install problem
On Thu, 2013-07-25 at 11:51 -0400, Rob Crittenden wrote:
> Armstrong, Kenneth Lawrence wrote:
>> On Thu, 2013-07-25 at 16:22 +0200, Martin Kosek wrote:
>>> On 07/25/2013 04:06 PM, Armstrong, Kenneth Lawrence wrote:
>>>> On Fri, 2013-07-19 at 17:44 -0400, Dmitri Pal wrote:
>>>>> On 07/19/2013 01:11 PM, Armstrong, Kenneth Lawrence wrote:
>>>>>> I'm trying to install an IPA server using an external CA. I ran the ipa-server-install --external-ca command, and got my cert signed by our on-site CA. So then I go back to install using my certs:
>>>>>>
>>>>>> ipa-server-install --external_cert_file=/root/ipa.cer --external_ca_file=/root/CACert.cer
>>>>>>
>>>>>> I get this for output:
>>>>>>
>>>>>> Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
>>>>>>   [1/20]: creating certificate server user
>>>>>>   [2/20]: configuring certificate server instance
>>>>>> ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname lnxrealmtest01.liberty.edu -cs_port 9445 -client_certdb_dir /tmp/tmp-cQZB3x -client_certdb_pwd -preop_pin nio5yPeVonEn0tWotyjC -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=LNXREALMTEST.LIBERTY.EDU -ldap_host lnxrealmtest01.liberty.edu -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_server_cert_subject_name CN=lnxrealmtest01.liberty.edu,O=LNXREALMTEST.LIBERTY.EDU -ca_audit_signing_cert_subject_name CN=CA Audit,O=LNXREALMTEST.LIBERTY.EDU -ca_sign_cert_subject_name CN=Certificate Authority,O=LNXREALMTEST.LIBERTY.EDU -external true -ext_ca_cert_file /root/ipa.cer -ext_ca_cert_chain_file /root/CACert.cer -clone false' returned non-zero exit status 255
>>>>>> Configuration of CA failed
>>>>>>
>>>>>> [root@lnxrealmtest01 ~]# tail /var/log/ipaserver-install.log
>>>>>>   File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 617, in configure_instance
>>>>>>     self.start_creation(runtime=210)
>>>>>>   File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation
>>>>>>     method()
>>>>>>   File "/usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py", line 879, in __configure_instance
>>>>>>     raise RuntimeError('Configuration of CA failed')
>>>>>> 2013-07-19T17:02:51Z INFO The ipa-server-install command failed, exception: RuntimeError: Configuration of CA failed
Re: [Freeipa-users] external CA install problem
On 07/25/2013 06:53 PM, Armstrong, Kenneth Lawrence wrote:
> On Thu, 2013-07-25 at 11:51 -0400, Rob Crittenden wrote:
>> Armstrong, Kenneth Lawrence wrote:
>>> On Thu, 2013-07-25 at 16:22 +0200, Martin Kosek wrote:
>>>> On 07/25/2013 04:06 PM, Armstrong, Kenneth Lawrence wrote:
>>>>> On Fri, 2013-07-19 at 17:44 -0400, Dmitri Pal wrote:
>>>>>> On 07/19/2013 01:11 PM, Armstrong, Kenneth Lawrence wrote:
>>>>>>> I'm trying to install an IPA server using an external CA. I ran the ipa-server-install --external-ca command, and got my cert signed by our on-site CA. So then I go back to install using my certs:
>>>>>>>
>>>>>>> ipa-server-install --external_cert_file=/root/ipa.cer --external_ca_file=/root/CACert.cer
>>>>>>>
>>>>>>> I get this for output:
>>>>>>>
>>>>>>> Configuring certificate server (pki-cad): Estimated time 3 minutes 30 seconds
>>>>>>> [1/20]: creating certificate server user
>>>>>>> [2/20]: configuring certificate server instance
>>>>>>> ipa : CRITICAL failed to configure ca instance Command '/usr/bin/perl /usr/bin/pkisilent ConfigureCA -cs_hostname lnxrealmtest01.liberty.edu -cs_port 9445 -client_certdb_dir /tmp/tmp-cQZB3x -client_certdb_pwd -preop_pin nio5yPeVonEn0tWotyjC -domain_name IPA -admin_user admin -admin_email root@localhost -admin_password -agent_name ipa-ca-agent -agent_key_size 2048 -agent_key_type rsa -agent_cert_subject CN=ipa-ca-agent,O=LNXREALMTEST.LIBERTY.EDU -ldap_host lnxrealmtest01.liberty.edu -ldap_port 7389 -bind_dn cn=Directory Manager -bind_password -base_dn o=ipaca -db_name ipaca -key_size 2048 -key_type rsa -key_algorithm SHA256withRSA -save_p12 true -backup_pwd -subsystem_name pki-cad -token_name internal -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_subsystem_cert_subject_name CN=CA Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_ocsp_cert_subject_name CN=OCSP Subsystem,O=LNXREALMTEST.LIBERTY.EDU -ca_server_cert_subject_name CN=lnxrealmtest01.liberty.edu,O=LNXREALMTEST.LIBERTY.EDU -ca_audit_signing_cert_subject_name CN=CA Audit,O=LNXREALMTEST.LIBERTY.EDU -ca_sign_cert_subject_name CN=Certificate Authority,O=LNXREALMTEST.LIBERTY.EDU -external true -ext_ca_cert_file /root/ipa.cer -ext_ca_cert_chain_file /root/CACert.cer -clone false' returned non-zero exit status 255
>>>>>>> Configuration of CA failed
>>>>>>>
>>>>>>> [root@lnxrealmtest01 ~]# tail /var/log/ipaserver-install.log
>>>>>>> File /usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py, line 617, in configure_instance
>>>>>>> self.start_creation(runtime=210)
>>>>>>> File /usr/lib/python2.6/site-packages/ipaserver/install/service.py, line 358, in start_creation
>>>>>>> method()
>>>>>>> File /usr/lib/python2.6/site-packages/ipaserver/install/cainstance.py, line 879, in __configure_instance
>>>>>>> raise RuntimeError('Configuration of CA failed')
>>>>>>> 2013-07-19T17:02:51Z INFO The ipa-server-install command failed, exception: RuntimeError: Configuration of CA failed
Re: [Freeipa-users] --external-ca is a bit confusing.
On 02/20/2013 10:20 PM, Kendrick . wrote:
> I am trying to get cacert to sign the csr. I have tried searching about it and can't figure out what is what. Some information I have found suggests it won't be possible. When I go to get the csr signed I get:
>
> The following hostnames were rejected because the system couldn't link them to your account, if they are valid please verify the domains against your account.
> Rejected: Certificate Authority
> https://www.cacert.org/account.php?id=7newdomain=Certificate%20Authority
>
> I would prefer my certificates to be valid on the internet as some of the user certs would be used to sign emails and such. Any advice would be appreciated.
>
> ___
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

Can you please be more specific about what you are doing? The linking to the external CA is a one-time operation during the initial installation. If you want to use the IPA as a subordinate CA you need to specify a flag during installation (it seems that you are doing that based on the comments above). The installation will stop, indicating that you need to take the CSR and have it signed by the external CA. So you should take the CSR and sign it. Then you present the result back to IPA and continue the installation.

Based on the description above it is not clear which step is failing.

--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] --external-ca is a bit confusing.
It is part of my initial setup. I copied the ipa.csr into cacert's signing system so that the certificates would be valid outside of my local domain, and it errors because the host information said "Certificate Authority" instead of the host name, if I understand that error message properly. I am trying to get the csr to provide all the information needed by cacert's free signing service. I was expecting to be able to use the user certificates that FreeIPA makes to sign emails and such that would go externally.

From: Dmitri Pal dpal redhat com
To: freeipa-users redhat com
Subject: Re: [Freeipa-users] --external-ca is a bit confusing.
Date: Thu, 21 Feb 2013 03:30:45 -0500

> On 02/20/2013 10:20 PM, Kendrick . wrote:
>> I am trying to get cacert to sign the csr. I have tried searching about it and can't figure out what is what. Some information I have found suggests it won't be possible. When I go to get the csr signed I get:
>>
>> The following hostnames were rejected because the system couldn't link them to your account, if they are valid please verify the domains against your account.
>> Rejected: Certificate Authority
>> https://www.cacert.org/account.php?id=7newdomain=Certificate%20Authority
>>
>> I would prefer my certificates to be valid on the internet as some of the user certs would be used to sign emails and such. Any advice would be appreciated.
>
> Can you please be more specific about what you are doing? The linking to the external CA is a one-time operation during the initial installation. If you want to use the IPA as a subordinate CA you need to specify a flag during installation (it seems that you are doing that based on the comments above). The installation will stop, indicating that you need to take the CSR and have it signed by the external CA. So you should take the CSR and sign it. Then you present the result back to IPA and continue the installation.
>
> Based on the description above it is not clear which step is failing.
>
> --
> Thank you,
> Dmitri Pal
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
Re: [Freeipa-users] --external-ca is a bit confusing.
On 02/21/2013 07:23 PM, Kendrick . wrote:
> It is part of my initial setup. I copied the ipa.csr into cacert's signing system so that the certificates would be valid outside of my local domain, and it errors because the host information said "Certificate Authority" instead of the host name, if I understand that error message properly. I am trying to get the csr to provide all the information needed by cacert's free signing service. I was expecting to be able to use the user certificates that FreeIPA makes to sign emails and such that would go externally.

The CA will only sign a cert for a domain registered to you. To see what domain the CSR is for, dump its contents using openssl, for example:

openssl req -in ipa.csr -noout -text

Does the CN in the subject match the domain you registered with cacert.org? If not, it's not going to sign it.

But wait, there's more. You're not just asking cacert to sign a plain cert; you're asking it to sign a CA cert, effectively creating a sub-CA of cacert. That means with that cert you can issue new certs and cacert will vouch for them, but of course they can't control who you're issuing certs to, which is a significant security issue. This FAQ entry from cacert will help clarify: http://wiki.cacert.org/SubRoot

--
John Dennis jden...@redhat.com
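A check along the lines of John's openssl suggestion, added here as an example script that is not from the thread: it dumps a CSR's subject CN and basicConstraints and refuses the combination cacert rejected, a CN that is not a hostname together with a CA:TRUE request. It assumes openssl 1.1.1 or later is installed; the two CSRs it builds (O=EXAMPLE.TEST, ipa.example.test) are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: inspect a CSR the way John
# suggests (openssl req -text) and flag the two things that made cacert
# reject ipa.csr: a CN that is not a hostname, and a CA:TRUE request.
# Assumes openssl 1.1.1+ (needed for -addext) is installed.

# csr_check FILE: prints "CN=<cn> ca=<yes|no>"; returns 0 only when the
# CSR looks like something a public CA could sign (DNS-style CN, no CA bit).
csr_check() {
    csr="$1"
    cn=$(openssl req -in "$csr" -noout -subject |
         sed -n 's|.*CN *= *\([^,/]*\).*|\1|p')
    if openssl req -in "$csr" -noout -text | grep -q 'CA:TRUE'; then
        ca=yes
    else
        ca=no
    fi
    echo "CN=$cn ca=$ca"
    case "$cn" in
        *.*) hostlike=yes ;;   # contains a dot: looks like a DNS name
        *)   hostlike=no ;;
    esac
    if [ "$hostlike" = yes ] && [ "$ca" = no ]; then
        return 0
    fi
    return 1
}

# make_csr OUT CN yes|no: build a constructed demo CSR, with or without a
# basicConstraints CA:TRUE request (a sub-CA CSR carries CA:TRUE).
make_csr() {
    out="$1"; cn="$2"; ca="$3"
    key=$(mktemp)
    if [ "$ca" = yes ]; then
        openssl req -new -newkey rsa:2048 -nodes -keyout "$key" \
            -subj "/O=EXAMPLE.TEST/CN=$cn" \
            -addext "basicConstraints=critical,CA:TRUE" -out "$out" 2>/dev/null
    else
        openssl req -new -newkey rsa:2048 -nodes -keyout "$key" \
            -subj "/O=EXAMPLE.TEST/CN=$cn" -out "$out" 2>/dev/null
    fi
    rm -f "$key"
}

# Usage: compare a sub-CA CSR (what --external-ca produces) with a host CSR.
d=$(mktemp -d)
make_csr "$d/ca.csr" "Certificate Authority" yes
make_csr "$d/host.csr" "ipa.example.test" no
csr_check "$d/ca.csr"   || echo "ca.csr: a public CA will refuse this"
csr_check "$d/host.csr" && echo "host.csr: signable as a host cert"
rm -rf "$d"
```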
[Freeipa-users] --external-ca is a bit confusing.
I am trying to get cacert to sign the csr. I have tried searching about it and can't figure out what is what. Some information I have found suggests it won't be possible. When I go to get the csr signed I get:

The following hostnames were rejected because the system couldn't link them to your account, if they are valid please verify the domains against your account.
Rejected: Certificate Authority
https://www.cacert.org/account.php?id=7newdomain=Certificate%20Authority

I would prefer my certificates to be valid on the internet as some of the user certs would be used to sign emails and such. Any advice would be appreciated.