[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

Thu, 19 Mar 2020 02:56:13 -0700 

On Wed, Mar 18, 2020 at 10:42:52AM -0000, Hristina Marosevic wrote:
> > On Tue, Mar 17, 2020 at 02:17:06PM -0000, Hristina Marosevic wrote:
> > 
> > Hi,
> > 
> > about 'certificate_verification = no_verification', there is an issue
> > which was fixed by
> > https://pagure.io/SSSD/sssd/c/31ebf912d6426aea446b2bdae919d4e33b0c95be
> > but the fix is not in the build you are using. So better continue with
> > 'certificate_verification = no_ocsp'.
> > 
> > 
> > Please add all CA certificates to the NSS database /etc/pki/nssdb with
> > the help of the certutil command:
> > 
> >     certutil -A -n "CA cert nickname" -t C,C,C -i /path/to/CA_cert_file -d
> > /etc/pki/nssdb
> > 
> > each CA certificate should get an individual nickname. If your
> > CA_cert_file is in PEM format (with BEGIN CERTIFICATE and END
> > CERTIFICATE lines) you might need to add a '-a' option as well.
> > 
> > If there are still issues please send the strace output.
> > 
> > HTH
> > 
> > bye,
> > Sumit
> 
> 
> Hello, 
> 
> I just tried to add the certificates (intermediate and root CA) to the 
> database and I got the error: "certutil: function failed: 
> SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, 
> unsupported format." for each one.

Hi,

can you send the output of

    ls -al /etc/pki/nssdb

and

    certutil -L -d /etc/pki/nssdb -h all

bye,
Sumit

> 
> The confirugation in sssd is still not changed and no other step is executed 
> due to this error. I think it is important to solve this problem first, and 
> that this one is not related to the sssd configuration and option 
> certificate_verification in the config file. 
> Can you propose me a solution for this? 
> 
> 
> BR,
> Hristina
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org

Reply via email to