On Fri, Mar 11, 2022 at 09:59:48PM -0800, Tyrell Jentink via FreeIPA-users wrote:
> I am primarily a Linux admin, and this might be a Windows problem... In
> fact, this might not even be the right forum for me to be asking this
> question, but I don't know which Windows forum would give me the time of
> day, so I'm here... I might also try some Windows Reddit groups... :p The
> following domain names are obscured to protect the wicked; I know not to
> use fake domains ;)
> 
> I have an IPA server called dc.domain.local, an ActiveDirectory Directory
> Server called pdc.win.domain.local, and an ActiveDirectory Certificate
> Server called pki.win.domain.local.  I am trying to configure the ADDS as a
> subdomain of the IPA domain. I am using A and NS Records to delegate the
> subdomain name. I am NOT attempting to create an interforest trust between
> these two domains at this time (Although, as an aside, there will
> eventually be another IPA server at pdc.lin.rxrhouse.net for subdomain
> lin.domain.local, and THAT one will have an interforest trust with
> win.rxrhouse.net; If IPA-IPA Trusts ever become a "thing", the top domain
> will get trusts to both subdomains, but for now, pki.win.domain.local only
> needs to 1) have a signed subordinate certificate from dc.domain.local, and
> 2) run). As I have been able to get it, ADCS seems to be installed with a
> signed cert, but it won't run.
> 
> I installed ADCS as an Enterprise Subordinate CA; Based on
> https://frasertweedale.github.io/blog-redhat/posts/2017-08-14-ad-cs.html, I
> added win.domain.local as a host principal on IPA. I used that principal to
> sign the CSR, which worked fine. I installed that certificate back to AD.
> AD prompted for the Root Certificate, which I provided, and AD warned that
> it couldn't verify the chain of trust because it couldn't contact a CRL.
> 
Hi Tyrell,

The blog post you linked is about the opposite thing you said you
are trying to do.  That post is about installing FreeIPA CA as a
subordinate of an AD-CS CA.  But you are talking about the opposite
thing - AD-CS as a subordinate of IPA.

I'd suggest sharing the certificate itself, so we can inspect it
and try to identify the problem, and also sharing the exact steps on the
IPA side that you used to create the certificate profile, create the
CSR, and issue the certificate.

Thanks,
Fraser

> But now ADCS won't start... Every time I try to start it, it complains,
> again, that it can't reach a CRL.
> 
> In Windows Server Manager, in Certificate Authority manager (CertSrv),
> right click on the CA tree, under Properties... I see that all of the CRL
> Distribution Points (CDPs) and AIAs are their default, non-configured
> forms... It's my crude guess that I need to be pointing those values to
> IPA? The example is of the form
> http://<ServerDNSName>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl,
> if that hint prompts anyone's thinking...
> 
> Even if you have a suggestion of another forum to ask this on, I'm all
> ears. Thank you for your assistance!
> 
> -- 
> Tyrell Jentink

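The inspection Fraser suggests can start from the certificates alone. The following is an added example, not part of this thread: it builds a constructed root CA and subordinate CA certificate with placeholder CDP/AIA URLs, lists the URLs a relying party such as the Windows CA service would try to fetch, and verifies the chain with and without CRL checking. It assumes openssl is on PATH.

```shell
#!/bin/sh
# Added example, not from the thread: a constructed root CA (standing in for
# the IPA CA) and a subordinate CA cert (standing in for the AD CS sub CA) with
# placeholder CDP/AIA URLs. Assumes openssl in PATH.
set -eu
WORK=$(mktemp -d)

# Constructed self-signed root, standing in for the IPA CA at dc.domain.local.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

# Constructed CSR for the subordinate CA (the AD CS role at pki.win.domain.local).
openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Sub CA" \
  -keyout "$WORK/sub.key" -out "$WORK/sub.csr" 2>/dev/null

# Extensions the issuing CA should put on a sub-CA certificate. The CDP and AIA
# URLs are placeholders; they are what the Windows CA service tries to fetch.
cat > "$WORK/sub.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
crlDistributionPoints=URI:http://ipa-ca.example.test/ipa/crl/MasterCRL.bin
authorityInfoAccess=caIssuers;URI:http://ipa-ca.example.test/ipa/ca.crt
EOF

openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 30 -extfile "$WORK/sub.ext" -out "$WORK/sub.pem" 2>/dev/null

# List every CDP/AIA URL embedded in a certificate, one per line. On a real
# cert these are the addresses behind the "cannot contact a CRL" message.
cert_urls() {
  openssl x509 -in "$1" -noout -text | grep -o 'URI:[^ ,]*' | sed 's/^URI://'
}

# Chain check without revocation: passes when the sub CA really was signed by
# the root in hand.
chain_ok() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/sub.pem" >/dev/null 2>&1
}

# Same check with CRL enforcement: fails until the issuer's CRL is available
# locally, which is the condition AD CS is reporting.
chain_ok_with_crl() {
  openssl verify -crl_check -CAfile "$WORK/root.pem" "$WORK/sub.pem" >/dev/null 2>&1
}

echo "URLs in sub CA cert:"; cert_urls "$WORK/sub.pem"
chain_ok && echo "chain verifies without CRL check"
chain_ok_with_crl || echo "chain fails with -crl_check: no CRL for the issuer"
```

Run the same `cert_urls` against the real subordinate certificate to see which host the Windows CA is trying to reach, and place a current CRL for the issuer next to the root before re-running the `-crl_check` form.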
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure