Good morning,

> if you run "ipa-cacert-manage install -t CT,C,C /path/to/newrootca.pem",
> the new root CA will be loaded in the LDAP server with the right trust
> flags. Then "ipa-certupdate" will download it from the LDAP server and put
> it into all the relevant NSS databases / files with the right trust flags.

I tried to run ipa-cacert-manage install -t CT,C,C /path/to/newrootca.pem but I 
got:
Not a valid CA certificate: (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate 
issuer has been marked as not trusted by the user.

I don't have any pem file. I use the crt; is it ok?


> There is no real need to remove the old CA certs, even if they expired. But
> if you really want to clean up things, you need to remove them from the
> LDAP server. They are located in cn=certificates,cn=ipa,cn=etc,$BASEDN and
> you will need to find the right LDAP entry/entries and delete them with
> ldapdelete.

The certificates that I'm trying to remove are not old ones but new ones that I 
didn't create correctly.

One was from March 4th and does not overlap the old one.
One was from March 1st but with wrong extensions.

I tried to use ldapsearch but I need more time to fully understand how it works 
since it's the first time I'm using it.


> Which "old certificate" are you referring to? Are you accessing IPA at
> https://<hostname>/ipa/ui or accessing a service deployed on your client
> and protected by the client certificate?

I'm accessing a service on my client. I was able to renew its certificates but 
it's still showing me the old certificate chain in Firefox and Chrome. At 
least the LDAP is working since we can now connect users to the service.

See getcert list output on my client below:

> # getcert list
> Number of certificates and requests being tracked: 1.
> Request ID '20211130131728':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/httpd/nssdb',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/nssdb/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/httpd/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=QC.LRTECH.CA
>         subject: CN=client.qc.lrtech.ca,O=QC.LRTECH.CA
>         expires: 2024-03-16 13:17:47 UTC
>         dns: client.qc.lrtech.ca
>         principal name: HTTP/[email protected]
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes

See # certutil -L -d /etc/httpd/nssdb/ output below (bad root and IPA 
certificates, but good Server-Cert). Should I add my new root and IPA 
certificates manually?

> Certificate Nickname                          Trust Attributes
>                                               SSL,S/MIME,JAR/XPI
>
> LR Tech ROOT CA                               CT,C,C
> QC.LRTECH.CA IPA CA                           CT,C,C
> Server-Cert                                   u,u,u

See # certutil -L -d /etc/httpd/alias/ output below (old Server-Cert from 2021 
and example certificates):

> Certificate Nickname                          Trust Attributes
>                                               SSL,S/MIME,JAR/XPI
>
> cacert                                        CTu,Cu,Cu
> beta                                          u,pu,u
> alpha                                         u,pu,u
> Server-Cert                                   u,u,u

See # certutil -L -d /etc/ipa/nssdb/ output below (2 new and 2 old certificates; 
everything is ok but it was done manually):

> Certificate Nickname                          Trust Attributes
>                                               SSL,S/MIME,JAR/XPI
>
> [email protected],CN=LR Tech inc. ROOT CA,OU=Intranet,O=LR Tech inc.,L=Levis,ST=QC,C=CA          CT,C,C
> QC.LRTECH.CA IPA CA                           CT,C,C
> QC.LRTECH.CA IPA CA                           CT,C,C
> [email protected],CN=LR Tech inc. ROOT CA 2022,OU=Intranet,O=LR Tech inc.,L=Levis,ST=QC,C=CA     CT,C,C

/etc/pki/nssdb is empty
No /etc/dirsrv/SLAPD-XX/


Eric
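As an added example (not code from the thread or from the FreeIPA project), here is a small Python helper that parses `certutil -L` listings like the ones quoted above, reports which nicknames carry CA trust or an explicit distrust flag, and checks whether a certificate file is PEM or DER encoded (a `.crt` file may be either). The sample listing and the sample DER bytes are constructed for the demonstration.

```python
import base64
import re

# Constructed sample in the layout certutil -L prints (nickname, trust flags).
SAMPLE_LISTING = """\
Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

LR Tech ROOT CA                               CT,C,C
QC.LRTECH.CA IPA CA                           CT,C,C
Server-Cert                                   u,u,u
beta                                          u,pu,u
"""

# A nickname (may contain spaces) followed by three comma-separated NSS flag
# groups: C/T = trusted CA, c = valid CA, P = trusted peer, p = prohibited,
# u = certificate with its own private key. Header and blank lines never match.
ENTRY_RE = re.compile(r"^(?P<nick>\S.*?)\s+(?P<trust>[CTPcpuw]*,[CTPcpuw]*,[CTPcpuw]*)$")


def parse_listing(text):
    """Return [(nickname, (ssl, smime, jar)), ...] from certutil -L text."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.rstrip())
        if m:
            entries.append((m.group("nick"), tuple(m.group("trust").split(","))))
    return entries


def trusted_cas(entries):
    """Nicknames trusted to issue server (SSL) certificates: 'C' in the SSL column."""
    return [nick for nick, (ssl, _smime, _jar) in entries if "C" in ssl]


def prohibited(entries):
    """Nicknames explicitly distrusted ('p') in any column."""
    return [nick for nick, flags in entries if any("p" in f for f in flags)]


PEM_HEADER = b"-----BEGIN CERTIFICATE-----"


def cert_format(data):
    """'pem' if PEM armored, 'der' if it starts with an ASN.1 SEQUENCE tag, else 'unknown'."""
    if PEM_HEADER in data:
        return "pem"
    if data[:1] == b"\x30":
        return "der"
    return "unknown"


def der_to_pem(der):
    """Wrap DER bytes in PEM armor (64-column base64) for tools that expect a .pem file."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body
```

Feed it the real listing with `parse_listing(subprocess.check_output(["certutil", "-L", "-d", db]).decode())`; a root entry that is missing from `trusted_cas` is the one to look at first.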
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]