Hello, list,
Our FreeIPA is 4.9.8 and the domain is wingon.hk. Initially, we installed an
external CA and certificates by following this link:
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
and it works fine.
The certificate expired on Aug 03 22:16:17 2023. We want to replace the
certificate of HTTP only, because unlike Mod_NSSDB, it's easy to install by
placing two files, PEM and key.
And we plan to replace the external certificate of dirsrv with a self-signed one.
=== httpd ===
# certutil -d /etc/httpd/alias/ -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
WINGON.HK IPA CA CT,C,C
Go Daddy Secure Certificate Authority - G2 - GoDaddy.com, Inc. CT,C,C
Go Daddy Root Certificate Authority - G2 - The Go Daddy Group, Inc. CT,C,C
Go Daddy Class 2 Certification Authority - The Go Daddy Group, Inc. CT,C,C
Server-Cert u,u,u
# certutil -d /etc/httpd/alias/ -n Server-Cert -L
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
08:5c:79:e8:d9:7d:6a:b4
Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: "CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US"
Validity:
Not Before: Sat Jul 02 22:16:17 2022
Not After : Thu Aug 03 22:16:17 2023
Subject: "CN=*.wingon.hk"
====
So is Server-Cert of HTTP used? It does not matter, because we can still log in
on the web, since we replaced the cert and key already. Can we remove this one?
=== dirsrv ===
===> /etc/dirsrv/slapd-WINGON-HK/
# certutil -d /etc/dirsrv/slapd-WINGON-HK/ -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
CN=*.wingon.hk u,u,u
WINGON.HK IPA CA CT,C,C
OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US C,,
CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US C,,
NSS Certificate DB:NSS Certificate DB:CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US C,,
# certutil -d /etc/dirsrv/slapd-WINGON-HK/ -L -n 'CN=*.wingon.hk'
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
08:5c:79:e8:d9:7d:6a:b4
Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: "CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US"
Validity:
Not Before: Sat Jul 02 22:16:17 2022
Not After : Thu Aug 03 22:16:17 2023
Subject: "CN=*.wingon.hk"
=========
As you can see, it's expired already. How can we replace this with a self-signed one?
I used:
certutil -d /etc/dirsrv/slapd-SAP-WINGON-HK/ -n Server-Cert -D
ipa-getcert request -d /etc/dirsrv/slapd-WINGON-HK/ -n 'CN=*.wingon.hk' -K ldap/`hostname` -N CN=`hostname`,O=WINGON.HK -g 2048 -p /etc/dirsrv/slapd-WINGON-HK/pwdfile.txt
But it failed.
Thanks for your help.
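One way to turn the certutil listings quoted above into a routine expiry check, as an added example that is not part of the original post: it parses the `certutil -d <db> -L` nickname table (picking the entries whose SSL trust contains `u`, i.e. the DB holds their private key, so they are the certs the service actually presents rather than CA entries) and the `Not After` line of a `certutil -L -n <nick>` dump. The sample input is constructed from the post; the timestamp parsing assumes certutil prints validity in GMT, which it does.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input: the dirsrv listing and cert dump quoted in the post.
SAMPLE_LISTING = r"""Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI
CN=*.wingon.hk                               u,u,u
WINGON.HK IPA CA                             CT,C,C
OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US C,,
"""
SAMPLE_DUMP = """Certificate:
    Data:
        Validity:
            Not Before: Sat Jul 02 22:16:17 2022
            Not After : Thu Aug 03 22:16:17 2023
        Subject: "CN=*.wingon.hk"
"""

# A listing row ends in three comma-separated trust-flag groups (SSL, S/MIME, JAR/XPI);
# the two header lines do not match this shape and are skipped automatically.
LISTING_RE = re.compile(r"^(?P<nick>.+?)\s+(?P<trust>[pPcCTuwW]*,[pPcCTuwW]*,[pPcCTuwW]*)\s*$")
# certutil prints validity in GMT, e.g. "Thu Aug 03 22:16:17 2023".
NOT_AFTER_RE = re.compile(r"Not After\s*:\s*(\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4})")


def key_backed_nicknames(listing: str) -> list:
    """Nicknames whose SSL trust has 'u': the DB holds the private key, so
    this is a server cert (the one to renew), not a CA certificate."""
    nicks = []
    for line in listing.splitlines():
        m = LISTING_RE.match(line)
        if m and "u" in m.group("trust").split(",")[0]:
            nicks.append(m.group("nick"))
    return nicks


def parse_not_after(dump: str) -> datetime:
    """Timezone-aware (UTC) expiry taken from a `certutil -L -n <nick>` dump."""
    m = NOT_AFTER_RE.search(dump)
    if not m:
        raise ValueError("no 'Not After' line in certutil output")
    return datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def renewal_status(dump: str, now_iso: str = None, warn_days: int = 30) -> str:
    """'expired', 'expiring' (within warn_days) or 'ok'; now_iso is an ISO 8601
    timestamp with zone (defaults to the current UTC time)."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    not_after = parse_not_after(dump)
    if now >= not_after:
        return "expired"
    return "expiring" if now + timedelta(days=warn_days) >= not_after else "ok"


if __name__ == "__main__":
    for nick in key_backed_nicknames(SAMPLE_LISTING):
        print(nick, renewal_status(SAMPLE_DUMP))  # prints: CN=*.wingon.hk expired
```

On a live server the two strings come from `certutil -d /etc/dirsrv/slapd-WINGON-HK/ -L` and `certutil -d /etc/dirsrv/slapd-WINGON-HK/ -L -n 'CN=*.wingon.hk'`; running this daily from cron or a monitoring check gives warning before the `Not After` date instead of after it.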
_______________________________________________
FreeIPA-users mailing list -- [email protected]