Hi,

On Thu, Oct 12, 2023 at 9:58 AM Frederic Ayrault via FreeIPA-users <[email protected]> wrote:
> Hello,
>
> On 12/10/2023 at 09:42, Florence Blanc-Renaud wrote:
> > Hi,
> >
> > So far it doesn't look like there was an IPA embedded CA signed by the
> > external intermediate CA. Can you check the HTTP and LDAP server
> > certificates with certutil? I would like to check who issued them.
> > Since it's IPA 4.6.8, the HTTP cert is stored in /etc/httpd/alias. Find
> > its nickname with
> > # certutil -L -d /etc/httpd/alias/ | grep "u,u,u"
> > *Server-Cert* u,u,u
>
> IPA3 u,u,u
>
> > Then get the subject and issuer from the certificate:
> > # certutil -L -d /etc/httpd/alias/ -n *Server-Cert* | egrep "Issuer:|Subject:"
>
> Issuer: "CN=CNRS2-Standard,O=CNRS,C=FR"
> Subject: "[email protected],CN=ipa3.lix.polytechnique.fr,
> Issuer:
>
> > For the LDAP server, same steps but at a different location:
> > # certutil -L -d /etc/dirsrv/slapd-LIX-POLYTECHNIQUE-FR/ | grep "u,u,u"
> > *Server-Cert* u,u,u
> >
> > # certutil -L -d /etc/dirsrv/slapd-LIX-POLYTECHNIQUE-FR/ -n *Server-Cert* | egrep "Subject:|Issuer:"
>
> Issuer: "CN=CNRS2-Standard,O=CNRS,C=FR"
> Subject: "[email protected],CN=ipa3.lix.polytechnique.fr,
> Issuer:
>
> > If the issuer is an external CA, it's likely that your IPA deployment was
> > installed CA-less.
>
> Sorry, I misunderstood "external CA".
> Now if I am right, I am using an external CA to get certs, but this CA is
> not installed on the server.
>
> How can I install an internal CA in a CA-less server?
>
> > The output of ipa config-show would also show if there was a server
> > installed with a CA.
> Sorry it is in French

No problem :)

> Longueur maximale du nom d'utilisateur: 32
> Base du répertoire utilisateur: /users
> Interpréteur de commande par défaut: /bin/bash
> Groupe utilisateur par défaut: ipausers
> Domaine par défaut pour les courriels: lix.polytechnique.fr
> Limite de temps d'une recherche: 2
> Limite de taille d'une recherche: 1000
> Champs de recherche utilisateur: uid,givenname,sn,telephonenumber,ou,title
> Champs de recherche de groupe: cn,description
> Activer le mode migration: TRUE
> Base de sujet de certificat: O=LIX.POLYTECHNIQUE.FR
> Notification d'expiration de mot de passe (jours): 4
> Fonctionnalités du greffon mots de passe: AllowNThash
> Ordre de la mappe des utilisateurs SELinux: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
> Utilisateur SELinux par défaut: unconfined_u:s0-s0:c0.c1023
> Types de PAC par défaut: MS-PAC, nfs:NONE
> Maîtres IPA: ipa3.lix.polytechnique.fr
> Serveurs NTP IPA: ipa3.lix.polytechnique.fr
> Maître de renouvellement d'AC IPA: ipa3.lix.polytechnique.fr

If I recap everything so far:
- there is a single server, ipa3.lix.polytechnique.fr
- it was installed CA-less, with http and ldap certificates issued by an external CA (C=FR, O=CNRS, CN=CNRS2-Standard), which is an intermediate CA, signed by the root CA (C=FR, O=CNRS, CN=CNRS2)

Your goal is to "replace our external CA to an Internal one", do you mean that you want IPA to act as a certificate authority, or use a different CA authority instead of C=FR, O=CNRS, CN=CNRS2-Standard?
flo

> flo
>
> Thank you
>
> Regards,
>
> Frederic
_______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
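The issuer check Florence walks through above is easy to script so the same test can be applied to both NSS databases and the answer (embedded IPA CA or external CA) is explicit rather than read by eye. The following is an added example written for this page, not a script from the thread or from the FreeIPA project: it parses the `Issuer:` line of a `certutil -L -n <nickname>` dump and compares it against the subject the embedded IPA CA uses, `CN=Certificate Authority,<subject base>`, with the subject base `O=LIX.POLYTECHNIQUE.FR` taken from the `ipa config-show` output in the thread. The two certutil dumps embedded below are constructed samples, not real certificates.

```shell
#!/bin/sh
# Added example, not from the thread: decide whether a server certificate in an IPA NSS
# database was issued by the embedded IPA CA or by an external CA, from the Issuer line
# that `certutil -L -d <dbdir> -n <nickname>` prints. The sample output below is
# constructed to resemble the thread's certutil output (no real certificate is read).

# Certificate subject base reported by `ipa config-show` (O=LIX.POLYTECHNIQUE.FR in the
# thread). An IPA-embedded CA has the subject "CN=Certificate Authority,<subject base>".
IPA_SUBJECT_BASE="O=LIX.POLYTECHNIQUE.FR"

# Read certutil output on stdin and print the first Issuer DN (the text between quotes).
issuer_of() {
    sed -n 's/^[[:space:]]*Issuer: "\(.*\)"[[:space:]]*$/\1/p' | head -n 1
}

# Exit status 0 when the DN is the embedded IPA CA, 1 otherwise.
is_ipa_issued() {
    case "$1" in
        "CN=Certificate Authority,$IPA_SUBJECT_BASE") return 0 ;;
        *) return 1 ;;
    esac
}

# Classify a certutil dump passed as one string: prints "ipa", "external" or "unknown".
classify() {
    issuer=$(printf '%s\n' "$1" | issuer_of)
    if [ -z "$issuer" ]; then
        echo unknown
    elif is_ipa_issued "$issuer"; then
        echo ipa
    else
        echo external
    fi
}

# Constructed sample: what the thread's HTTP Server-Cert dump looks like (CA-less install,
# issuer is the external CNRS2-Standard intermediate CA).
SAMPLE_EXTERNAL='Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: "CN=CNRS2-Standard,O=CNRS,C=FR"
        Subject: "CN=ipa3.lix.polytechnique.fr,O=LIX.POLYTECHNIQUE.FR"'

# Constructed sample: the same certificate as it would look on a server installed with a CA.
SAMPLE_IPA='Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: "CN=Certificate Authority,O=LIX.POLYTECHNIQUE.FR"
        Subject: "CN=ipa3.lix.polytechnique.fr,O=LIX.POLYTECHNIQUE.FR"'

# Stand-alone run: classify both samples.
echo "HTTP sample: $(classify "$SAMPLE_EXTERNAL")"
echo "IPA-CA sample: $(classify "$SAMPLE_IPA")"

# Live use on the IPA 4.6 server (needs certutil; database paths are the ones from the thread):
#   classify "$(certutil -L -d /etc/httpd/alias/ -n Server-Cert)"
#   classify "$(certutil -L -d /etc/dirsrv/slapd-LIX-POLYTECHNIQUE-FR/ -n Server-Cert)"
```

On a live server, replace the samples with the output of the two certutil commands from the thread; "external" for both the HTTP and LDAP certificates is consistent with a CA-less installation, while "unknown" means the nickname did not resolve to a certificate and the `grep "u,u,u"` step should be repeated.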
