Andrea Bontempi wrote:
Ok, this is funny:
-----------------------------------------------------------------------------------------------------
[root@dbm13 ca_rotta]# certutil -d sql:[nss db] -K
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and
Certificate Services"
Enter Password or Pin for "NSS Certificate DB":
< 0> rsa [hidden] ipa-ca-agent
-----------------------------------------------------------------------------------------------------
The sub-ca doesn't have the private key. This is ridiculous... FreeIPA gave me
the CSR...
When I try to validate "ipa-ca-agent" with certutil I get this error:
"Peer's certificate issuer is not recognized"
(obvious if the certificate issuer does not have the private key)
This is incorrect. To validate a certificate you only need the CA public
keys, not the private ones. Only having the ipa-ca-agent key is right.
This is a temporary database, not the CA database. We are using this
cert to request some information about itself from the CA in this case.
I think there is an issue with one of the CA certs but I've yet to
duplicate it or identify what is wrong. I'm still waiting on word back
from one of the NSS devs.
rob
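Rob's point above, demonstrated as an added example that is not part of the thread: it uses the openssl CLI instead of NSS certutil, builds a throwaway CA and leaf (all names constructed), and shows that a directory holding only the CA's public certificate is enough to validate the leaf, while having no trusted issuer cert at all reproduces an "issuer not recognized" style failure. It assumes a POSIX shell with openssl 1.1.0 or later on PATH.

```shell
#!/bin/sh
# Added example (not from the thread). Shows that chain validation needs only
# the issuer's public certificate; the CA private key is never consulted.
# Assumes openssl >= 1.1.0 on PATH. Names and subjects below are constructed.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# 1. Throwaway CA: private key plus self-signed cert (stand-in for the IPA CA).
openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Example Test CA" -keyout ca.key -out ca.crt >/dev/null 2>&1

# 2. Leaf key and CSR, signed by the CA (stand-in for ipa-ca-agent).
openssl req -newkey rsa:2048 -nodes -subj "/CN=ipa-ca-agent" \
    -keyout agent.key -out agent.csr >/dev/null 2>&1
openssl x509 -req -in agent.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 1 -out agent.crt >/dev/null 2>&1

# 3. A "temporary database": only the CA's public cert and the agent's own
#    key/cert, mirroring the certutil -K output in the thread. ca.key is
#    deliberately NOT copied here.
mkdir tmpdb
cp ca.crt agent.crt agent.key tmpdb/

# Returns 0 when agent.crt validates against the public CA cert alone.
verify_with_public_ca() {
    openssl verify -CAfile tmpdb/ca.crt tmpdb/agent.crt >/dev/null 2>&1
}

# Returns non-zero: with no trusted issuer cert, openssl reports
# "unable to get local issuer certificate", the analogue of NSS's
# "Peer's certificate issuer is not recognized".
verify_without_ca() {
    openssl verify -no-CAfile -no-CApath tmpdb/agent.crt >/dev/null 2>&1
}

if verify_with_public_ca; then echo "valid: CA public cert was sufficient"; fi
if ! verify_without_ca; then echo "rejected: issuer cert not available"; fi
```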
_______________________________________________
Freeipa-users mailing list
https://www.redhat.com/mailman/listinfo/freeipa-users