I was told the GoDaddy certs were just imported using certutil -a but in
looking at the certs the original certs were actually replaced. This is only in
/etc/dirsrv/slapd-REALM-COM:
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

GD_CA                                                        CT,C,C
NWF_GD                                                       u,u,u
The certs in /etc/dirsrv/slapd-PKI-CA are still the originals:
[root@ipa2-corp ~]# certutil -L -d /etc/dirsrv/slapd-PKI-IPA/
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

IPADOMAIN.COM IPA CA                                         CT,C,C
Server-Cert                                                  u,u,u
I am not even sure how this even works or if it can be fixed? Should/Can we go
back to using the original dogtag certs?
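An added example, not from this thread or from FreeIPA, of the check the two listings call for: a POSIX shell parser for `certutil -L` output that reports which nicknames carry the trusted-CA flag (`C` in the SSL slot) and compares two instance databases. It runs offline over constructed copies of the listings above; the live invocation in the last comment assumes certutil is installed and the standard /etc/dirsrv/slapd-<INSTANCE> layout.

```shell
#!/bin/sh
# Constructed stand-ins for `certutil -L -d <instance dir>` output, re-typed
# from the two listings in the thread so the check runs without an IPA server.
SAMPLE_REALM='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

GD_CA                                                        CT,C,C
NWF_GD                                                       u,u,u
'
SAMPLE_PKI='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

IPADOMAIN.COM IPA CA                                         CT,C,C
Server-Cert                                                  u,u,u
'

# Read a certutil -L listing on stdin and print the nicknames whose SSL trust
# slot carries "C" (trusted CA), one per line. Header lines are skipped because
# their last field is not a three-slot "a,b,c" trust string; nicknames may
# contain spaces, so the trust field is stripped from the end of the line.
ca_nicknames() {
  awk '
    $NF !~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ { next }
    {
      trust = $NF
      sub(/[ \t]+[^ \t]+[ \t]*$/, "")
      split(trust, slot, ",")
      if (slot[1] ~ /C/) print $0
    }'
}

# Compare the trusted-CA nicknames of two listings: prints "ok" and returns 0
# when they agree, else prints both sets and returns 1 (the thread's symptom:
# GD_CA in one instance database, the IPA CA in the other).
compare_ca_anchors() {
  a=$(printf '%s' "$1" | ca_nicknames | sort)
  b=$(printf '%s' "$2" | ca_nicknames | sort)
  if [ "$a" = "$b" ]; then
    echo ok
  else
    printf 'DIFF\n< %s\n> %s\n' "$a" "$b"
    return 1
  fi
}

# Live use on a server (assumed): certutil -L -d /etc/dirsrv/slapd-<INSTANCE> | ca_nicknames
compare_ca_anchors "$SAMPLE_PKI" "$SAMPLE_REALM" || true
```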
From: [email protected] [mailto:[email protected]] On Behalf Of Dmitri Pal
Sent: Wednesday, March 04, 2015 2:57 PM
To: [email protected]
Subject: Re: [Freeipa-users] Need to replace cert for ipa servers

On 03/04/2015 04:32 PM, sipazzo wrote:
Good afternoon, we have a freeipa 3.0.42 installation running on Red Hat 6.6
with a mix of rhel 5, rhel6 and Solaris clients. It was originally configured
with the built in dogtag certificate CA and then one of my co-workers added our
GoDaddy certificate to the certificate bundle. My understanding is this cert is
used for communication between the ipa servers as well as the clients are also
configured to trust the GoDaddy certificate. We recently had to get a new
GoDaddy cert so our old one is revoked. I need to figure out how to either
replace the existing revoked cert with the new one or add the new one to the
bundle and then remove the revoked certificate so as not to break anything.
Any help is appreciated. I am not strong with certificates so the more detail
you can give the better. Thank you.
You say it was running with the self signed IPA CA and then the GoDaddy cert was
added to the bundle. How was it added?
IPA does not use certs for communication between the instances. It uses
Kerberos. I am not sure the GoDaddy cert you added is even used in some way by
IPA.
It seems that your GoDaddy cert is an orthogonal trust so if you replaced the
main key pair then you just need to distribute your new GoDaddy cert to the
clients as you did in the first place.
--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project