#2158 ipa-getcert NSSDB Should Include IPA CA
Closed: fixed 3 years ago by rcritten. Opened 12 years ago by jcape.

It's kind of a pain to use ipa-getcert with mod_nss because it isn't automatically adding the IPA CA certificate as a trusted CA, which means you can't use NSSEnforceValidCerts.

ipa-getcert should at least offer an option to install the IPA CA cert as a trusted CA when manipulating nssdbs.


Assuming the host is enrolling you can do:

certutil -A -n 'IPA CA' -d /etc/httpd/alias -t CT,C,C -a -i /etc/ipa/ca.crt

ipa-getcert ...

Opened an RFE against certmonger, https://bugzilla.redhat.com/show_bug.cgi?id=759545

Shouldn't this be a part of the ipa-client installation, to execute the command above after fetching the IPA cert during the installation?

ipa-client-install adds it to /etc/pki/nssdb

In this case he is requesting a new certificate for a different service, HTTP, which uses a separate NSS database.

Changing 3.2 priority

Metadata Update from @jcape:
- Issue assigned to rcritten
- Issue set to the milestone: Future Releases

7 years ago

This was fixed in certmonger. Add -a <dbdir> to install the IPA chain into the database.

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

3 years ago
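
A check that follows from the thread, as an added example that is not part of the ticket or of certmonger: it reads a `certutil -L` listing and reports whether a CA nickname carries the `C` flag (trusted to issue server certificates) in its SSL trust field. The listing is a constructed sample, and the function names `nss_trust_flags` and `ca_trusted_for_ssl` are hypothetical.

```shell
#!/bin/sh
# Added example: verify a CA nickname in an NSS database listing is trusted
# to issue SSL server certificates. Function names are hypothetical.

# Print the trust flags (e.g. "CT,C,C") for nickname $1 from a
# `certutil -L -d <dbdir>` listing on stdin. Nicknames may contain spaces,
# so the flags are taken as the last whitespace-separated field.
nss_trust_flags() {
    awk -v want="$1" '
        $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            flags = $NF
            line = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", line)   # drop the flags column
            sub(/^[ \t]+/, "", line)                # drop leading blanks
            if (line == want) { print flags; found = 1; exit }
        }
        END { exit (found ? 0 : 1) }
    '
}

# Succeed only if the SSL field (first of the three) contains "C".
# Fails when the nickname is absent or present without that trust.
ca_trusted_for_ssl() {
    flags=$(nss_trust_flags "$1") || return 1
    case "${flags%%,*}" in
        *C*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Constructed sample of `certutil -L -d /etc/httpd/alias` output.
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
IPA CA                                                       CT,C,C
Untrusted CA                                                 ,,
'

# Real use: certutil -L -d /etc/httpd/alias | ca_trusted_for_ssl 'IPA CA'
if printf '%s\n' "$SAMPLE_LISTING" | ca_trusted_for_ssl 'IPA CA'; then
    echo "IPA CA is present and trusted for SSL"
else
    echo "IPA CA is missing or not trusted for SSL"
fi
```

Run against a live database, a failing result means the CA still has to be added with the trust flags shown in the thread before certificate validation against it can succeed.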
