#4466 PKI instructions should specify blank database password.
Closed: Fixed None Opened 5 years ago by bnordgren.

Instructions to request a certificate from FreeIPA will only work if the user creates a cert database with a blank password. This should be stressed.

Instructions in question are here: http://www.freeipa.org/page/PKI#Automated_certificate_requests_with_Certmonger

The third step, "certutil -N -d ." should have some annotation that the user will be prompted for a password and it must be left blank.

If the user puts in a password, step 6 ("ipa-getcert request ...") will fail to create a certificate. The status of the request (via ipa-getcert list) will be listed as "stuck".

I can fix this given I wrote this HOWTO.

I updated the HOWTO and:

  1. Changed the directory to /etc/httpd/nssdb to avoid clashes with FreeIPA + practice setting the right SELinux context.
  2. Structured the steps better + added info about how to use encrypted databases (it IS possible, it just needs to be properly configured).

Metadata Update from @bnordgren:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 4.0.2

3 years ago
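
A diagnostic for the failure described in this ticket, added here as an example and not taken from the HOWTO or the FreeIPA project: it reads `ipa-getcert list` output and reports requests that are stuck on an NSS database with no PIN recorded. The sample listing, request IDs and state name are constructed, and the field layout is assumed to match certmonger's usual listing.

```shell
#!/bin/sh
# Constructed sample of `ipa-getcert list` output (not captured from a real host).
# First request: database was given a password but no PIN was supplied.
# Second request: healthy, PIN file recorded.
sample_list() {
cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20140801000001':
    status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/httpd/nssdb',nickname='Server-Cert'
    certificate: type=NSSDB,location='/etc/httpd/nssdb',nickname='Server-Cert'
Request ID '20140801000002':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
EOF
}

# Reads a getcert listing on stdin and prints "<request id> <status> <db dir>"
# for every request that is stuck, stored in an NSS database, and has neither
# a PIN file nor a PIN recorded.
stuck_without_pin() {
    awk -v q="'" '
        function report() {
            if (id != "" && stuck == "yes" && nssdb && !pin)
                printf "%s %s %s\n", id, status, loc
        }
        /^Request ID/ {
            report()
            id = $3; gsub("[" q ":]", "", id)
            status = ""; stuck = ""; nssdb = 0; pin = 0; loc = ""
            next
        }
        { sub(/^[ \t]+/, "") }          # drop indentation, fields are re-split
        /^status:/ { status = $2 }
        /^stuck:/  { stuck = $2 }
        /^key pair storage:/ {
            nssdb = ($0 ~ /type=NSSDB/)
            pin   = ($0 ~ /pinfile=|pin set/)
            if (match($0, "location=" q "[^" q "]*" q))
                loc = substr($0, RSTART + 10, RLENGTH - 11)
        }
        END { report() }
    '
}

sample_list | stuck_without_pin
```

On a real host, pipe `ipa-getcert list` into `stuck_without_pin`; a reported request needs either a database created with a blank password or a PIN file supplied through the request's `-p` option.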
