#6263 ipa-server-certinstall does not update all certificate stores and doesn't set proper trust permissions
Closed: Fixed None Opened 7 years ago by pvoborni.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1360813

Description of problem:

The tool ipa-server-certinstall can be used to install 3rd party certificates
for the IPA embedded httpd and ldap service.

The usage is outlined on this page (I already filed BZ #1360217 to get a proper
description into our IdM guide):


Here it says:

The certificate in mysite.crt must be signed by a CA known by the service you
are loading the certificate into. Or you must include the certificate chain
associated with the new certificate.

I recently encountered two issues when a PKCS#12 file is imported which has a
new CA certificate chain included, which is not already known to IPA:

1) The certificates from the PKCS#12 file are imported into the NSS DB of the
service for which the certificate is for (httpd and/or ldap) and the trust flag
is properly set for the new service certificate, but trust flags for the CA
certificates which are also part of the PKCS#12 file are not set at all. A
manual change using certutil was required.

2) While the CA certificates from the PKCS#12 file are imported into the NSS DB
of the http and/or ldap service, they are not imported into the tomcat-pki NSS
DB. As a result, tomcat fails to start when the ldap certificate has been
replaced and when it's signed by a CA which is not known to IPA. I would expect
that ipa-server-certinstall also updates this NSS DB. A manual import of the CA
certificates fixed the issue.

I found an old ticket which talks about the same issue and which has been
closed as FIXED, but I can still see the issues I outlined above in latest
RHEL-7.2 ipa package:


Version-Release number of selected component (if applicable):

How reproducible:
Create a new CSR for IPA httpd and have it signed by a CA which is not known to
IPA. Create a PKCS#12 file with the new certificate/key and add the full CA
certificate chain to the PKCS#12 file. Then import the file using

Steps to Reproduce:

Actual results:

Expected results:

Additional info:

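The two failure modes described in the report (CA chain entries imported with empty trust flags, and the chain missing from a second NSS database) can be checked after any certificate install. The following is an added Python example, not FreeIPA code and not part of the ticket: it parses the text output of `certutil -L -d <dbdir>` (NSS tools), lists chain entries that lack the `C` (trusted CA) SSL flag, lists entries absent from a database, and builds the `certutil -M` / `certutil -A` commands an administrator would run by hand. The nicknames, the two listings, and the `/etc/pki/pki-tomcat/alias` path are constructed sample data or assumptions, not values taken from the ticket.

```python
"""Audit NSS databases after a service certificate (plus CA chain) was installed.

Added example; parses `certutil -L` output. All sample listings below are
constructed, and database paths are assumptions.
"""
import re
import subprocess
from typing import Dict, List, Tuple

# A trust-attribute field is three comma-separated flag groups: "u,u,u" (private
# key present), "CT,C,C" (trusted CA), or ",," (no trust at all, as in issue 1).
TRUST_RE = re.compile(r"^([A-Za-z]*),([A-Za-z]*),([A-Za-z]*)$")


def parse_certutil_listing(text: str) -> Dict[str, Tuple[str, str, str]]:
    """Map nickname -> (SSL, S/MIME, JAR/XPI) flags from `certutil -L` text.

    Nicknames may contain spaces, so the line is split at its last space and
    the tail must look like a trust field; header lines fail that test.
    """
    certs: Dict[str, Tuple[str, str, str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        head, _, tail = line.rstrip().rpartition(" ")
        match = TRUST_RE.match(tail)
        if not match:
            continue  # "Certificate Nickname ... Trust Attributes" / "SSL,S/MIME,JAR/XPI"
        certs[head.strip()] = match.groups()  # type: ignore[assignment]
    return certs


def cas_without_trust(certs: Dict[str, Tuple[str, str, str]], chain: List[str]) -> List[str]:
    """Chain entries present in the DB whose SSL flags lack 'C' (issue 1)."""
    return [n for n in chain if n in certs and "C" not in certs[n][0]]


def cas_missing(certs: Dict[str, Tuple[str, str, str]], chain: List[str]) -> List[str]:
    """Chain entries that are not in the DB at all (issue 2, the pki-tomcat DB)."""
    return [n for n in chain if n not in certs]


def remediation_commands(dbdir: str, certs: Dict[str, Tuple[str, str, str]],
                         chain: List[str], pem_files: Dict[str, str]) -> List[str]:
    """certutil commands (strings only, nothing is executed) to fix the DB.

    `pem_files` maps a CA nickname to a PEM file holding that CA certificate.
    """
    cmds = []
    for n in cas_without_trust(certs, chain):
        cmds.append(f'certutil -M -d {dbdir} -n "{n}" -t "CT,C,C"')
    for n in cas_missing(certs, chain):
        cmds.append(f'certutil -A -d {dbdir} -n "{n}" -t "CT,C,C" -a -i "{pem_files[n]}"')
    return cmds


def list_nssdb(dbdir: str) -> str:
    """Run certutil against a real database (not used by the sample run below)."""
    return subprocess.run(["certutil", "-L", "-d", dbdir],
                          capture_output=True, text=True, check=True).stdout


# Constructed sample: httpd NSS DB right after a PKCS#12 with a third-party chain
# was installed; the chain arrived with no trust flags.
HTTPD_DB_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
Example Root CA                                              ,,
Example Issuing CA                                           ,,
EXAMPLE.COM IPA CA                                           CT,C,C
"""

# Constructed sample: the pki-tomcat DB (assumed path /etc/pki/pki-tomcat/alias),
# where the third-party chain was never imported.
TOMCAT_DB_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                                      u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
subsystemCert cert-pki-ca                                    u,u,u
"""

CHAIN = ["Example Root CA", "Example Issuing CA"]  # constructed nicknames
PEMS = {n: f"/root/chain/{n.replace(' ', '_')}.pem" for n in CHAIN}  # assumed paths


if __name__ == "__main__":
    for dbdir, listing in (("/etc/httpd/alias", HTTPD_DB_LISTING),
                           ("/etc/pki/pki-tomcat/alias", TOMCAT_DB_LISTING)):
        certs = parse_certutil_listing(listing)
        print(f"{dbdir}: untrusted={cas_without_trust(certs, CHAIN)} "
              f"missing={cas_missing(certs, CHAIN)}")
        for cmd in remediation_commands(dbdir, certs, CHAIN, PEMS):
            print("   ", cmd)
```

On a live server you would replace the embedded listings with `list_nssdb(dbdir)` for each database the service certificate touches; the emitted commands are only suggestions to review, since the script never modifies a database itself.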

  • 0c4a913 Add cert checks in ipa-server-certinstall


  • f32e683 Add cert checks in ipa-server-certinstall

Metadata Update from @pvoborni:
- Issue assigned to frenaud
- Issue set to the milestone: FreeIPA 4.4.3

6 years ago
