Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1360813
Description of problem:
The tool ipa-server-certinstall can be used to install third-party certificates
for the IPA embedded httpd and ldap services.
The usage is outlined on this page (I already filed BZ #1360217 to get a proper
description into our IdM guide):
Here it says:
The certificate in mysite.crt must be signed by a CA known by the service you
are loading the certificate into. Or you must include the certificate chain
associated with the new certificate.
I recently encountered two issues when a PKCS#12 file is imported which has a
new CA certificate chain included, which is not already known to IPA:
1) The certificates from the PKCS#12 file are imported into the NSS DB of the
service the certificate is for (httpd and/or ldap) and the trust flag is
properly set for the new service certificate, but trust flags for the CA
certificates which are also part of the PKCS#12 file are not set at all. A
manual change using certutil was required.
2) While the CA certificates from the PKCS#12 file are imported into the NSS DB
of the http and/or ldap service, they are not imported into the tomcat-pki NSS
DB. As a result, tomcat fails to start when the ldap certificate has been
replaced and when it's signed by a CA which is not known to IPA. I would expect
that ipa-server-certinstall also updates this NSS DB. A manual import of the CA
certificates fixed the issue.
I found an old ticket which talks about the same issue and which has been
closed as FIXED, but I can still see the issues I outlined above in latest
RHEL-7.2 ipa package:
Version-Release number of selected component (if applicable):
Steps to Reproduce:
Create a new CSR for IPA httpd and have it signed by a CA which is not known to
IPA. Create a PKCS#12 file with the new certificate/key and add the full CA
certificate chain to the PKCS#12 file. Then import the file using
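A check for issue 1 above, added here as an example and not part of the ticket or of the FreeIPA project: it scans a `certutil -L` listing of an NSS database for certificates whose trust column is empty (certutil prints ",,") and prints the `certutil -M` commands that would mark them as CA certificates. The listing below is constructed sample data; the CA trust string "CT,C,C" and the database path /etc/httpd/alias are assumptions, not values taken from the ticket.

```shell
#!/bin/sh
# Constructed sample of `certutil -L -d /etc/httpd/alias` output (not real data).
# Real output is obtained with: certutil -L -d <nssdb>
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
EXAMPLE.COM IPA CA                                           CT,C,C
Example Corp Root CA                                         ,,
Example Corp Issuing CA                                      ,,'

# Print the nicknames of certificates whose trust column is ",," (no trust set).
# Reads a certutil -L listing on stdin; header and blank lines are skipped
# because only data rows end in a comma-separated trust triple.
untrusted_nicknames() {
    awk '
        $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ && $NF == ",," {
            sub(/[ \t]+[^ \t]+$/, "")   # drop the trust column, keep the nickname
            print
        }'
}

# Emit the certutil command that would give each untrusted cert CA trust flags
# (assumed "CT,C,C"). Commands are printed for review, not executed.
fix_commands() {
    db="$1"
    untrusted_nicknames | while IFS= read -r nick; do
        printf 'certutil -M -d %s -n "%s" -t "CT,C,C"\n' "$db" "$nick"
    done
}

# Usage against the constructed sample; on a real host pipe certutil -L into it:
#   certutil -L -d /etc/httpd/alias | fix_commands /etc/httpd/alias
printf '%s\n' "$SAMPLE_LISTING" | fix_commands /etc/httpd/alias
```

Running the same check against the tomcat-pki NSS database shows whether the CA chain is missing there entirely (issue 2): a CA nickname that appears in the httpd listing but not in the tomcat listing has not been imported at all, which no trust-flag change can fix.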
Metadata Update from @pvoborni:
- Issue assigned to frenaud
- Issue set to the milestone: FreeIPA 4.4.3