#6454 Don't install intermediate cert as trust anchor
Opened 3 years ago by cheimes. Modified 2 years ago

FreeIPA can be installed with an external root CA and a local intermediate CA in Dogtag PKI. ipa-client-install installs both the root CA's certificate and IPA CA's intermediate cert as trust anchors. It is not necessary to install an intermediate cert as a trust anchor. This causes some issues, e.g. Firefox no longer shows the root CA in the cert viewer and terminates cert verification at the intermediate cert.

The intermediate cert is installed in

  • /etc/pki/ca-trust/source/ipa.p11-kit
  • /etc/ipa/ca.crt
  • /etc/ipa/nssdb
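
One way to check a PEM bundle such as /etc/ipa/ca.crt for the condition described above, as an added example that is not part of the original ticket or FreeIPA's code: it lists the certificates whose issuer differs from their subject, i.e. intermediates sitting among the trust anchors. The function names are hypothetical, the sample bundle is built from constructed skeleton certificates (fields up to subject only), and issuer and subject are compared byte-for-byte without verifying any signature.

```python
import base64
import re

PEM = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def tlv(buf, off):
    """Return (tag, value_start, value_end) of the DER element at off."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length

def issuer_subject(cert):
    """Raw DER of the issuer and subject Names of one DER certificate."""
    _, off, _ = tlv(cert, 0)            # Certificate SEQUENCE
    _, off, _ = tlv(cert, off)          # tbsCertificate SEQUENCE
    tag, _, end = tlv(cert, off)        # [0] version, or serialNumber in v1
    if tag == 0xA0:
        _, _, end = tlv(cert, end)      # serialNumber
    _, _, iss = tlv(cert, end)          # skip signature AlgorithmIdentifier
    _, _, iss_end = tlv(cert, iss)      # issuer Name
    _, _, sub = tlv(cert, iss_end)      # skip validity
    _, _, sub_end = tlv(cert, sub)      # subject Name
    return cert[iss:iss_end], cert[sub:sub_end]

def non_root_anchors(bundle_text):
    """Indexes of PEM certs in the bundle that are not self-issued."""
    flagged = []
    for i, m in enumerate(PEM.finditer(bundle_text)):
        issuer, subject = issuer_subject(base64.b64decode(m.group(1)))
        if issuer != subject:  # byte comparison only; signature is not verified
            flagged.append(i)
    return flagged

# Constructed sample input: skeleton certificates, not real ones.
def der(tag, *parts):
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body  # short-form length, body < 128 bytes

def sample_cert(issuer_cn, subject_cn):
    cn_oid = der(0x06, b"\x55\x04\x03")  # commonName, 2.5.4.3
    name = lambda cn: der(0x30, der(0x31, der(0x30, cn_oid, der(0x0C, cn.encode()))))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), der(0x30),
              name(issuer_cn), der(0x30), name(subject_cn))
    body = base64.encodebytes(der(0x30, tbs)).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

SAMPLE_BUNDLE = (sample_cert("Example Root CA", "Example Root CA")
                 + sample_cert("Example Root CA", "Example IPA CA"))
```

On a client, pass the contents of the bundle file to `non_root_anchors`; any index it returns is a certificate issued by another CA that is present in the anchor bundle.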

Metadata Update from @cheimes:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog

2 years ago
