Hi All,
We are trying to install externally signed certificate for WebUI / HTTPS service on our RHEL IdM servers (primary and replica both).
As the first step, we are trying to install the CA certificate chain of the issuer of the 3rd party certificate to IPA using "ipa-cacert-manage install".
Step 1: ipa-cacert-manage install idm-app-pilot-file.pem
We have put the certificate issued by the intermediate CA for the CSR generated at "/var/lib/ipa/ca.csr" from "ipa-cacert-manage renew --external-ca". The command accepts the certificate as expected.
Step 2: ipa-certupdate
We ran this command on both primary & replica and also the clients registered to the
Step 3: ipa-cacert-manage renew --external-cert-file=idm-app-pilot-file.pem --external-cert-file=ca_chain_cert.pem
In this step, we are running the "ipa-cacert-manage renew" command with renewed CA certificate and the external CA certificate chain. "ca_chain_cert.pem" has intermediate and root cert of the signing CA.
Step 3 command fails:
[root@ldmserver01 certs]# ipa-cacert-manage renew --external-cert-file=idm-app-pilot-file.pem --external-cert-file=ca_chain_cert.pem
Importing the renewed CA certificate, please wait
CA certificate CN=ABC Root CA,ST=California,OU=ABC_CA_Authority,O=ABCInc,L=PaloAlto,C=US in idm-app-pilot-file.pem, ca_chain_cert.pem is not valid: not a CA certificate
The ipa-cacert-manage command failed.
We have validated our certs using openssl verify -trusted as pasted below:
[root@ldmserver01 certs]# openssl verify -trusted ca_chain_cert.pem idm-app-pilot-file.pem
idm-app-pilot-file.pem: OK
Could someone please help us with which step we are doing wrong?
What content does the IdM server expect in ca_chain_cert.pem, in terms of the order of the root and intermediate sections? We have even tried appending the CA cert chain to idm-app-pilot-file.pem, but no luck.
Thanks in advance.
Regards,
Saurabh Garg
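Added example (my own, not from the original post or from the FreeIPA project): a POSIX shell helper that walks a PEM bundle such as ca_chain_cert.pem and reports, per certificate and in file order, its subject, issuer and whether basicConstraints marks it CA:TRUE, which is the property a "not a CA certificate" check looks at. It assumes openssl 1.1.1 or newer; the demo CA and server certificate it generates, and all file names, are constructed.

```shell
# Added example, not from the original post: list every certificate in a PEM
# bundle (e.g. ca_chain_cert.pem) with its subject, issuer and basicConstraints
# CA flag, so a chain can be reviewed before it is handed to ipa-cacert-manage.
# Assumes openssl 1.1.1 or newer (for "x509 -ext"); all file names are hypothetical.
set -eu

# Print one line per certificate in bundle $1: "<CA|NOT-CA> | <subject> | <issuer>",
# in the order the certificates appear in the file.
inspect_bundle() {
  d=$(mktemp -d)
  # Split the bundle into 1.pem, 2.pem, ... one certificate each, preserving order.
  awk -v d="$d" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/" n ".pem")}' "$1"
  i=1
  while [ -f "$d/$i.pem" ]; do
    f="$d/$i.pem"
    subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer= *//')
    # Only a certificate carrying basicConstraints CA:TRUE may sign other certificates.
    if openssl x509 -in "$f" -noout -ext basicConstraints 2>/dev/null | grep -q 'CA:TRUE'; then
      flag=CA
    else
      flag=NOT-CA
    fi
    printf '%s | %s | %s\n' "$flag" "$subj" "$issuer"
    i=$((i + 1))
  done
  rm -rf "$d"
}

# Number of certificates in bundle $1 that are flagged as CAs.
count_ca_certs() { inspect_bundle "$1" | grep -c '^CA ' || true; }

# Constructed test material (hypothetical names): a throwaway root CA plus a server
# certificate it signs, written to $1 as "server cert first, then its issuer".
make_demo_bundle() {
  w=$(mktemp -d)
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$w/ca.key" 2>/dev/null
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$w/srv.key" 2>/dev/null
  openssl req -new -key "$w/ca.key" -subj '/CN=Demo Root CA' -out "$w/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$w/ca.ext"
  openssl x509 -req -in "$w/ca.csr" -signkey "$w/ca.key" -days 1 -extfile "$w/ca.ext" \
    -out "$w/ca.pem" 2>/dev/null
  openssl req -new -key "$w/srv.key" -subj '/CN=idm.example.test' -out "$w/srv.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\n' > "$w/srv.ext"
  openssl x509 -req -in "$w/srv.csr" -CA "$w/ca.pem" -CAkey "$w/ca.key" -CAcreateserial \
    -days 1 -extfile "$w/srv.ext" -out "$w/srv.pem" 2>/dev/null
  cat "$w/srv.pem" "$w/ca.pem" > "$1"
  rm -rf "$w"
}
```

On a real bundle, run `inspect_bundle ca_chain_cert.pem` and confirm every entry shows CA and each issuer line matches the subject of the certificate that follows it.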