On 5/29/19 3:36 PM, Sumit Bose via FreeIPA-users wrote:
On Wed, May 29, 2019 at 01:19:19PM -0000, Khurrum Maqb via FreeIPA-users wrote:
> They are indeed all self signed:
>
> #openssl x509 -in /var/kerberos/krb5kdc/kdc.crt -issuer -subject -noout
> issuer= /O=DOMAIN.COM/CN=server1.dom.ain
> subject= /O=DOMAIN.COM/CN=server1.dom.ain
>
> #openssl x509 -in /var/kerberos/krb5kdc/kdc.crt -issuer -subject -noout
> issuer= /O=DOMAIN.COM/CN=server2.dom.ain
> subject= /O=DOMAIN.COM/CN=server2.dom.ain
Florence, do you know from the top of your head the steps to recreate
proper KDC certificates signed by the IPA CA?
Hi,
running "ipa-pkinit-manage enable" should re-create the KDC cert.
Note that there was an issue with this command (see #7200
ipa-pkinit-manage reports a switch from local pkinit to full pkinit
configuration was successful although it was not [1]). IIRC the
workaround is to delete the cert before calling ipa-pkinit-manage enable.
HTH,
flo
[1] https://pagure.io/freeipa/issue/7200
bye,
Sumit
>
> and so on..
>
> So if I understand correctly, these all should have been signed by the IPA CA?
>
> And re: OCSP - I'll go ahead and check how I can either change the location, or set up a CNAME to point the existing address in the cert to a working ocsp responder.
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
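
Added example, not part of the original thread and not FreeIPA code: a shell check that repeats the issuer/subject comparison shown above and then tests whether a KDC certificate chains to a given CA, which is useful before and after running `ipa-pkinit-manage enable`. The function names are hypothetical, `/etc/ipa/ca.crt` as the IPA CA location is an assumption, and the sample certificates are constructed throwaways.

```shell
#!/bin/sh
# Classify a KDC certificate: self-signed, ca-issued, or unverified.
# Assumed defaults: the KDC cert path from the thread, and /etc/ipa/ca.crt
# as the IPA CA certificate (assumption; pass another path as $2).

kdc_cert_status() {
    cert=$1
    ca=$2
    # Reject files that are missing or do not parse as X.509.
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || { echo "unreadable"; return 2; }
    issuer=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer= *//')
    subject=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject= *//')
    # Same name comparison as in the thread: issuer equal to subject.
    if [ "$issuer" = "$subject" ]; then
        echo "self-signed"
    # Chain check (also fails for expired certs, hence "unverified").
    elif openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "ca-issued"
    else
        echo "unverified"
    fi
}

# Constructed sample data for a dry run: a throwaway CA, one self-signed
# cert and one cert signed by that CA, all written into directory $1.
make_sample_certs() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=EXAMPLE.TEST/CN=Certificate Authority" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=EXAMPLE.TEST/CN=server1.example.test" \
        -keyout "$d/self.key" -out "$d/self.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=EXAMPLE.TEST/CN=server2.example.test" \
        -keyout "$d/kdc.key" -out "$d/kdc.csr" 2>/dev/null
    openssl x509 -req -in "$d/kdc.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/kdc.crt" 2>/dev/null
}

# Usage: script.sh [KDC_CERT [CA_CERT]]; does nothing when run without arguments.
if [ "$#" -ge 1 ]; then
    kdc_cert_status "$1" "${2:-/etc/ipa/ca.crt}"
fi
```

On each IPA server, a result of `self-signed` for `/var/kerberos/krb5kdc/kdc.crt` matches the state described in the thread; `ca-issued` is the expected result once the certificate has been re-created.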