On 12/13/2017 04:39 PM, Harald Dunkel via FreeIPA-users wrote:
Hi Flo,
On 12/12/17 3:59 PM, Harald Dunkel via FreeIPA-users wrote:
>
> My concern is, it looks much more restricted than the old root CA
> certificate:
>
> # certutil -L -d /var/lib/pki/pki-tomcat/ca/alias
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> Server-Cert cert-pki-ca                                      u,u,u
> subsystemCert cert-pki-ca                                    u,u,u
> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
> auditSigningCert cert-pki-ca                                 u,u,Pu
> ocspSigningCert cert-pki-ca                                  u,u,u
> CN=example Root CA,OU=example Certificate Authority,O=example AG,C=DE
>                                                              CT,C,C
> CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE C,,
>
> Shouldn't it be "CT,C,C" as well?
>
:
:
Hi,
the flags here will be the same as the ones used with the command
ipa-cacert-manage install -t <flags>. If I recall correctly, in most
cases you need only C,, but if your deployment requires more flags (for
instance the external CA is used to sign Smart Card certificates), you
can tune this by providing the required flags in ipa-cacert-manage install.
>
> ipa-certupdate said
>
> # ipa-certupdate
> trying https://ipa1.example.de/ipa/json
> [try 1]: Forwarding 'schema' to json server
> 'https://ipa1.example.de/ipa/json'
> trying https://ipa1.example.de/ipa/json
> [try 1]: Forwarding 'ca_is_enabled' to json server
> 'https://ipa1.example.de/ipa/json'
> [try 1]: Forwarding 'ca_find/1' to json server
> 'https://ipa1.example.de/ipa/json'
> Systemwide CA database updated.
> Systemwide CA database updated.
> The ipa-certupdate command was successful
>
> dmesg shows that there was a core dump:
>
> [108604.869633] ns-slapd[23051]: segfault at 10 ip 00007fb60841dc30 sp
> 00007fb60af56c88 error 4 in libpthread-2.17.so[7fb608414000+17000]
>
> Problem: The certificate in /etc/ipa/ca.crt and /usr/share/ipa/html/ca.crt
> is still old. The files have been touched, but not replaced by the new
> certificate.
>
AFAICT this is not as documented. Would you suggest filing a bug
report?
The files should contain multiple certificates (IPA CA and the external
CA certificates). If it is not the case, please check first if there
were AVC issues (if running in SELinux enforcing mode), and feel free to
file a bug.
Flo
Regards
Harri
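An added example, not code from this thread or from the FreeIPA project, for the two checks Flo's reply points at: reading the trust flags certutil actually stored for a CA nickname (including the layout where a long nickname, like the example Root CA above, pushes the flags onto the following line), and counting the certificates in a CA bundle such as /etc/ipa/ca.crt, which should hold more than one after ipa-certupdate. The certutil listing and the PEM bundle inside the script are constructed sample input; the function names are mine.

```shell
#!/bin/sh
# Added example; not code from the thread or from the FreeIPA project.
# Two post-install checks for the situation discussed above:
#   trust_flags NICKNAME   - trust column that certutil -L shows for NICKNAME,
#                            read from stdin; handles the wrapped layout
#                            certutil uses for long nicknames
#   ssl_trusted_ca FLAGS   - true if the SSL column carries "C" (trusted CA)
#   count_certs            - number of PEM certificates on stdin
# On a live server the inputs would be
#   certutil -L -d /var/lib/pki/pki-tomcat/ca/alias | trust_flags 'caSigningCert cert-pki-ca'
#   count_certs < /etc/ipa/ca.crt
# Here both inputs are constructed sample data so the script runs offline.

trust_flags() {
    awk -v nick="$1" '
        # header block printed by certutil -L
        /^Certificate Nickname/ || /SSL,S\/MIME,JAR\/XPI/ || /^[[:space:]]*$/ { next }
        index($0, nick) == 1 {
            rest = substr($0, length(nick) + 1)
            if (rest ~ /^[^[:space:]]/) next     # nick is only a prefix of this row
            if (rest ~ /^[[:space:]]*$/) {
                # long nickname: certutil puts the flags on the following line
                if ((getline rest) <= 0) exit 1
            }
            gsub(/[[:space:]]/, "", rest)
            print rest
            exit
        }'
}

ssl_trusted_ca() {
    # First comma-separated field is the SSL trust: C = trusted CA,
    # T = also trusted to issue client certs, u = has private key, "" = none.
    case "${1%%,*}" in
        *C*) return 0 ;;
        *)   return 1 ;;
    esac
}

count_certs() {
    awk '/^-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }'
}

# Constructed sample: the listing from the thread laid out as certutil prints
# it, and a two-certificate bundle with placeholder bodies (not real certs).
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                                      u,u,u
subsystemCert cert-pki-ca                                    u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,u
CN=example Root CA,OU=example Certificate Authority,O=example AG,C=DE
                                                             CT,C,C
CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE C,,
'

SAMPLE_BUNDLE='-----BEGIN CERTIFICATE-----
(constructed placeholder body, not a real certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(constructed placeholder body, not a real certificate)
-----END CERTIFICATE-----'

# Demo over the constructed data: which CA nicknames are trusted to sign
# server certs, and how many certificates the bundle carries.
for nick in 'caSigningCert cert-pki-ca' \
            'CN=example Root CA,OU=example Certificate Authority,O=example AG,C=DE' \
            'CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE'; do
    flags=$(printf '%s\n' "$SAMPLE_LISTING" | trust_flags "$nick")
    if ssl_trusted_ca "$flags"; then verdict=trusted-CA; else verdict=not-a-trusted-CA; fi
    printf '%-70s %-10s %s\n' "$nick" "$flags" "$verdict"
done
printf 'certificates in bundle: %s\n' "$(printf '%s\n' "$SAMPLE_BUNDLE" | count_certs)"
```

Both root CA rows in the sample come out as trusted CAs (C in the SSL column), which matches Flo's point that "C,," is the usual default; if a deployment needs the stricter "CT,C,C" (or anything else), the place to set it is the -t option of ipa-cacert-manage install, not the NSS database directly. A bundle count of 1 for /etc/ipa/ca.crt after ipa-certupdate is the symptom to look into (AVC denials first, then a bug report).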
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org