They aren't in one file.  But the server cert's issuer is the subject of the DigiCert.crt file.  I have already tried adding just the Digicert.crt file only to have it tell me it's Peer's Certificate isn't trusted.  I don't even know what certificate that is talking about.

On Tue, Oct 15, 2019 at 7:27 AM Rob Crittenden <rcritten@redhat.com> wrote:
Kristian Petersen wrote:
> Rob,
>
> After investigating the certs as you had suggested, I do have the whole
> chain.  The server cert has as its issuer:
> Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
>
> And the DigiCert.crt file has as its issuer and subject:
> Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
> Subject: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
>
> Am I missing something here? 

So you have the whole chain in one file? Try adding them individually,
starting at the root.

rob

>
> On Fri, Oct 11, 2019 at 12:50 PM Rob Crittenden <rcritten@redhat.com> wrote:
>
>     Kristian Petersen wrote:
>     > New but related question:  If I just want to add new LDAP and HTTPS
>     > certs (not replacing the current ones) I know that can be done.  I read
>     > an article from Florence Blanc-Renaud that mentions it, but I ran into
>     > some errors and I'm trying to troubleshoot them. When I ran
>     > ipa-server-certinstall and gave it the key I generated and the crt file
>     > I got from Digicert it said the entire chain was not present.  So then I
>     > tried including the DigiCertCA.crt file as well, however, I got the same
>     > result.
>     >
>     > I next tried adding the DigiCert certificate to IPA using
>     > ipa-cacert-manage -p DM_PASSWORD -n NICKNAME -t C,, install DigiCertCA.crt
>     > This also failed giving an error that the cert was invalid because the
>     > Peer's Certificate issuer was not recognized.  Any thoughts about what I
>     > might have missed?
>
>     You don't have the full chain. It can be tricky to find the whole list
>     even on CAs that make it relatively easy.
>
>     What you want to do is use a tool like openssl x509 to display the
>     subject and issuer:
>
>     openssl x509 -text -noout -in /path/to/cert
>
>     I'd start with the server cert you've been issued. Find a matching CA
>     cert where the subject of the CA cert matches the issuer on the
>     server cert.
>
>     Then find another CA cert whose subject matches the issuer of the bottom
>     of the chain, and work upwards until you find a CA cert where the issuer
>     and subject match. Then you've found the root. That plus the other
>     matching CA certs is your chain.
>
>     I'll also note about the "add but not replace" the LDAP and Web certs.
>     There can only be one active. You can certainly use different physical
>     files and nicknames to store the new certs but only one set is active at
>     a time.
>
>     rob
>
>     >
>     >
>     > On Fri, Oct 11, 2019 at 11:20 AM Rob Crittenden <rcritten@redhat.com> wrote:
>     >
>     >     Kristian Petersen via FreeIPA-users wrote:
>     >     > That outlines the options, but not why I should or shouldn't use
>     >     > any of them.  That is more of what I am looking for.
>     >
>     >     It's less benefit analysis and more forced by internal requirements.
>     >
>     >     Often an organization already has a CA and wants any additional CAs to
>     >     be subordinates.
>     >
>     >     The downside of an external CA is some additional complexity.
>     >
>     >     Installation can be more difficult (users often have issues getting
>     >     their external CA to properly sign the IPA CSR), dealing with a longer
>     >     certificate chain and being bound by the expiration date of the
>     >     external CA.
>     >
>     >     rob
>     >
>     >     >
>     >     > On Fri, Oct 11, 2019 at 9:47 AM François Cami <fcami@redhat.com> wrote:
>     >     >
>     >     >     Hi,
>     >     >
>     >     >     On Fri, Oct 11, 2019 at 5:34 PM Kristian Petersen via FreeIPA-users
>     >     >     <freeipa-users@lists.fedorahosted.org> wrote:
>     >     >     >
>     >     >     > Hey y'all,
>     >     >     >
>     >     >     > What are the pros and cons of using an external or internal CA
>     >     >     > for FreeIPA/IdM?  I am trying to decide which to do but having
>     >     >     > trouble finding a lot of info about why I would want to do one or
>     >     >     > the other.
>     >     >
>     >     >     The choices are documented there:
>     >     >     https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/install-server
>     >     >
>     >     >     François
>     >     >
>     >     >     > Thanks in advance!
>     >     >     >
>     >     >     > --
>     >     >     > Kristian Petersen
>     >     >     > System Administrator
>     >     >     > BYU Dept. of Chemistry and Biochemistry
>     >     >     > _______________________________________________
>     >     >     > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>     >     >     > To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
>     >     >     > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>     >     >     > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>     >     >     > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>     >     >
>     >     >
>     >     >
>     >     >
>     >     >
>     >     >
>     >
>     >
>     >
>
>
>



--
Kristian Petersen
System Administrator
BYU Dept. of Chemistry and Biochemistry
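The subject/issuer walk Rob describes, written out as a script. This is an added example, not code from the thread or from the FreeIPA project: it assumes openssl is in PATH, that the certificates are PEM files with no spaces in their paths, and it builds a throwaway root -> intermediate -> server hierarchy (the names "Demo Root CA", "Demo Intermediate CA", "ipa.example.test" and the file "ca-bundle.pem" are made up, not DigiCert's chain) so it runs offline. Two details matter for the "whole chain in one file" question: "openssl x509" only reads the first certificate of a multi-cert PEM file, so a bundle has to be split before each member can be matched, and a certificate whose subject and issuer print identical is by definition self-signed, which the walk treats as the end of the chain.

```shell
#!/bin/sh
# Walk a server cert up to its root: read subject and issuer with "openssl x509",
# find the CA cert whose subject equals that issuer, repeat until a self-signed
# cert is reached, then let "openssl verify" check the signatures.
# Assumptions: openssl in PATH, PEM-encoded files, no spaces in paths.
set -eu

# name_of subject|issuer FILE: the DN of the first certificate in FILE, in
# RFC 2253 form so the two fields compare byte for byte.
name_of() {
  openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" | sed "s/^$1= *//"
}

# split_bundle FILE OUTDIR: one file per certificate. "openssl x509" only reads
# the first certificate of a multi-cert PEM file, so bundles must be split first.
split_bundle() {
  awk -v base="$2/$(basename "$1")" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = base "." n ".pem"; p = 1 }
    p { print > out }
    /-----END CERTIFICATE-----/   { close(out); p = 0 }
  ' "$1"
}

# build_chain LEAF CADIR: print the chain, leaf first, ending at the root.
# Returns non-zero and names the missing issuer when CADIR has a gap.
build_chain() {
  local cur issuer next f hops
  cur=$1; hops=0
  while :; do
    printf '%s\n' "$cur"
    issuer=$(name_of issuer "$cur")
    [ "$(name_of subject "$cur")" = "$issuer" ] && return 0   # self-signed: root
    hops=$((hops + 1))
    [ "$hops" -le 10 ] || { echo "chain longer than 10 certs, giving up" >&2; return 1; }
    next=
    for f in "$2"/*.pem; do
      [ -f "$f" ] || continue
      if [ "$(name_of subject "$f")" = "$issuer" ]; then next=$f; break; fi
    done
    if [ -z "$next" ]; then
      echo "chain incomplete: nothing in $2 has subject '$issuer'" >&2
      return 1
    fi
    cur=$next
  done
}

# verify_chain LEAF [INTERMEDIATE...] ROOT: the name walk only matches strings;
# this checks signatures, validity periods and CA flags. The last argument is
# the trust anchor, everything between it and the leaf is passed as untrusted.
verify_chain() {
  local leaf untrusted
  leaf=$1; shift
  [ $# -ge 1 ] || { echo "need at least a root after the leaf" >&2; return 1; }
  untrusted=
  while [ $# -gt 1 ]; do untrusted="$untrusted -untrusted $1"; shift; done
  # shellcheck disable=SC2086  (word splitting of $untrusted is intended)
  openssl verify -CAfile "$1" $untrusted "$leaf"
}

# make_demo_pki DIR: a constructed root -> intermediate -> server hierarchy so
# the script runs offline. All names are made up; this is not DigiCert's chain.
make_demo_pki() (
  cd "$1"
  cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
[server_ext]
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
  openssl req -x509 -config ext.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
    -keyout root.key -out root.pem -subj "/CN=Demo Root CA" -days 2 2>/dev/null
  openssl req -new -config ext.cnf -newkey rsa:2048 -nodes \
    -keyout inter.key -out inter.csr -subj "/CN=Demo Intermediate CA" 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ext.cnf -extensions ca_ext -out inter.pem -days 2 2>/dev/null
  openssl req -new -config ext.cnf -newkey rsa:2048 -nodes \
    -keyout server.key -out server.csr -subj "/CN=ipa.example.test" 2>/dev/null
  openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -extfile ext.cnf -extensions server_ext -out server.pem -days 2 2>/dev/null
  cat inter.pem root.pem > ca-bundle.pem     # the "whole chain in one file" case
)

DEMO_DIR=$(mktemp -d)
make_demo_pki "$DEMO_DIR"
mkdir "$DEMO_DIR/cas"
split_bundle "$DEMO_DIR/ca-bundle.pem" "$DEMO_DIR/cas"
DEMO_CHAIN=$(build_chain "$DEMO_DIR/server.pem" "$DEMO_DIR/cas")
printf 'chain, leaf first:\n%s\n' "$DEMO_CHAIN"
# shellcheck disable=SC2086  (one path per line, paths have no spaces)
verify_chain $DEMO_CHAIN                    # prints ".../server.pem: OK"
```

To run it against real files, drop the demo lines at the bottom and call build_chain with the issued server cert and a directory holding every CA file the vendor shipped (after split_bundle on any that hold more than one certificate). When the walk stops with "chain incomplete", the subject it names is exactly the CA certificate that still has to be fetched and installed first; that is the same gap an "issuer not recognized" error is pointing at.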