Kristian Petersen via FreeIPA-users wrote:
> They aren't in one file. But the server cert's issuer is the subject of
> the DigiCert.crt file. I have already tried adding just the
> DigiCert.crt file only to have it tell me the Peer's Certificate isn't
> trusted. I don't even know what certificate that is talking about.
Can you share the files?
rob
>
> On Tue, Oct 15, 2019 at 7:27 AM Rob Crittenden <rcritten@redhat.com> wrote:
>
> Kristian Petersen wrote:
> > Rob,
> >
> > After investigating the certs as you had suggested, I do have the whole
> > chain. The server cert has as its issuer:
> > Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
> >
> > And the DigiCert.crt file has as its issuer and subject:
> > Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
> > Subject: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
> >
> > Am I missing something here?
>
> So you have the whole chain in one file? Try adding them individually,
> starting at the root.
>
> rob
>
> >
> > On Fri, Oct 11, 2019 at 12:50 PM Rob Crittenden <rcritten@redhat.com> wrote:
> >
> > Kristian Petersen wrote:
> > > New but related question: If I just want to add new LDAP and HTTPS
> > > certs (not replacing the current ones) I know that can be done. I read
> > > an article from Florence Blanc-Renaud that mentions it, but I ran into
> > > some errors and I'm trying to troubleshoot them. When I ran
> > > ipa-server-certinstall and gave it the key I generated and the crt file
> > > I got from Digicert it said the entire chain was not present. So then I
> > > tried including the DigiCertCA.crt file as well, however, I got the same
> > > result.
> > >
> > > I next tried adding the DigiCert certificate to IPA using
> > > ipa-cacert-manage -p DM_PASSWORD -n NICKNAME -t C,, install DigiCertCA.crt
> > > This also failed giving an error that the cert was invalid because the
> > > Peer's Certificate issuer was not recognized. Any thoughts about what I
> > > might have missed?
> >
> > You don't have the full chain. It can be tricky to find the whole list
> > even on CAs that make it relatively easy.
> >
> > What you want to do is use a tool like openssl x509 to display the
> > subject and issuer:
> >
> > openssl x509 -text -noout -in /path/to/cert
> >
> > I'd start with the server cert you've been issued. Find a matching CA
> > cert where the subject of the CA cert matches the issuer on the
> > server cert.
> >
> > Then find another CA cert whose subject matches the issuer of the bottom
> > of the chain, and work upwards until you find a CA cert where the issuer
> > and subject match. Then you've found the root. That plus the other
> > matching CA certs is your chain.
> >
> > I'll also note about the "add but not replace" the LDAP and Web certs.
> > There can only be one active. You can certainly use different physical
> > files and nicknames to store the new certs but only one set is active at
> > a time.
> >
> > rob
> >
> > >
> > >
> > > On Fri, Oct 11, 2019 at 11:20 AM Rob Crittenden <rcritten@redhat.com> wrote:
> > >
> > > Kristian Petersen via FreeIPA-users wrote:
> > > > That outlines the options, but not why I should or shouldn't use
> > > > any of them. That is more of what I am looking for.
> > >
> > > It's less benefit analysis and more forced by internal requirements.
> > >
> > > Often an organization already has a CA and wants any additional CAs to
> > > be subordinates.
> > >
> > > The downside of an external CA is some additional complexity.
> > >
> > > Installation can be more difficult (users often have issues getting
> > > their external CA to properly sign the IPA CSR), dealing with a longer
> > > certificate chain and being bound by the expiration date of the
> > > external CA.
> > >
> > > rob
> > >
> > > >
> > > > On Fri, Oct 11, 2019 at 9:47 AM François Cami <fcami@redhat.com> wrote:
> > > >
> > > > Hi,
> > > >
> > > > On Fri, Oct 11, 2019 at 5:34 PM Kristian Petersen via FreeIPA-users
> > > > <freeipa-users@lists.fedorahosted.org> wrote:
> > > > >
> > > > > Hey y'all,
> > > > >
> > > > > What are the pros and cons of using an external or internal CA
> > > > > for FreeIPA/IdM? I am trying to decide which to do but having
> > > > > trouble finding a lot of info about why I would want to do one or
> > > > > the other.
> > > >
> > > > The choices are documented there:
> > > >
> > > > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/install-server
> > > >
> > > > François
> > > >
> > > > > Thanks in advance!
> > > > >
> > > > > --
> > > > > Kristian Petersen
> > > > > System Administrator
> > > > > BYU Dept. of Chemistry and Biochemistry
> > > > > _______________________________________________
> > > > > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > > > > To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
> > > > > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> > > >
> > > >
> > > >
> > > > --
> > > > Kristian Petersen
> > > > System Administrator
> > > > BYU Dept. of Chemistry and Biochemistry
> > > >
> > >
> > >
> > >
> > > --
> > > Kristian Petersen
> > > System Administrator
> > > BYU Dept. of Chemistry and Biochemistry
> >
> >
> >
> > --
> > Kristian Petersen
> > System Administrator
> > BYU Dept. of Chemistry and Biochemistry
>
>
>
> --
> Kristian Petersen
> System Administrator
> BYU Dept. of Chemistry and Biochemistry
>
>
>
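Rob's procedure quoted above (print each certificate's subject and issuer with openssl x509, find the CA cert whose subject matches the server cert's issuer, repeat until a cert whose issuer equals its own subject ends the chain) is easy to script. The following is an added example, not something posted in the thread and not an IPA tool: it orders a pile of PEM files into a chain leaf-first, stops with a message naming the missing issuer when the pile is incomplete, and then hands the ordered chain to openssl verify. That last step matters: two certificates can carry the same subject DN without one having signed the other (re-keyed or cross-signed CAs are the usual case), so a subject/issuer string match is only a first pass and the signature check is what proves the chain links up. The certificates it runs against are generated locally as constructed fixtures (the "Example Root CA", "Example Intermediate CA" and ipa.example.test names are made up here); nothing in it is a DigiCert or IPA certificate. It assumes only the openssl command line and POSIX tools.

```shell
#!/bin/sh
# Added example, not from the thread: order loose PEM certificates into a
# chain (leaf first, root last) by following issuer -> subject, as Rob
# describes, then let openssl verify confirm the signatures really link up.
# Requires the openssl CLI and POSIX tools. The "Example ..." names and the
# generated certificates below are constructed test fixtures.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Subject / issuer of one PEM file in RFC 2253 form, so equal DNs compare
# equal as strings regardless of how each certificate encoded them.
cert_subject() { openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//'; }
cert_issuer()  { openssl x509 -noout -issuer  -nameopt RFC2253 -in "$1" | sed 's/^issuer= *//'; }

# order_chain LEAF CANDIDATE...: print LEAF, then the candidate whose subject
# matches its issuer, and so on, until a self-issued certificate (subject ==
# issuer) ends the chain. Returns 1 and names the missing issuer when no
# candidate matches, i.e. when the pile is not the full chain.
order_chain() {
    current=$1; shift
    printf '%s\n' "$current"
    while :; do
        iss=$(cert_issuer "$current")
        if [ "$(cert_subject "$current")" = "$iss" ]; then
            return 0                      # self-issued: this is the root
        fi
        next=""
        for cand in "$@"; do
            if [ "$(cert_subject "$cand")" = "$iss" ]; then next=$cand; break; fi
        done
        if [ -z "$next" ]; then
            echo "missing issuer for $current: $iss" >&2
            return 1
        fi
        printf '%s\n' "$next"
        current=$next
    done
}

# verify_ordered LISTFILE: LISTFILE holds order_chain's output. Trust only the
# last entry (the root) and pass the intermediates as untrusted, so openssl
# has to check every signature rather than just the matching names.
verify_ordered() {
    leaf=$(head -n 1 "$1")
    root=$(tail -n 1 "$1")
    untrusted="$WORK/untrusted.pem"
    : > "$untrusted"
    sed '1d;$d' "$1" | while IFS= read -r f; do cat "$f" >> "$untrusted"; done
    if [ -s "$untrusted" ]; then
        openssl verify -CAfile "$root" -untrusted "$untrusted" "$leaf" >/dev/null
    else
        openssl verify -CAfile "$root" "$leaf" >/dev/null
    fi
}

# Constructed fixtures: a root CA, an intermediate CA and a server certificate,
# all generated locally (nothing here is a DigiCert or IPA certificate).
make_test_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ipa.example.test\n' > "$d/leaf.ext"
    for n in root int leaf; do
        case $n in
            root) subj="/O=Example/CN=Example Root CA" ;;
            int)  subj="/O=Example/CN=Example Intermediate CA" ;;
            leaf) subj="/O=Example/CN=ipa.example.test" ;;
        esac
        openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" -out "$d/$n.csr" \
            -subj "$subj" >/dev/null 2>&1
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 -sha256 \
        -extfile "$d/ca.ext" -out "$d/root.crt" >/dev/null 2>&1
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
        -days 30 -sha256 -extfile "$d/ca.ext" -out "$d/int.crt" >/dev/null 2>&1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial \
        -days 30 -sha256 -extfile "$d/leaf.ext" -out "$d/leaf.crt" >/dev/null 2>&1
}

make_test_chain "$WORK"

# Hand the CA files over in the wrong order; order_chain sorts them out.
order_chain "$WORK/leaf.crt" "$WORK/root.crt" "$WORK/int.crt" > "$WORK/chain.txt"
verify_ordered "$WORK/chain.txt"
echo "complete chain, leaf to root:"; cat "$WORK/chain.txt"

# Leave the root out, as when only the server cert and one CA file are in hand:
# the walk stops at the intermediate because nothing in the pile issued it.
if order_chain "$WORK/leaf.crt" "$WORK/int.crt" >/dev/null 2>"$WORK/err.txt"; then
    echo "unexpected: incomplete pile looked like a full chain"; exit 1
fi
echo "incomplete chain detected: $(cat "$WORK/err.txt")"
```

To use it on real files, replace the make_test_chain call with the server cert and whatever CA files the issuer shipped, and read the "missing issuer for ..." line when it stops early: that DN is the certificate still to be fetched. Once verify_ordered passes, the files it lists are the chain to hand to the IPA tools, root first as Rob suggests.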