Hi 

I just wanted to say thank you to this list and especially to Rob Crittenden.

I could not log in to freeipa-users; there may be a problem in logging in with social network accounts. So I am sending this as an email.

Firstly, my issue was that FreeIPA was refusing to install my Comodo certificate with a signature algorithm complaint.

I am writing how I solved this issue with a complete CLI:

# Recommended by Rob, and a significant milestone in solving my problem
update-crypto-policies --set DEFAULT:SHA1
# I received the ca-bundle from my CA with my CRT file
sudo ipa-cacert-manage -t C,, install my-domain.ca-bundle
sudo ipa-certupdate
# The pem file includes all of the certificate authority chain
sudo ipa-server-certinstall --http --dirsrv mydomain.key mydomain.pem



I have only one question
Why did I need to add this CA file to my FreeIPA server? I mean, it is already signed with a public CA? Web servers can easily see it and do not throw any error when I install this certificate, but the same is not true when I install this certificate in IDM or in anything other than a web server. So why do they not know my CA automatically?

Is it because this is especially designed for HTTPS connections? Do I need to request something different or from another vendor, such as Verisign?


Thanks again..