Hello everybody,
I tried to change the Web UI certificate with a custom certificate signed by our internal CA. The custom certificate was provided as a bundle (certificate + intermediates). The root CA which signs the intermediate was added to the truststore with ipa-cacert-manage. Everything was successful, but when I accessed the Web UI I noticed that IPA provides only the certificate, not the full chain, which makes the certificate not trusted by the browsers (they are configured to trust only our internal root CA). Is there any method to configure IPA/IdM to provide the full certificate chain (certificate + intermediate) to the HTTP clients, or is there anything I configured wrong?
I have added the full chain in /var/lib/ipa/certs but I do not know if that is the correct way.
iulian roman via FreeIPA-users wrote:
I have added the full chain in /var/lib/ipa/certs but I do not know if that is the correct way.
Putting the chain in a random place is not going to work.
Try setting SSLCertificateChainFile to /etc/ipa/ca.crt in your Apache config and restarting it. This directive is deprecated but it may still work.
The alternative would be to combine the chain with your server certificate file. This will break when renewal time comes.
rob
freeipa-users@lists.fedorahosted.org
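The failure mode in the question (browser trusts only the internal root, server sends only the leaf) and the combined-file workaround in the reply can be checked offline. The script below is an added example, not code from the thread, from FreeIPA or from Apache: it builds a throwaway root -> intermediate -> server PKI with openssl (all names, the hostname ipa.example.test and the scratch directory are made up), then validates a "presented" bundle the way a client that trusts only the root would, treating the first certificate as the leaf and anything after it as untrusted intermediates. The leaf on its own fails; the leaf plus intermediate file passes.

```shell
#!/bin/sh
# Constructed example: demo PKI + chain check. Nothing here touches a real IPA
# install; WORK is a scratch directory and every name below is made up.
set -e

WORK="${WORK:-$(mktemp -d)}"

make_test_pki() {
    # Extension profiles for the CAs and for the web UI server certificate
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:ipa.example.test\n' \
        > "$WORK/srv.ext"

    # Root CA (stands in for the internal root the browsers trust), self-signed
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Internal Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null

    # Intermediate CA, signed by the root
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Intermediate CA" \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$WORK/int.csr" \
        -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
        -extfile "$WORK/ca.ext" -out "$WORK/int.crt" 2>/dev/null

    # Server (web UI) certificate, signed by the intermediate
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=ipa.example.test" \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$WORK/srv.csr" \
        -CA "$WORK/int.crt" -CAkey "$WORK/int.key" -CAcreateserial \
        -extfile "$WORK/srv.ext" -out "$WORK/srv.crt" 2>/dev/null

    # The combined file from the reply: leaf first, then the intermediate(s)
    cat "$WORK/srv.crt" "$WORK/int.crt" > "$WORK/chain.pem"
}

# Exit 0 if the PEM bundle in $1 validates against root.crt alone. The first
# certificate is the leaf; any that follow are only untrusted chain material,
# which is how a TLS client treats the certificates a server sends it.
chain_validates() {
    bundle="$1"
    parts=$(mktemp -d)
    awk -v dir="$parts" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/c%d.pem", dir, n) }
        f != "" { print > f }' "$bundle"
    if [ -f "$parts/c2.pem" ]; then
        cat "$parts"/c[2-9].pem > "$parts/untrusted.pem"
        openssl verify -CAfile "$WORK/root.crt" -untrusted "$parts/untrusted.pem" \
            "$parts/c1.pem" >/dev/null 2>&1
    else
        openssl verify -CAfile "$WORK/root.crt" "$parts/c1.pem" >/dev/null 2>&1
    fi
}

# Number of certificates a client would see presented from a PEM bundle
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

make_test_pki
for f in srv.crt chain.pem; do
    if chain_validates "$WORK/$f"; then status=trusted; else status=NOT-trusted; fi
    echo "$f: $(cert_count "$WORK/$f") cert(s) presented -> $status"
done
```

To run the same check against a live server rather than a constructed bundle, `openssl s_client -connect host:443 -servername host -showcerts </dev/null` prints every certificate the server actually sends; save those PEM blocks to a file and pass it to chain_validates with the real root in place of root.crt. If only one block comes back, the server is serving the leaf alone, which is exactly the symptom described above.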