Hi
I just wanted to say thank you to this list and especially to Rob Crittenden.
I could not log in to freeipa-users; there may be a problem in logging in with social network accounts. So I am sending this as an email.
Firstly, my issue was that FreeIPA was refusing to install my Comodo certificate with a signature algorithm complaint.
I am writing how I solved this issue with a complete CLI:

# recommended by Rob and a significant milestone in solving my problem
update-crypto-policies --set DEFAULT:SHA1
# I received the ca-bundle from my CA with my CRT file
sudo ipa-cacert-manage -t C,, install my-domain.ca-bundle
sudo ipa-certupdate
# the pem file includes all the certificate authority chain
sudo ipa-server-certinstall --http --dirsrv mydomain.key mydomain.pem

I have only one question: why did I need to add this CA file to my FreeIPA server? I mean, it is already signed with a public CA? Web servers can easily see it and do not throw any error when I install this certificate, but the same is not true when I install this certificate in IdM or in anything other than a web server. So why do they not know my CA automatically? Is it because this is especially designed for HTTPS connections? Do I need to request something different or from another vendor, such as Verisign?
Thanks again.
mskaraca--- via FreeIPA-users wrote:
Hi
I just wanted to say thank you to this list and especially to Rob Crittenden.
I could not log in to freeipa-users; there may be a problem in logging in with social network accounts. So I am sending this as an email.
Firstly, my issue was that FreeIPA was refusing to install my Comodo certificate with a signature algorithm complaint.
I am writing how I solved this issue with a complete CLI:

# recommended by Rob and a significant milestone in solving my problem
update-crypto-policies --set DEFAULT:SHA1
# I received the ca-bundle from my CA with my CRT file
sudo ipa-cacert-manage -t C,, install my-domain.ca-bundle
sudo ipa-certupdate
# the pem file includes all the certificate authority chain
sudo ipa-server-certinstall --http --dirsrv mydomain.key mydomain.pem

I have only one question: why did I need to add this CA file to my FreeIPA server? I mean, it is already signed with a public CA? Web servers can easily see it and do not throw any error when I install this certificate, but the same is not true when I install this certificate in IdM or in anything other than a web server. So why do they not know my CA automatically?
Is it because this is especially designed for HTTPS connections? Do I need to request something different or from another vendor, such as Verisign?
Not every public CA chain is present on all machines.
The chain is installed on the server using ipa-cacert-manage so it can be distributed to clients with ipa-certupdate.
Your certificate is probably fine, though SHA-1 is deprecated. For more details see https://en.wikipedia.org/wiki/SHA-1
rob
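The checks below are an added example for this thread, not commands from the poster or from the FreeIPA project: they let an admin inspect the signature algorithm of each certificate in the CA bundle (the cause of the original refusal), confirm the key and certificate handed to ipa-server-certinstall are a pair, and show Rob's point by verifying the server certificate against a trust store that does contain the CA and one that does not. It assumes the openssl CLI is installed; the file names mydomain.key, mydomain.pem and the CA bundle are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Sanity checks for a third-party
# certificate before running ipa-cacert-manage / ipa-server-certinstall.
# Assumes the openssl CLI; file names are placeholders.
set -eu

# Signature algorithm of one PEM certificate, e.g. sha256WithRSAEncryption.
cert_sigalg() {
  openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm/ {print $3; exit}'
}

# Split a PEM bundle into one file per certificate inside directory $2.
split_bundle() {
  awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/ {n++; f=dir "/cert" n ".pem"}
                   f {print > f}' "$1"
}

# Returns 0 (true) if any certificate in the bundle is SHA-1 signed, which is
# what the DEFAULT crypto policy rejects and DEFAULT:SHA1 re-enables.
bundle_has_sha1() {
  dir=$(mktemp -d); split_bundle "$1" "$dir"; found=1
  for c in "$dir"/cert*.pem; do
    case "$(cert_sigalg "$c")" in sha1*) found=0 ;; esac
  done
  rm -rf "$dir"; return $found
}

# Returns 0 if the server certificate chains to the CA bundle given as $2.
# Point $2 at a store that lacks the issuing CA and this fails: that is why the
# bundle must be installed with ipa-cacert-manage and pushed by ipa-certupdate.
verify_chain() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Returns 0 if private key $1 matches certificate $2 (the pair that
# ipa-server-certinstall expects).
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}
```

Run verify_chain once with the CA bundle and once with an empty file to see the difference between a trust store that knows the CA and one that does not.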
freeipa-users@lists.fedorahosted.org