Hi,
On Thu, Oct 12, 2023 at 9:58 AM Frederic Ayrault via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
Bonjour,
Le 12/10/2023 à 09:42, Florence Blanc-Renaud a écrit :
Hi,
So far it doesn't look like there was an IPA embedded CA signed by the external intermediate CA. Can you check the HTTP and LDAP server certificates with certutil? I would like to check who issued them. Since it's IPA 4.6.8, the HTTP cert is stored in /etc/httpd/alias. Find its nickname with:
# certutil -L -d /etc/httpd/alias/ | grep "u,u,u"
Server-Cert u,u,u
IPA3 u,u,u
Then get the subject and issuer from the certificate:
# certutil -L -d /etc/httpd/alias/ -n Server-Cert | egrep "Issuer:|Subject:"
Issuer: "CN=CNRS2-Standard,O=CNRS,C=FR"
Subject: "E=sysres@lix.polytechnique.fr,CN=ipa3.lix.polytechnique.fr, Issuer:
For the LDAP server, same steps but at a different location:
# certutil -L -d /etc/dirsrv/slapd-LIX-POLYTECHNIQUE-FR/ | grep "u,u,u"
Server-Cert u,u,u
# certutil -L -d /etc/dirsrv/slapd-LIX-POLYTECHNIQUE-FR/ -n Server-Cert | egrep "Subject:|Issuer:"
Issuer: "CN=CNRS2-Standard,O=CNRS,C=FR"
Subject: "E=sysres@lix.polytechnique.fr,CN=ipa3.lix.polytechnique.fr, Issuer:
If the issuer is an external CA, it's likely that your IPA deployment was installed CA-less.
Sorry, I misunderstood "external CA". Now, if I am right, I am using an external CA to get certs, but this CA is not installed on the server.
How can I install an internal CA on a CA-less server?
The output of ipa config-show would also show if there was a server installed with a CA.
Sorry, it is in French.
No problem :)
Longueur maximale du nom d'utilisateur: 32
Base du répertoire utilisateur: /users
Interpréteur de commande par défaut: /bin/bash
Groupe utilisateur par défaut: ipausers
Domaine par défaut pour les courriels: lix.polytechnique.fr
Limite de temps d'une recherche: 2
Limite de taille d'une recherche: 1000
Champs de recherche utilisateur: uid,givenname,sn,telephonenumber,ou,title
Champs de recherche de groupe: cn,description
Activer le mode migration: TRUE
Base de sujet de certificat: O=LIX.POLYTECHNIQUE.FR
Notification d'expiration de mot de passe (jours): 4
Fonctionnalités du greffon mots de passe: AllowNThash
Ordre de la mappe des utilisateurs SELinux: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
Utilisateur SELinux par défaut: unconfined_u:s0-s0:c0.c1023
Types de PAC par défaut: MS-PAC, nfs:NONE
Maîtres IPA: ipa3.lix.polytechnique.fr
Serveurs NTP IPA: ipa3.lix.polytechnique.fr
Maître de renouvellement d'AC IPA: ipa3.lix.polytechnique.fr
If I recap everything so far:
- there is a single server, ipa3.lix.polytechnique.fr
- it was installed CA-less, with http and ldap certificates issued by an external CA (C=FR, O=CNRS, CN=CNRS2-Standard), which is an intermediate CA, signed by the root CA (C=FR, O=CNRS, CN=CNRS2)
Your goal is to "replace our external CA to an Internal one": do you mean that you want IPA to act as a certificate authority, or use a different CA authority instead of C=FR, O=CNRS, CN=CNRS2-Standard?
flo
Thank you
Regards,
Frederic
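The diagnostic Florence walks through above (list the NSS database, pick the nickname with "u,u,u" trust flags, then compare the certificate's Issuer against the deployment's certificate subject base from ipa config-show) can be scripted. The following is an added example, not code from the thread or from FreeIPA itself. It parses constructed sample certutil output embedded inline; the function names, the sample nicknames and serial number, and the "run_certutil" helper are this example's own assumptions. It relies on one FreeIPA convention: the embedded IPA CA's subject is "CN=Certificate Authority" under the configured subject base.

```python
"""Decide whether a FreeIPA server's HTTP/LDAP certificate was issued by the
embedded IPA CA or by an external CA, from `certutil -L` output.

Added example for the thread; constructed sample data, not real output.
"""
import re
import subprocess
from typing import Dict, List

# Constructed sample of `certutil -L -d <nssdb>`: the server's own cert
# (with private key) carries the trust flags "u,u,u".
SAMPLE_LIST = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
CNRS2-Standard                                               CT,C,C
CNRS2                                                        CT,C,C
"""

# Constructed sample of `certutil -L -d <nssdb> -n Server-Cert` (abridged).
SAMPLE_DETAIL = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4242 (0x1092)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=CNRS2-Standard,O=CNRS,C=FR"
        Validity:
            Not Before: Wed Jan 04 09:00:00 2023
            Not After : Thu Jan 04 09:00:00 2024
        Subject: "E=sysres@lix.polytechnique.fr,CN=ipa3.lix.polytechnique.fr,O=CNRS,C=FR"
"""


def run_certutil(nssdb: str, nickname: str = "") -> str:
    """Hypothetical helper: run certutil -L against a live NSS database.
    Not used by the offline demonstration below."""
    cmd = ["certutil", "-L", "-d", nssdb]
    if nickname:
        cmd += ["-n", nickname]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def server_nicknames(list_output: str) -> List[str]:
    """Nicknames whose trust flags are exactly 'u,u,u' (certs with a private key)."""
    nicks = []
    for line in list_output.splitlines():
        m = re.match(r"^(.*?)\s{2,}u,u,u\s*$", line)
        if m:
            nicks.append(m.group(1).strip())
    return nicks


def subject_issuer(detail_output: str) -> Dict[str, str]:
    """Extract the quoted Issuer and Subject DNs from `certutil -L -n` output."""
    found = {}
    for key in ("Issuer", "Subject"):
        m = re.search(rf'^\s*{key}:\s*"(.*)"\s*$', detail_output, re.M)
        if m:
            found[key.lower()] = m.group(1)
    return found


def dn_to_dict(dn: str) -> Dict[str, str]:
    """Split a certutil-style DN ('CN=x,O=y,C=z') into attribute -> value.
    Deliberately naive: escaped commas inside values are not handled."""
    parts = {}
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts[attr.strip().upper()] = value.strip()
    return parts


def classify_issuer(issuer_dn: str, ipa_subject_base: str) -> str:
    """Return 'ipa-ca' when the issuer is the embedded IPA CA, i.e.
    CN=Certificate Authority under the deployment's certificate subject base
    (the 'Base de sujet de certificat' line of ipa config-show), else 'external'."""
    issuer = dn_to_dict(issuer_dn)
    base = dn_to_dict(ipa_subject_base)
    if issuer.get("CN") == "Certificate Authority" and all(
        issuer.get(attr) == value for attr, value in base.items()
    ):
        return "ipa-ca"
    return "external"


if __name__ == "__main__":
    # Offline walk-through on the constructed samples.
    for nick in server_nicknames(SAMPLE_LIST):
        info = subject_issuer(SAMPLE_DETAIL)
        verdict = classify_issuer(info["issuer"], "O=LIX.POLYTECHNIQUE.FR")
        print(f"{nick}: issuer={info['issuer']!r} -> {verdict}")
```

An "external" verdict for both the HTTP and LDAP certificates, together with a config-show output that lists no CA renewal master beyond the single server, is the CA-less signature Florence describes; an "ipa-ca" verdict would mean the embedded CA is already in play.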
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue