On RHEL 6 IPA uses separate DS instances for IPA and PKI:

- slapd-EXAMPLE-COM
  - port: 389
  - namespace: dc=example,dc=com
- slapd-PKI-IPA
  - port: 7389
  - namespace: o=ipaca

On RHEL 7 IPA uses only one DS instance:

- port: 389/636
- namespaces:
  - dc=example,dc=com
  - o=ipaca
Configure certificate mapping in /etc/dirsrv/slapd-EXAMPLE-COM/certmap.conf:

```
# search entire directory for (uid=<UID in subject DN>)
certmap default default
default:DNComps
default:FilterComps    uid

# search entire directory for (seeAlso=<subject DN>)
# then compare client certificate with userCertificate
certmap example CN=Certificate Authority,O=EXAMPLE.COM
example:CmapLdapAttr   seeAlso
example:verifycert     on
```
List the DS certificates with this command:

```
$ certutil -L -d /etc/dirsrv/slapd-EXAMPLE-COM

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,C,C
Server-Cert                                                  u,u,u
```
Make sure the nicknames and trust attributes are as shown above.
Check each certificate with the following command:

```
$ certutil -L -d /etc/dirsrv/slapd-EXAMPLE-COM -n "<nickname>"
```

Verify that the following information is correct:

- subject DN
- issuer DN
- validity dates
- certificate usages
List the PKI certificates with this command:

```
$ certutil -L -d /var/lib/pki/pki-tomcat/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
```
Make sure the nicknames and trust attributes are as shown above.
Check each certificate with the following command:

```
$ certutil -L -d /var/lib/pki/pki-tomcat/alias -n "<nickname>"
```

Verify that the following information is correct:

- subject DN
- issuer DN
- validity dates
- certificate usages
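The two "make sure the nicknames and trust attributes are as shown" checks above, and the per-certificate subject/issuer/validity check, are easy to get wrong by eye on a host with many certificates. The following Python script is an added example (not part of this page or of the IPA project) that parses `certutil -L` listing output and `certutil -L -n <nickname>` detail output, compares nicknames and trust attributes against the tables given on this page for both the DS and the PKI database, and checks subject DN, issuer DN and validity dates. The embedded certutil output is constructed to mirror the listings above; the subject DN `CN=ipa.example.com,O=EXAMPLE.COM`, the serial number and the validity dates are assumptions.

```python
import re
from datetime import datetime

# --- constructed sample output (not captured from a real host) -------------

# `certutil -L -d /etc/dirsrv/slapd-EXAMPLE-COM`
SAMPLE_DS_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,C,C
Server-Cert                                                  u,u,u
"""

# `certutil -L -d /var/lib/pki/pki-tomcat/alias`
SAMPLE_PKI_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
"""

# Abridged `certutil -L -d /etc/dirsrv/slapd-EXAMPLE-COM -n Server-Cert`;
# subject, serial and dates are assumed values.
SAMPLE_DETAIL = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7 (0x7)
        Issuer: "CN=Certificate Authority,O=EXAMPLE.COM"
        Validity:
            Not Before: Wed Jan 10 12:00:00 2024
            Not After : Tue Jan 08 12:00:00 2036
        Subject: "CN=ipa.example.com,O=EXAMPLE.COM"
"""
# Same certificate shape with a validity window that has already ended.
SAMPLE_DETAIL_EXPIRED = SAMPLE_DETAIL.replace(
    "Wed Jan 10 12:00:00 2024", "Mon Sep 01 10:00:00 2014"
).replace("Tue Jan 08 12:00:00 2036", "Thu Sep 01 10:00:00 2016")

# Expected nickname -> trust attributes, copied from the listings on this page.
EXPECTED_DS = {"EXAMPLE.COM IPA CA": "CT,C,C", "Server-Cert": "u,u,u"}
EXPECTED_PKI = {
    "caSigningCert cert-pki-ca": "CTu,Cu,Cu",
    "Server-Cert cert-pki-ca": "u,u,u",
    "auditSigningCert cert-pki-ca": "u,u,Pu",
    "ocspSigningCert cert-pki-ca": "u,u,u",
    "subsystemCert cert-pki-ca": "u,u,u",
}

# A listing row: nickname, two or more spaces, three comma-separated groups of
# NSS trust flags (C/T/c/P/p/u/w, a group may be empty). The header lines do
# not match because "Trust Attributes" and "SSL,S/MIME,JAR/XPI" are not flags.
ROW_RE = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*)\s*$")
DETAIL_RES = {
    "subject": re.compile(r'^\s*Subject: "(.*)"\s*$'),
    "issuer": re.compile(r'^\s*Issuer: "(.*)"\s*$'),
    "not_before": re.compile(r"^\s*Not Before: (.*\S)\s*$"),
    "not_after": re.compile(r"^\s*Not After : (.*\S)\s*$"),
}
CERTUTIL_TIME = "%a %b %d %H:%M:%S %Y"  # certutil's validity date format


def parse_listing(text):
    """Map nickname -> trust attributes from `certutil -L -d <dbdir>` output."""
    certs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            certs[m["nick"].strip()] = m["trust"]
    return certs


def check_trust(listing, expected):
    """Return a list of problems; an empty list means the database matches."""
    problems = []
    for nick, trust in expected.items():
        if nick not in listing:
            problems.append(f"missing certificate: {nick}")
        elif listing[nick] != trust:
            problems.append(f"{nick}: trust is {listing[nick]}, expected {trust}")
    problems += [f"unexpected certificate: {n}" for n in listing if n not in expected]
    return problems


def parse_detail(text):
    """Pull subject, issuer and validity out of `certutil -L -d <dbdir> -n <nick>`."""
    fields = {}
    for line in text.splitlines():
        for name, rx in DETAIL_RES.items():
            m = rx.match(line)
            if m:
                fields[name] = m.group(1)
    return fields


def check_detail(fields, subject, issuer, now=None):
    """Verify subject DN, issuer DN, and that `now` lies inside the validity window."""
    now = now or datetime.now()
    problems = []
    if fields.get("subject") != subject:
        problems.append(f"subject is {fields.get('subject')!r}, expected {subject!r}")
    if fields.get("issuer") != issuer:
        problems.append(f"issuer is {fields.get('issuer')!r}, expected {issuer!r}")
    not_before = datetime.strptime(fields["not_before"], CERTUTIL_TIME)
    not_after = datetime.strptime(fields["not_after"], CERTUTIL_TIME)
    if now < not_before:
        problems.append(f"not yet valid: Not Before is {not_before}")
    if now > not_after:
        problems.append(f"expired: Not After is {not_after}")
    return problems


if __name__ == "__main__":
    for name, listing, expected in (("DS", SAMPLE_DS_LISTING, EXPECTED_DS),
                                    ("PKI", SAMPLE_PKI_LISTING, EXPECTED_PKI)):
        print(name, check_trust(parse_listing(listing), expected) or "trust attributes OK")
    ca, subj = "CN=Certificate Authority,O=EXAMPLE.COM", "CN=ipa.example.com,O=EXAMPLE.COM"
    print("Server-Cert", check_detail(parse_detail(SAMPLE_DETAIL), subj, ca) or "OK")
    print("expired sample", check_detail(parse_detail(SAMPLE_DETAIL_EXPIRED), subj, ca))
```

On a live host, feed the parsers the real output, for example `subprocess.run(["certutil", "-L", "-d", dbdir], capture_output=True, text=True).stdout`, and keep the expected tables in sync with the nicknames and trust attributes shown on this page. The script only reads the NSS databases; it never modifies trust flags, so a mismatch it reports still has to be investigated and fixed by hand.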