Overview

On RHEL 6 IPA uses separate DS instances for IPA and PKI:

slapd-EXAMPLE-COM
- port: 389
- namespace: dc=example,dc=com
slapd-PKI-IPA
- port: 7389
- namespace: o=ipaca

On RHEL 7 IPA uses only one DS instance:

port: 389/636
namespaces:
- dc=example,dc=com
- o=ipaca

DS Installation

Configure certificate mapping in /etc/dirsrv/slapd-EXAMPLE-COM/certmap.conf:

# search entire directory for (uid=<UID in subject DN>)
certmap default         default
default:DNComps
default:FilterComps     uid

# search entire directory for (seeAlso=<subject DN>)
# then compare client certificate with userCertificate
certmap example         CN=Certificate Authority,O=EXAMPLE.COM
example:CmapLdapAttr    seeAlso
example:verifycert      on

Verifying DS Certificates

List the DS certificates with this command:

$ certutil -L -d /etc/dirsrv/slapd-EXAMPLE-COM

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,C,C
Server-Cert                                                  u,u,u

Make sure the nicknames and trust attributes are as shown above.

Check each certificate with the following command:

$ certutil -L -d /etc/dirsrv/slapd-EXAMPLE-COM -n "<nickname>"

Verify that the following information is correct:

subject DN
issuer DN
validity dates
certificate usages

Verifying PKI Certificates

List the PKI certificates with this command:

$ certutil -L -d /var/lib/pki/pki-tomcat/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u

Make sure the nicknames and trust attributes are as shown above.

Check each certificate with the following command:

$ certutil -L -d /var/lib/pki/pki-tomcat/alias -n "<nickname>"

Verify that the following information is correct:

subject DN
issuer DN
validity dates
certificate usages

DS - dogtagpki/freeipa GitHub Wiki

Overview

DS Installation

Verifying DS Certificates

Verifying PKI Certificates

Accessing DS

See Also

⚠️ GitHub.com Fallback ⚠️

DS - dogtagpki/freeipa GitHub Wiki

Overview

DS Installation

Verifying DS Certificates

Verifying PKI Certificates

Accessing DS

See Also

⚠️ **GitHub.com Fallback** ⚠️

⚠️ GitHub.com Fallback ⚠️