Add a commercially signed SSL certificate to FreeIPA after installation

on June 6th, 2017 by Hades | No Comments »

FreeIPA is touted as a platform for centralized authentication/identity management, and it fills this role very well. One thing that it does not do well allows you to add a commercially signed certificate after the FreeIPA installation is complete. You have to either start with a commercially signed cert, or live with the self-signed cert forever. No switching sides!

Convert crt file in PEM format

Create pem file from original certificate

openssl x509 -inform PEM -in ./ > /root/
openssl x509 -inform PEM -in ./intermediate.GlobalSign.crt > /root/intermediate.GlobalSign.crt.pem

Concatenate PEM certificate in single file, Root crt and Chain crt

cat /root/ /root/intermediate.GlobalSign.crt.pem > /root/

Export PEM cert and private key in PKCS12 format

openssl pkcs12 -export -in -inkey ./ -out /root/ -name Example-GlobalSign

Import PKCS12 (.p12) certificate in NSS DB

pk12util -i /root/ -d /etc/httpd/alias

The password for NSS DB you can found here: /etc/httpd/alias/pwdfile.txt

You can verify your certificate using following command

certutil -L -d /etc/httpd/alias -n Example-GlobalSign

put Example-GlobalSign nickname in nss.conf config file

NSSNickname Example-GlobalSign

Restart HTTPD

service httpd restart


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.