Add a commercially signed SSL certificate to FreeIPA after installation

on June 6th, 2017 by Hades | No Comments »

FreeIPA is touted as a platform for centralized authentication and identity management, and it fills this role very well. One thing it does not do well is let you add a commercially signed certificate after the FreeIPA installation is complete. You have to either start with a commercially signed cert or live with the self-signed cert forever. No switching sides!

Convert the crt files to PEM format

Create PEM files from the original server certificate and the intermediate certificate

openssl x509 -inform PEM -in ./example.com.crt > /root/example.com.pem
openssl x509 -inform PEM -in ./intermediate.GlobalSign.crt > /root/intermediate.GlobalSign.crt.pem

Concatenate the PEM certificates into a single file: the server certificate first, followed by the intermediate (chain) certificate

cat /root/example.com.pem /root/intermediate.GlobalSign.crt.pem > /root/example.com-GlobalSign.pem

Export the PEM certificate bundle and the private key in PKCS12 format

openssl pkcs12 -export -in /root/example.com-GlobalSign.pem -inkey ./example.com.key -out /root/example.com-Globalsign.p12 -name Example-GlobalSign

Import the PKCS12 (.p12) file into the NSS DB

pk12util -i /root/example.com-Globalsign.p12 -d /etc/httpd/alias

The NSS DB password can be found in /etc/httpd/alias/pwdfile.txt

You can verify that the certificate was imported with the following command

certutil -L -d /etc/httpd/alias -n Example-GlobalSign

Set the Example-GlobalSign nickname in the nss.conf configuration file

NSSNickname Example-GlobalSign

Restart HTTPD

service httpd restart
