Setting up IPA with a specific CA cert subject

If you are doing experiments with IPA where you install and reinstall IPA servers, you may notice SSL certificate errors when connecting to an IPA server using Firefox. The reason is that the CA certificate is always created with the same Organization and the same serial number, so a reinstalled server presents a certificate that Firefox rejects as invalid.

Normal users are usually only affected when using the same Realm and DNS subdomain for the test and production environment, which is not recommended anyway.

Reproducing the issue
1. Set up IPA with ipa-server-install.
2. Connect to the WebUI using Firefox.
3. Unconfigure IPA with ipa-server-install --uninstall.
4. Configure IPA again with ipa-server-install.
5. Connect to the WebUI using Firefox again: it no longer works and throws an error message like “An error occurred during a connection to ipa1.example.com. You have received an invalid certificate”.

See also FreeIPA Ticket #2016.

Unfortunately it is not trivial to fix this behavior as different components need to be changed.

Workaround
There is an easy workaround for this issue: just pass the --subject option when configuring IPA.

[root@ipa1 ~]# ipa-server-install --subject="O=EXAMPLE.COM 201511291216" --more-options-as-you-need

O=EXAMPLE.COM should be replaced with the Realm you plan to set up, and the number should be a timestamp of the form <year><month><day><hour><minute>, so that every (re)install gets a CA certificate subject that differs from the previous one.

Unfortunately I don't know if there is an easy way to change already set up servers as the CA cert would need to be recreated.
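The reproduction steps and the workaround above both come down to one thing: the subject passed to ipa-server-install must differ between installs. The following added example (not code from the original post or from FreeIPA) wraps that in a small POSIX sh helper: it builds the "O=<REALM> <YYYYMMDDHHMM>" subject, validates realm and timestamp, refuses to reinstall with a subject already recorded from an earlier run, and only then calls ipa-server-install. The function names, the IPA_SUBJECT_HISTORY state file, the DRY_RUN and IPA_SUBJECT_STAMP variables and the history file's default path are assumptions made for this example; --subject and --setup-dns are real ipa-server-install options.

```shell
#!/bin/sh
# Added example: build a unique CA subject for ipa-server-install and
# refuse to reuse one from a previous install. Helper names, variables and
# the default history path are assumptions, not FreeIPA conventions.

# ipa_ca_subject REALM [YYYYMMDDHHMM]
# Prints "O=REALM YYYYMMDDHHMM"; the timestamp defaults to the current UTC minute.
ipa_ca_subject() {
    realm=$1
    stamp=${2:-$(date -u +%Y%m%d%H%M)}
    # Realm is expected upper case, DNS-like, non-empty (sanity check only).
    case "$realm" in
        ''|*[!A-Z0-9.-]*) printf 'bad realm: %s\n' "$realm" >&2; return 1 ;;
    esac
    # Exactly twelve digits: year, month, day, hour, minute.
    case "$stamp" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) printf 'bad timestamp: %s\n' "$stamp" >&2; return 1 ;;
    esac
    printf 'O=%s %s\n' "$realm" "$stamp"
}

# ipa_ca_subject_is_new SUBJECT [HISTORY_FILE]
# Returns 0 if SUBJECT was never recorded, 1 if a previous install used it.
ipa_ca_subject_is_new() {
    subject=$1
    state=${2:-/var/lib/ipa-subject-history.txt}   # assumed path
    [ -f "$state" ] || return 0
    ! grep -Fxq -- "$subject" "$state"
}

# ipa_record_ca_subject SUBJECT [HISTORY_FILE]
ipa_record_ca_subject() {
    printf '%s\n' "$1" >> "${2:-/var/lib/ipa-subject-history.txt}"
}

# ipa_install_with_unique_subject REALM [ipa-server-install options...]
# With DRY_RUN set, prints the command instead of running it.
# IPA_SUBJECT_STAMP (optional) fixes the timestamp, e.g. for testing.
ipa_install_with_unique_subject() {
    realm=$1; shift
    subject=$(ipa_ca_subject "$realm" "$IPA_SUBJECT_STAMP") || return 1
    ipa_ca_subject_is_new "$subject" "$IPA_SUBJECT_HISTORY" || {
        printf 'subject "%s" already used; wait a minute and retry\n' "$subject" >&2
        return 1
    }
    if [ -n "$DRY_RUN" ]; then
        printf 'ipa-server-install --subject="%s"%s\n' "$subject" "${*:+ $*}"
    else
        ipa-server-install --subject="$subject" "$@" || return 1
    fi
    # Only remember subjects that were actually handed to the installer.
    ipa_record_ca_subject "$subject" "$IPA_SUBJECT_HISTORY"
}
```

Typical use on the server is `ipa_install_with_unique_subject EXAMPLE.COM --setup-dns` (plus whatever other options the install needs); the history file makes a second run inside the same minute fail loudly instead of silently reproducing the Firefox error from the steps above.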
