Product SiteDocumentation Site

16.3. Configuring Alternate Certificate Authorities

FreeIPA creates a Dogtag Certificate System certificate authority (CA) during the server installation process. To use an external CA, it is possible to create the required server certificates and then import them into the 389 Directory Server and the HTTP server, which require FreeIPA server certificates.


Save an ASCII copy of the CA certificate as /usr/share/ipa/html/ca.crt. This allows users to download the correct certificate when they configure their browsers.
  1. Use the ipa-server-certinstall command to install the certificate.
    # /usr/sbin/ipa-server-certinstall -d /path/to/pkcs12.p12
  2. To keep using browser autoconfiguration in Firefox, regenerate the /usr/share/ipa/html/configure.jar file.
    1. Create a directory, and then create the new security databases in that directory.
      # mkdir /tmp/signdb
      # certutil -N -d /tmp/signdb
    2. Import the PKCS #12 file for the signing certificate into that directory.
      # pk12util -i /path/to/pkcs12.p12 -d /tmp/signdb
    3. Make a temporary signing directory, and copy the FreeIPA JavaScript file to that directory.
      # mkdir /tmp/sign
      # cp /usr/share/ipa/html/preferences.html /tmp/sign
    4. Use the object signing certificate to sign the JavaScript file and to regenerate the configure.jar file.
      # signtool -d /tmp/signdb -k Signing_cert_nickname -Z /usr/share/ipa/html/configure.jar -e .html /tmp/sign