Description of problem:
This would be much easier to understand with an example of exporting the crt to ASCII.

Version-Release number of selected component (if applicable):
1.0

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
It seems there was a lot more wrong/missing in this procedure than realized. I'm working with Rob to fix it.
I think this makes more sense now. If my test machine stops breaking I'll have a go at testing it.
Fix Verified:

Following exists in Section 2.4 of Client config Guide:

1. Modify the following in the /etc/ldap.conf file:

   URI ldap://ipaserver.example.com
   BASE dc=example,dc=com
   HOST ipaserver.example.com
   TLS_CACERTDIR /etc/cacerts/
   TLS_REQCERT allow

2. Log in to the client machine, and become the root user.

3. Change to the directory where you need to install the CA certificate.

   # cd /etc/cacerts

4. Run the following command to copy the CA certificate from the server to the client:

   # wget http://ipaserver.example.com/ipa/config/ca.crt

   If you installed IPA using your own PKCS#12 files then this self-signed CA will not exist.

5. Install the CA certificate as follows:

   # cp cacert.crt /etc/cacerts/`openssl x509 -noout -hash -in cacert.crt`.0

6. If more than one CA certificate is required, concatenate these certificates into a single file.
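The export to ASCII that the original report asked about, combined with the hash-named install from step 5, as an added example that is not part of the guide or of this bug's comments. The function name install_ca is hypothetical; it accepts a PEM or DER certificate, always writes PEM, and picks the next free .N suffix instead of assuming .0.

```shell
#!/bin/sh
# install_ca CERT DIR  (hypothetical helper, not from the guide)
# Writes CERT as PEM (ASCII) into DIR under the <subject-hash>.N name
# that a TLS_CACERTDIR-style directory is searched by, and prints the path.
install_ca() {
    src=$1 dir=$2
    # Accept either encoding: try PEM first, then DER.
    if openssl x509 -in "$src" -inform PEM -noout 2>/dev/null; then
        form=PEM
    elif openssl x509 -in "$src" -inform DER -noout 2>/dev/null; then
        form=DER
    else
        echo "install_ca: $src is not an X.509 certificate" >&2
        return 1
    fi
    hash=$(openssl x509 -in "$src" -inform "$form" -noout -hash) || return 1
    fp=$(openssl x509 -in "$src" -inform "$form" -noout -fingerprint -sha256) || return 1
    mkdir -p "$dir" || return 1
    n=0
    # Two different CAs can share a subject hash, so .0 may already be taken.
    while [ -e "$dir/$hash.$n" ]; do
        # Same certificate already installed: report it and stop.
        if [ "$(openssl x509 -in "$dir/$hash.$n" -noout -fingerprint -sha256)" = "$fp" ]; then
            echo "$dir/$hash.$n"
            return 0
        fi
        n=$((n + 1))
    done
    # -outform PEM is the "export to ASCII" step.
    openssl x509 -in "$src" -inform "$form" -outform PEM -out "$dir/$hash.$n" || return 1
    echo "$dir/$hash.$n"
}
```

With the file downloaded in step 4 this would be called as `install_ca ca.crt /etc/cacerts`.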
Closing.