Hi,

maybe you can explain first what you're trying to achieve. Do you want to install IPA without a CA? If it's a fresh installation, you can use ipa-server-install and provide the HTTP/LDAP/PKINIT certificates using the options --dirsrv-cert-file / --http-cert-file / --pkinit-cert-file / --dirsrv-pin / --http-pin / --pkinit-pin and provide the CA with --ca-cert-file. This way, you don't need to go through the painful steps of removing the CA functionality from IPA. For more information please refer to Determining What CA Configuration to Use [1], and Installing Without a CA [2]. I'm pointing to RHEL7 documentation as you mentioned you're using ipa 4.3 (which is a bit outdated...)

The blog you're referring to clearly mentions that there is *no supported way to remove the CA from a CA-ful deployment*. The instructions are provided for you to try but are not officially supported.

On Tue, Jul 5, 2022 at 1:31 PM roy liang via FreeIPA-users <[email protected]> wrote:

> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
> I have generated my own CA and CA sub-certificates and successfully added
> them according to this document. Now I want to remove the previous CA and
> CA-related sub-certificates in the system.

If you remove the embedded CA, be aware that any certificate issued by this CA will not be trusted any more. This blog may help you understand what the CA does in IPA: Demystifying the Certificate Authority component in FreeIPA [3]

> According to the steps in this document, I am currently stuck in this step.
>
> https://frasertweedale.github.io/blog-redhat/posts/2019-10-24-removing-ipa-ca.html#delete-ipa-ca-and-sub-ca-entries
> How do I do that?
>
> My Linux: Ubuntu 16.04, FreeIPA 4.3
>
> 1:
> #ldapsearch -Y GSSAPI -QLLL -b cn=masters,cn=ipa,cn=etc,dc=yydevops,dc=com '(cn=CA)'
> dn: cn=CA,cn=migration-ipa-65-214.hiido.host.yydevops.com,cn=masters,cn=ipa,cn=etc,dc=yydevops,dc=com
> objectClass: ipaConfigObject
> objectClass: nsContainer
> objectClass: top
> ipaConfigString: enabledService
> ipaConfigString: startOrder 50
> ipaConfigString: caRenewalMaster
> cn: CA
>
> #ldapdelete -Y GSSAPI -Q cn=CA,cn=migration-ipa-65-214.hiido.host.yydevops.com,cn=masters,cn=ipa,cn=etc,dc=yydevops,dc=com
>
> 2:
> #ldapsearch -h localhost -p 389 -D cn="directory manager" -w directorypassxx -b cn=certificates,cn=ipa,cn=etc,dc=yydevops,dc=com | grep ^dn:
>
> dn: cn=certificates,cn=ipa,cn=etc,dc=yydevops,dc=com
> dn: cn=YYDEVOPS.COM IPA CA,cn=certificates,cn=ipa,cn=etc,dc=yydevops,dc=com
> dn: cn=newca,cn=certificates,cn=ipa,cn=etc,dc=yydevops,dc=com
>
> ldapdelete -Y GSSAPI -Q "cn=YYDEVOPS.COM IPA CA,cn=certificates,cn=ipa,cn=etc,dc=yydevops,dc=com"
>
> 3:
> # certutil -d /etc/dirsrv/slapd-YYDEVOPS-COM/ -L
> Certificate Nickname                 Trust Attributes
>                                      SSL,S/MIME,JAR/XPI
>
> newca                                u,u,u
> YYDEVOPS.COM IPA CA                  CT,C,C
> newca                                C,,
>
> #certutil -d /etc/dirsrv/slapd-YYDEVOPS-COM/ -D -n 'YYDEVOPS.COM IPA CA'
> #certutil -d /etc/ipa/nssdb -D -n 'YYDEVOPS.COM IPA CA'
>
> 4:
> #ldapsearch -Y GSSAPI -QLLL -b dc=yydevops,dc=com '(objectclass=ipaca)' 1.1
> I can't find any ipaca entry certificate here, why? How do I delete the
> original sub-CA entries for this system?

If no entry is found, then there is no need to delete anything. You can skip this step.

> 5:
> Are the entries in ipacaACL sub-CA entries? Can I delete this entry? ipaca
> and ipacaacl: will it make any difference?
> root@migration-ipa-65-214:~/new_ca# ldapsearch -Y GSSAPI -QLLL -b dc=yydevops,dc=com | grep ipaca
> ipaReplTopoManagedSuffix: o=ipaca
> objectClass: ipacaacl
> ipaReplTopoConfRoot: o=ipaca
> ipaPermTargetFilter: (objectclass=ipacaacl)
> ipaPermTargetFilter: (objectclass=ipacaacl)
> ipaPermTargetFilter: (objectclass=ipacaacl)
> ipaPermDefaultAttr: ipacacategory
> ipaPermTargetFilter: (objectclass=ipacaacl)
> ipaPermTargetFilter: (objectclass=ipacaacl)
> ipaPermDefaultAttr: ipacacategory
>
> root@migration-ipa-65-214:~/new_ca# ldapsearch -Y GSSAPI -QLLL -b dc=yydevops,dc=com '(objectclass=ipacaacl)' 1.1
> dn: ipaUniqueID=05c04bac-fc16-11ec-a218-246e967383f8,cn=caacls,cn=ca,dc=yydevops,dc=com
>
> Can I delete this entry?
> ldapdelete -Y GSSAPI -Q ipaUniqueID=05c04bac-fc16-11ec-a218-246e967383f8,cn=caacls,cn=ca,dc=yydevo

Please read Certificate Authority ACL Rules [4] to understand what CA ACL entries are.

HTH,
flo

[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/install-server#install-determine-ca
[2] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/install-server#install-server-without-ca
[3] https://floblanc.wordpress.com/2017/12/05/demystifying-the-certificate-authority-component-in-freeipa/
[4] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/index#ca-acls

> If not, how do I delete sub-CA entries? I request guidance, thank you very
> much
>
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
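As an added check after the exchange above (example code written for this page, not the poster's commands or FreeIPA's own tooling): a small parser for `certutil -L` output that reports which nicknames in an NSS database still carry CA trust flags, so that after `certutil -D` one can confirm only the intended CA remains a trust anchor. The listing below is a constructed sample modelled on step 3 of the thread.

```python
import re
from typing import List, NamedTuple, Set

# Constructed sample, modelled on the `certutil -L` listing in the thread
# (not a capture from the poster's system).
SAMPLE_LISTING = """\
Certificate Nickname                 Trust Attributes
                                     SSL,S/MIME,JAR/XPI

newca                                u,u,u
YYDEVOPS.COM IPA CA                  CT,C,C
newca                                C,,
"""

class NssCert(NamedTuple):
    nickname: str
    ssl: str    # trust flags for the SSL slot
    smime: str  # trust flags for the S/MIME slot
    jar: str    # trust flags for the JAR/XPI (object signing) slot

    def is_trusted_ca(self) -> bool:
        # C = trusted CA, T = trusted CA for client auth (SSL slot only)
        return any(f in "CT" for f in self.ssl + self.smime + self.jar)

    def has_private_key(self) -> bool:
        # u = user certificate: the private key is present in this NSS DB
        return "u" in self.ssl + self.smime + self.jar

# nickname, 2+ spaces, then three comma-separated flag groups (each may be empty)
_ROW = re.compile(r"^(?P<nick>.+?)\s{2,}(?P<flags>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)$")

def parse_certutil_list(text: str) -> List[NssCert]:
    """Parse `certutil -d <nssdb> -L` output; header and blank lines are skipped.
    Duplicate nicknames (as in the thread's listing) are kept, not merged."""
    certs: List[NssCert] = []
    for raw in text.splitlines():
        m = _ROW.match(raw.strip())
        if m:
            ssl, smime, jar = m.group("flags").split(",")
            certs.append(NssCert(m.group("nick"), ssl, smime, jar))
    return certs

def trusted_ca_nicknames(text: str) -> List[str]:
    """Nicknames that the database still treats as trust anchors."""
    return [c.nickname for c in parse_certutil_list(text) if c.is_trusted_ca()]

def unexpected_trust_anchors(text: str, allowed: Set[str]) -> List[str]:
    """Trust anchors not in `allowed`; empty once only the intended CA(s) remain."""
    return [n for n in trusted_ca_nicknames(text) if n not in allowed]
```

Feed it the real output of `certutil -d /etc/dirsrv/slapd-YYDEVOPS-COM/ -L` and `certutil -d /etc/ipa/nssdb -L` with the set of CA nicknames you intend to keep; anything reported back is a leftover trust anchor.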
