> Hi,
> 
> maybe you can explain first what you're trying to achieve. Do you want to
> install IPA without a CA? If it's a fresh installation, you can use
> ipa-server-install and provide the HTTP/LDAP/PKINIT certificates using the
> options --dirsrv-cert-file / --http-cert-file / --pkinit-cert-file /
> --dirsrv-pin / --http-pin / --pkinit-pin and provide the CA with
> --ca-cert-file. This way, you don't need to go through the painful steps of
> removing the CA functionality from IPA.
> For more information please refer to Determining What CA Configuration to
> Use [1], and Installing Without a CA [2].
> I'm pointing to RHEL7 documentation as you mentioned you're using ipa 4.3
> (which is a bit outdated...)
> 
> The blog you're referring to clearly mentions that there is *no supported
> way to remove the CA from a CA-ful deployment*. The instructions are
> provided for you to try but are not officially supported.
> 
> On Tue, Jul 5, 2022 at 1:31 PM roy liang via FreeIPA-users <
> freeipa-users(a)lists.fedorahosted.org> wrote:
> 
> If you remove the embedded CA, be aware that any certificate issued by this
> CA will not be trusted any more. This blog may help you understand what the
> CA does in IPA: Demystifying the Certificate Authority component in FreeIPA
> [3]
> 
> If no entry is found, then there is no need to delete anything. You can
> skip this step.
> 
> 
> Please read Certificate Authority ACL Rules [4] to understand what CA ACL
> entries are.
> 
> HTH,
> flo
> 
> [1]
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
> [2]
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
> [3]
> https://floblanc.wordpress.com/2017/12/05/demystifying-the-certificate-au...
> [4]
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
I hope to make the service normal by changing the CA, as long as a new copy can 
be made, even if the CA-related security components can be completely deleted. 
Our intranet is not very important for security; as long as the service can 
work normally, I hope to have a guidance document in this respect.