> Because according to the documentation here, it should be possible to switch
> https://floblanc.wordpress.com/2017/12/05/demystifying-the-certificate-au...
>
> I installed FreeIPA without any embedded CA but I change my mind?
>
> FreeIPA allows to install an embedded CA at a later time, using
> ipa-ca-install. The tool
> provides the same options as ipa-server-install: you can either install a
> self-signed CA
> or an externally signed CA.
>
> Important: installing an embedded CA with ipa-ca-install does not replace the
> HTTP and
> LDAP server certificates. If they were initially delivered by an external CA,
> they will
> not be automatically renewed.
Sorry, I pasted it wrong here

I installed FreeIPA with a self-signed CA but I'd rather have an externally-signed CA?

FreeIPA allows to switch from self-signed CA to externally-signed CA using ipa-cacert-manage renew --external-ca. This is a 2-step process similar to ipa-server-install --external-ca, where the 1st step produces a CSR that needs to be supplied to an external CA. The external CA then issues a CA cert that is provided back to ipa-cacert-manage renew through the --external-cert-file option.

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
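An added example, not part of the original message or of the FreeIPA documentation: between the two steps described above, the certificate returned by the external CA can be checked before it is passed to `--external-cert-file`. The helper names, the file names and the CSR location in the comments are assumptions for illustration, and the checks rely on the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example. Assumed file names: ca.csr (CSR written by step 1),
# ipa-ca.crt (certificate issued by the external CA), chain.pem (its chain).

# Print the public key carried by a CSR / by a certificate, as PEM.
csr_pubkey()  { openssl req  -in "$1" -noout -pubkey 2>/dev/null; }
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# True only if the certificate certifies the key the CSR asked for.
cert_matches_csr() {   # $1 = CSR, $2 = certificate
    [ -n "$(csr_pubkey "$1")" ] &&
        [ "$(csr_pubkey "$1")" = "$(cert_pubkey "$2")" ]
}

# True only if the certificate carries basicConstraints CA:TRUE, i.e. the
# external CA issued a CA certificate and not an ordinary server certificate.
cert_is_ca() {         # $1 = certificate
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# True only if the certificate verifies against the external CA chain.
cert_chains_to() {     # $1 = chain PEM, $2 = certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Run all checks. Returns 0 if OK, 1 key mismatch, 2 not a CA, 3 bad chain.
check_signed_ca_cert() {   # $1 = CSR, $2 = certificate, $3 = chain PEM
    cert_matches_csr "$1" "$2" || { echo "cert key differs from CSR" >&2; return 1; }
    cert_is_ca "$2"            || { echo "cert is not a CA cert" >&2; return 2; }
    cert_chains_to "$3" "$2"   || { echo "cert does not chain to $3" >&2; return 3; }
}

# Intended use on the IPA server (paths are assumptions, adjust to your host):
#   ipa-cacert-manage renew --external-ca        # step 1: produces the CSR
#   ... submit the CSR to the external CA, receive ipa-ca.crt and chain.pem ...
#   check_signed_ca_cert /path/to/ca.csr ipa-ca.crt chain.pem &&
#     ipa-cacert-manage renew --external-cert-file=ipa-ca.crt \
#                             --external-cert-file=chain.pem   # step 2
```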
