On 10/13/2014 06:45 PM, quest monger wrote:
I did the default IPA install, didnt change any certs or anything.
As part of that install, it now shows 2 certs, one on port 443 (HTTPS)
and one on port 636 (LDAPS). These certs dont have a trust chain,
hence i called them self-signed.
We have a contract with a third party CA that issues TLS certs for us.
I was asked to find a way to replace those 2 self signed certs with
certs from this third party CA.
I was wondering if there was a way i could do that.
I found this -
http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
I am currently running 3.0.0.
AFAIU the biggest issue will be with the clients.
I suspect that they might be quite confused if you just drop in the
certs from the 3rd party.
If you noticed the page has the following line:
"The certificate in mysite.crt must be signed by the CA used when
installing FreeIPA." I think it should say by "external" CA to be clear.
It is not the case in your situation. If it were the situation the CA
would have been already in trust chain on the clients and procedure
would have worked but I do not think it would work now.
You would need to use the cert chaining tool that was was built in 4.1
when 4.1 gets released on CentOS.
On Mon, Oct 13, 2014 at 6:31 PM, Dmitri Pal <[email protected]
<mailto:[email protected]>> wrote:
On 10/13/2014 03:39 PM, quest monger wrote:
I found some documentation for getting certificate signed by
external CA (2.3.3.2. Using Different CA Configurations) -
http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/creating-server.html
But looks like those instructions apply to a first time fresh
install, not for upgrading an existing install.
On Mon, Oct 13, 2014 at 3:24 PM, quest monger
<[email protected] <mailto:[email protected]>> wrote:
I was told by my admin team that Self-signed certs pose a
security risk.
On Mon, Oct 13, 2014 at 3:17 PM, Rob Crittenden
<[email protected] <mailto:[email protected]>> wrote:
quest monger wrote:
> Hello All,
>
> I installed FreeIPA server on a CentOS host. I have 20+
Linux and
> Solaris clients hooked up to it. SSH and Sudo works on
all clients.
>
> I would like to replace the self-signed cert that is
used on Port 389
> and 636.
>
> Is there a way to do this without re-installing the
server and clients.
Why do you want to do this?
rob
Do I get it right that you installed IPA using self-signed
certificate and now want to change it?
What version of IPA you have? Did you use self-signed CA-less
install or using self-signed CA?
The tools to change the chaining are only being released in 4.1 so
you might have to move to latest when we release 4.1 for CentOS.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
