On Fri, Mar 13, 2015 at 4:44 PM, Rob Crittenden <[email protected]> wrote:
> The CA-less install was improved in IPA 3.3. It can sorta work in 3.0
> but it will be bumpy. A number of bugs were fixed in
> ipa-server-certinstall, the tool used to replace the IPA certs with
> user-provided certs. Or you can pass in PKCS#12 files during the install
> but the root CA is implicit in that case so you need to be careful in
> creating the file.
>
> You still need an SSL cert for LDAP as well. SSL is used to bootstrap
> replication when a new master is set up. When that is done the agreement
> is converted to using GSSAPI.
>

Aha, I was about to ask about this since a CA-less install still requires a dirsrv cert. Thanks.

> The clients (depending on version) will still ask for a host cert on
> install but it is generally treated as a non-fatal error if one isn't
> obtained.
>

Was also going to ask about this since the v3 CA-less wiki page mentions the need to obtain host certs but is not very clear about what it was used for.

> Otherwise it should work, but as Dmitri points out you are limiting
> yourself upgrade-wise. The only migration paths from one version of IPA
> to another are replication, in which case you still wouldn't be able to
> add a CA, or via the LDAP migration routines which only migrate users
> and groups currently.
>

Not being able to do the upgrade easily will definitely be a showstopper. Ok, I'm going to go back to attempting to sign the IPA CA with our own, then, and I'll open a separate thread if that doesn't work. I may just start from scratch with that.

Thank you Dmitri and Rob for the clear/concise info.

johnny
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
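Rob's warning that the root CA is implicit in a PKCS#12 file is the part most people get wrong, so here is an added example (not from the thread or from the FreeIPA project) showing how to build the bundle with the issuer chain embedded and how to check that the chain is really inside it before feeding it to the installer. It assumes `openssl` is on PATH; the root CA, server certificate and password are constructed throw-away demo material.

```shell
#!/bin/sh
# Added example, not from the thread: build a PKCS#12 bundle for a CA-less
# IPA install that carries the issuer chain (the "implicit root CA"), then
# check that the chain is really inside the file before handing it to the
# installer. Assumes openssl is on PATH; the CA and server certificate below
# are constructed throw-away demo material, as is the password.
WORK="${WORK:-$(mktemp -d)}"
P12PASS=Secret123   # constructed demo password

# Constructed demo PKI: one self-signed root and one server cert it issues.
make_demo_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ipa.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -out "$WORK/server.crt" 2>/dev/null
}

# Bundle key + leaf into PKCS#12. With $2 = "with", -certfile also embeds the
# issuer chain; leaving it out is the mistake the thread warns about.
build_p12() {
    chain=""
    [ "$2" = "with" ] && chain="-certfile $WORK/ca.crt"
    openssl pkcs12 -export -in "$WORK/server.crt" -inkey "$WORK/server.key" \
        $chain -name ipa -passout "pass:$P12PASS" -out "$1" 2>/dev/null
}

# Number of certificates in the bundle: a usable CA-less bundle holds >= 2
# (the leaf plus at least one issuer).
p12_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$P12PASS" 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

# Stronger check: pull the issuer certs (-cacerts) and the leaf (-clcerts)
# back out and verify the leaf against them. Exit status 0 = chain is usable.
p12_chain_verifies() {
    openssl pkcs12 -in "$1" -nokeys -cacerts -passin "pass:$P12PASS" \
        -out "$WORK/chain.pem" 2>/dev/null
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$P12PASS" \
        -out "$WORK/leaf.pem" 2>/dev/null
    openssl verify -CAfile "$WORK/chain.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}
if [ "${1:-}" = "demo" ]; then
    make_demo_certs && build_p12 "$WORK/ipa.p12" with &&
    echo "certs in bundle: $(p12_cert_count "$WORK/ipa.p12")" &&
    p12_chain_verifies "$WORK/ipa.p12" && echo "chain verifies"
fi
```

Run it with `demo` as the first argument to see both checks pass on a correctly built bundle; a bundle made without `-certfile` reports a single certificate and fails the verify step.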
