On 04/07/2015 02:08 PM, James James wrote:
> I will try to give a better explanation:
>
> I have a CentOS 6.6 with ipa 3.0 named ipa-master. ipa-master has been
> installed with an external CA about 3 years ago and I will have to renew
> the certificate soon.
>
> I have created a test server (ipa-dev) with the same configuration (CentOS
> 6.6 and ipa 3.0) to test the renewal process. I want the new ipa-dev server
> to be installed with an external CA.
>
> At the same time my external CA has changed and wants the emailAddress
> field in the certificate request's subject.
CSR during installation with external CA is produced by Dogtag, so you are
constrained to the options and capabilities provided by ipa-server-install.
Maybe it would be possible to modify the CSR and update the Subject manually,
but I expect it would crash the installer later (JanC may know more (CCed)).

> If it is not possible to add emailAddress in the subject, is it possible to
> migrate my ipa-master CA system from an external CA to a CA-less or
> self-signed CA?

It is, with ipa-cacert-manage - see links below.

> Thanks.
>
> 2015-04-07 13:48 GMT+02:00 Martin Kosek <[email protected]>:
>
>> On 04/07/2015 01:44 PM, James James wrote:
>>> ok.
>>>
>>> Is there a way to migrate from an external CA to a CA-less or a
>>> self-signed CA?
>>
>> Yes, you can use the ipa-cacert-manage tool introduced in FreeIPA 4.1.0:
>>
>> https://www.freeipa.org/page/Howto/CA_Certificate_Renewal
>> https://www.freeipa.org/page/V4/CA_certificate_renewal
>>
>> (Although I am still not sure about your use case and if this would help
>> you)
>>
>>> 2015-04-07 12:51 GMT+02:00 Martin Kosek <[email protected]>:
>>>
>>>> On 04/03/2015 11:39 AM, James James wrote:
>>>>> Hello,
>>>>>
>>>>> I want to initialize a new replica with an external CA. My Certificate
>>>>> Authority wants a CSR with the field emailAddress in the subject like:
>>>>>
>>>>> /C=FR/O=TESTO/OU=TESTOU/CN=*.example.com/[email protected]
>>>>
>>>> Now I am a bit confused. Do you plan to have FreeIPA *without* a CA or
>>>> with its own CA signed by an external CA?
>>>>
>>>> FreeIPA supports these kinds of setups right now:
>>>> http://www.freeipa.org/page/PKI#Blending_in_PKI_infrastructure
>>>>
>>>>> How can I do this with the ipa-server-install command? I have been trying
>>>>> for a few days but I still can't.
>>>>>
>>>>> Thanks for your help.
>>>>
>>>> CCing Honza who should know the definitive answer. However, FreeIPA was not
>>>> very flexible in configuring special subjects for its CA certificate (i.e.
>>>> cn=Certificate Authority, ou=...) or hosts in case of CA-less setup.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
