David Kupka wrote:
> On 22/09/15 17:02, James Masson wrote:
>>
>> Hi,
>>
>> we're building IPAs in an automated fashion, for environments that get
>> created and destroyed a lot. At the moment, the CA certs used inside
>> these IPAs are self-signed, as part of the normal "ipa-server-install"
>> setup process.
>>
>> We would like to switch to issuing signed intermediate CA certs to the
>> IPAs we deploy.
>>
>> The documentation lists the two part process necessary for this. First
>> "--external-ca" - and then "--external-cert-file"
>>
>> Are there any ways to skip this, and give the setup process a known
>> public/private key+cert up front? I'm hoping to avoid the need to have
>> to use/send this automatically generated CSR every time.
>>
>> thanks
>>
>> James M
>>
>
> Hello James,
> currently it's not possible but making installation with externally
> signed CA single step sounds really useful to me.
> Currently certmonger is generating the CSR for FreeIPA server in the
> first step of installation. Certmonger is also able to send certificate
> to external CA for signing.
>
> I'm not sure if we could combine these two certmonger's abilities right
> now but if not it shouldn't be difficult to add functionality to
> certmonger to send the CSR to preconfigured CA instead of just storing
> it in file.
>
> This would of course require configuring the certmonger with information
> about the CA before FreeIPA server installation but it's just one
> command (getcert-add-ca).
>
> Could you please file a ticket
> (https://fedorahosted.org/freeipa/newticket)?
>

Unless something has radically changed AFAIK dogtag generates its own keys
and certmonger simply tracks the cert it issues after-the-fact. There may
be room there to use certmonger with sub-CAs since those are really just
separate profiles, but for the initial install I don't believe certmonger
is used.

rob
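
Added example, not part of the thread and not FreeIPA code: since the install stays a two-part process, the piece an automated build can script is the signing that happens between "--external-ca" and "--external-cert-file". The function name `sign_ipa_csr`, its arguments and the extension set are assumptions; it needs `openssl` and write access to the directory holding the signing CA certificate (for the serial file).

```shell
#!/bin/sh
# Added example: sign the CSR left by the "--external-ca" step as an
# intermediate CA certificate. All file names are caller-supplied
# arguments (hypothetical, not FreeIPA defaults).
# Usage: sign_ipa_csr CSR SIGNING_CA_CERT SIGNING_CA_KEY OUT_CERT [DAYS]
sign_ipa_csr() {
    sic_csr=$1 sic_ca=$2 sic_key=$3 sic_out=$4 sic_days=${5:-1825}
    sic_ext=$(mktemp) || return 1
    # Extensions that make the issued certificate usable as a CA.
    cat >"$sic_ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    # "x509 -req" checks the CSR's self-signature and fails on a mismatch,
    # so a corrupted or missing request never gets a certificate.
    if ! openssl x509 -req -in "$sic_csr" -CA "$sic_ca" -CAkey "$sic_key" \
            -CAcreateserial -sha256 -days "$sic_days" \
            -extfile "$sic_ext" -out "$sic_out" >/dev/null 2>&1; then
        rm -f "$sic_ext" "$sic_out"
        return 1
    fi
    rm -f "$sic_ext"
    # Confirm the result chains to the signing CA before handing it
    # to the "--external-cert-file" step.
    openssl verify -CAfile "$sic_ca" "$sic_out" >/dev/null 2>&1
}
```

The signing CA's private key has to be readable wherever this runs, so in a pipeline it belongs on a dedicated signing host rather than on each IPA server being built.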
