I personally haven't done this, but from https://www.freeipa.org/page/PKI

"when --external-ca option is used, ipa-server-install produces a certificate request for its CA certificate so that it can be properly chained in existing PKI infrastructure."

and from https://www.redhat.com/archives/freeipa-users/2014-January/msg00057.html

"First run ipa-server-install with --external-ca, which will create a CSR for IPA CA certificate in /root/ipa.csr. Then sign the CSR with the external CA to get the IPA CA certificate. Finally, run ipa-server-install with --external_cert_file pointing to the IPA CA certificate and --external_ca_file pointing to CA certificate of the external CA."

From that previous paragraph, it looks like the --external-ca option doesn't actually install anything, just creates the correct CSR for the domain you intend to create.

If you can create a temporary CentOS virtual machine you could run the "ipa-server-install --external-ca" command and see what happens :)

Hope this helps,

Anthony Clark

On Wed, Jul 27, 2016 at 11:24 PM, William Muriithi <[email protected]> wrote:

> Hello
>
> I want to use an external certificate when setting up a new FreeIPA
> next week and plan to send the CSR tomorrow.
>
> I would like to source a certificate for example.com and use it on
> FreeIPA on eng.example.com. I can't specifically set the FreeIPA on
> example.com because we have active directory on corp.example.com
>
> Is there a way for using FreeIPA with such a setup? I am hoping that
> if I can setup FreeIPA using example.com, I can be able to generate
> certificates for both Windows and Linux plus others like
> vpn.example.com that don't sit well on either AD or FreeIPA domain.
>
> What's the best way to approach this? If not possible, would setting
> FreeIPA as a sub domain for active directory help?
>
> Regards,
>
> William
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
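Added example, not part of the thread and not FreeIPA's own tooling: a rehearsal of the "sign the CSR with the external CA" step using throwaway openssl keys, with the checks worth running on the returned certificate before the second ipa-server-install run. The function names, subjects and file names are constructed, and ipa.csr stands in for /root/ipa.csr; the point it shows is that a certificate signed without CA:TRUE still chains to the external CA but cannot act as the IPA CA.

```shell
#!/bin/sh
# Rehearsal of step 2 with throwaway keys. Every name, subject and path is constructed;
# ipa.csr stands in for the /root/ipa.csr that the first ipa-server-install run writes.

sign_ipa_csr() {   # $1 = work dir, $2 = "ca" (sign as a CA) or "leaf" (the mistake)
    d=$1
    printf '[req]\ndistinguished_name=dn\nprompt=no\nx509_extensions=v3\n[dn]\nCN=unused\n' > "$d/req.cnf"
    printf '[v3]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >> "$d/req.cnf"
    # Constructed external root CA, standing in for the existing PKI.
    openssl req -x509 -config "$d/req.cnf" -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=EXAMPLE.COM/CN=Constructed External Root CA" \
        -keyout "$d/ext-ca.key" -out "$d/ext-ca.crt" 2>/dev/null || return 2
    # Constructed CSR for the IPA CA.
    openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/O=ENG.EXAMPLE.COM/CN=Certificate Authority" \
        -keyout "$d/ipa-ca.key" -out "$d/ipa.csr" 2>/dev/null || return 2
    # The signer decides the extensions; a CSR signed with a server profile is not a CA.
    if [ "$2" = ca ]; then
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n'
    else
        printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n'
    fi > "$d/ext.cnf"
    openssl x509 -req -in "$d/ipa.csr" -CA "$d/ext-ca.crt" -CAkey "$d/ext-ca.key" \
        -CAcreateserial -days 30 -extfile "$d/ext.cnf" -out "$d/ipa-ca.crt" 2>/dev/null || return 2
}

check_ipa_ca_cert() {   # $1 = signed IPA CA cert, $2 = external CA cert, $3 = CSR
    # Must chain to the external CA, be a CA itself, and carry the key from the CSR.
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || { echo "does not chain"; return 1; }
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE' || { echo "not a CA"; return 1; }
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl req -in "$3" -noout -pubkey)" ] \
        || { echo "key does not match CSR"; return 1; }
    echo ok
}

work=$(mktemp -d)
for mode in ca leaf; do
    sign_ipa_csr "$work" "$mode" && printf '%s: ' "$mode"
    check_ipa_ca_cert "$work/ipa-ca.crt" "$work/ext-ca.crt" "$work/ipa.csr" || true
done
rm -rf "$work"
```

On a real install only check_ipa_ca_cert applies: point it at the certificate the external CA returned, the external CA's certificate, and /root/ipa.csr.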
