On 26/11/15 15:22, David Kupka wrote:
On 26/11/15 15:13, David Kupka wrote:
On 26/11/15 15:01, David Kupka wrote:
https://fedorahosted.org/freeipa/ticket/5441


Replaced accidentally inserted tabs.



Fixed indentation I screwed up when replacing tabs :-/



Hello everyone!
I did not realize that not many people know how to verify this.
You need (at least) 2 servers, a master and a replica, and certificates for them. The easiest way to get the certificates is to use Honza's almighty script (attached). Before you run it, edit the variables on the first few lines to match your environment. When it is run, it creates a directory (nssdb in your `pwd` by default) populated with various certificates. Both certificates used (replica.p12 and server.p12) must be signed by the same CA (located in the same ca* subdirectory).

To install CA-less IPA server on master:
[master] # ipa-server-install -r EXAMPLE.TEST --http-cert-file /path/to/server.p12 --http-pin password --dirsrv-cert-file /path/to/server.p12 --dirsrv-pin password

Since the domain level is set to 1, ipa-client must be installed first on the future replica.
[replica] # ipa-client-install
Note: In case the client can't auto-discover the IPA server, you need to provide the --domain and --server options.

After successful installation of ipa-client you can promote it to a master:
[replica] # ipa-replica-install --http-cert-file /path/to/replica.p12 --http-pin password --dirsrv-cert-file /path/to/replica.p12 --dirsrv-pin password


--
David Kupka

Attachment: makepki.sh
Description: application/shellscript
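As an added example (this is not Honza's attached makepki.sh and not FreeIPA project code), the script below builds the layout the install commands above expect using plain openssl: one test CA, then server.p12 and replica.p12 both signed by it, plus the check a practitioner should run before ipa-server-install / ipa-replica-install to confirm that both PKCS#12 files really chain to the same CA. The host names master.example.test and replica.example.test, the output directory and the pin `password` are assumptions; the only dependency is `openssl` (1.1.1 or 3.x) on PATH.

```shell
#!/bin/sh
# Toy PKI for exercising a CA-less FreeIPA install: one test CA, plus
# server.p12 and replica.p12 both signed by it (the installer requirement).
# Added example, not the attached makepki.sh. Assumes `openssl` on PATH.
set -eu

# Minimal OpenSSL config so the result does not depend on the distro openssl.cnf.
write_cnf() {
    cat > "$1/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
# the subject is always passed on the command line with -subj
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# make_ca DIR NAME ORG: self-signed CA -> DIR/NAME.key and DIR/NAME.crt
make_ca() {
    mkdir -p "$1"
    write_cnf "$1"
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$1/openssl.cnf" -extensions v3_ca \
        -subj "/O=$3/CN=$3 test CA ($2)" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# issue_p12 DIR CANAME NAME HOST PIN: TLS server cert for HOST signed by
# DIR/CANAME.crt, bundled with its key and the CA cert into DIR/NAME.p12.
issue_p12() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/openssl.cnf" \
        -subj "/CN=$4" -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    # Per-host extension file: end-entity cert with a SAN matching the host name.
    printf '%s\n' \
        "subjectAltName = DNS:$4" \
        'basicConstraints = critical, CA:FALSE' \
        'keyUsage = critical, digitalSignature, keyEncipherment' \
        'extendedKeyUsage = serverAuth' \
        'subjectKeyIdentifier = hash' \
        'authorityKeyIdentifier = keyid' > "$1/$3.ext"
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$1/$3.ext" \
        -out "$1/$3.crt" 2>/dev/null
    openssl pkcs12 -export -in "$1/$3.crt" -inkey "$1/$3.key" \
        -certfile "$1/$2.crt" -name "$4" -passout "pass:$5" -out "$1/$3.p12"
}

# p12_signed_by P12 PIN CACRT: succeed only if the leaf cert inside P12
# verifies against CACRT (i.e. was issued by that CA).
p12_signed_by() {
    out=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
          | openssl verify -CAfile "$3" 2>/dev/null || true)
    case "$out" in *": OK") return 0 ;; esac
    return 1
}

# all_chain_to_ca CACRT PIN P12...: the installer precondition from the mail,
# every PKCS#12 file given must chain to the same CA.
all_chain_to_ca() {
    ca_crt="$1"; ca_pin="$2"; shift 2
    for p12 in "$@"; do
        p12_signed_by "$p12" "$ca_pin" "$ca_crt" || return 1
    done
    return 0
}

# make_pki DIR DOMAIN PIN: produce DIR/ca.crt and, signed by it,
# DIR/server.p12 (for master.DOMAIN) and DIR/replica.p12 (for replica.DOMAIN).
make_pki() {
    make_ca "$1" ca "$2"
    issue_p12 "$1" ca server "master.$2" "$3"
    issue_p12 "$1" ca replica "replica.$2" "$3"
}

# Stand-alone usage: sh toy-pki.sh /path/to/nssdb example.test password
if [ "$#" -eq 3 ]; then
    make_pki "$1" "$2" "$3"
    if all_chain_to_ca "$1/ca.crt" "$3" "$1/server.p12" "$1/replica.p12"; then
        echo "server.p12 and replica.p12 both chain to $1/ca.crt"
    else
        echo "server.p12 and replica.p12 do NOT share a CA" >&2
        exit 1
    fi
fi
```

One caveat worth knowing when feeding these files to an NSS-based installer: OpenSSL 3.x writes PKCS#12 with AES-256-CBC and PBKDF2 by default, which old NSS releases cannot import; if the installer rejects the file, add `-legacy` to the `openssl pkcs12 -export` call to get the older RC2/3DES encoding.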

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code