On 07/17/2018 10:58 AM, Jan Gardian via FreeIPA-users wrote:
> Hello,
> Could you please recommend a procedure to replace the self-signed IPA
> certificate with an externally signed CA?
> I found this
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/index#manual-cert-renewal-ext
Hi,
if you want to replace a self-signed IPA CA with an externally signed
IPA CA, you need to use the instructions from
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/index#change-cert-chaining
(that basically points to the link you already found).
ipa-cacert-manage renew --external-ca is the right tool for this procedure.
HTH,
Flo
> but it is for renewal and I am not sure if it can be used for replacement.
> In the manual pages for ipa-cacert-manage there is an option install, but in
> its statements it has: "Important: this does not replace IPA CA but adds the
> provided certificate as a known CA. This is useful for instance when
> using ipa-server-certinstall to replace HTTP/LDAP certificates with
> third-party certificates signed by this additional CA."
> Thank you
> --
> With kind regards
> *Ján Gardian*
> Administrator
> CYAN RD
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/P66YFSWLEVKIZYVDAYKS366YLRELA6WV/