On 12/23/19 1:19 PM, White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users wrote:
I have two IdM/FreeIPA instances running in a test lab environment, built with self-signed certs and CA.  Both have CA installed.

I want to replace the self-signed with a real, external CA as it will be in production.

Hi,

you can follow the steps in https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/change-cert-chaining

As you are interested in self-signed -> externally-signed CA, the doc will redirect you to https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/cert-renewal#manual-cert-renewal

You will need to run
ipa-cacert-manage renew --external-ca

The command will produce a CSR that you need to submit to the external CA. When you receive the cert, you will need to run
ipa-cacert-manage renew --external-cert-file=/path/to/new/cacert.pem

Note: as a prerequisite, the external CA cert needs to be known by IPA. In order to do that, run
ipa-cacert-manage install -t CT,C,C /path/to/externalCA.pem
then (on all nodes)
ipa-certupdate

(if the chain is complex and contains a rootCA + a subCA, run the command a first time with the rootCA, then a second time with the subCA).

HTH,
flo

Would I use this:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/ca-less-to-ca

Red Hat Enterprise Linux 7 : Linux Domain Identity, Authentication, and Policy Guide - 26.8. Installing a CA Into an Existing IdM Domain

or this:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/cert-renewal#manual-cert-renewal-ext

Red Hat Enterprise Linux 7 : Linux Domain Identity, Authentication, and Policy Guide - 26.2.2.2. Renewing an Externally-Signed IdM CA Certificate Manually

This use-case is not clearly documented (if at all)

______________________________________________________________________________________________

Daniel E. White
[email protected] <mailto:[email protected]>

NICS Linux Engineer
NASA Goddard Space Flight Center
8800 Greenbelt Road
Building 14, Room E175
Greenbelt, MD 20771

Office: (301) 286-6919
Mobile: (240) 513-5290
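The sequence Florence lays out (request the CSR, make the external chain known to IPA root-first, run ipa-certupdate everywhere, then finish the renewal with the signed certificate) is easy to get out of order when typed by hand. The script below is an added example and not part of the thread or of the FreeIPA project's own tooling; the certificate paths, the DRY_RUN switch and the function names are assumptions made for illustration, and it defaults to only printing the commands so the ordering can be reviewed before anything touches the IPA CA:

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): wraps the
# self-signed -> externally-signed CA renewal steps into one script.
# All file paths below are constructed placeholders; DRY_RUN=1 (the
# default) only prints the commands, DRY_RUN=0 executes them.
set -eu

: "${ROOT_CA:=/root/external-root-ca.pem}"   # external root CA (assumed path)
: "${SUB_CA:=/root/external-sub-ca.pem}"     # external issuing sub CA (assumed path)
: "${NEW_CACERT:=/root/ipa-ca-signed.pem}"   # cert returned by the external CA (assumed path)
: "${DRY_RUN:=1}"

# run: echo the command with a '+ ' prefix; execute it only when DRY_RUN=0.
run() {
    printf '+ %s\n' "$*"
    if [ "$DRY_RUN" = "0" ]; then
        "$@"
    fi
}

# check_chain: confirm the sub CA really was issued by the root CA before
# installing either into IPA's trust store. Skipped in dry-run mode because
# the placeholder files do not exist.
check_chain() {
    if [ "$DRY_RUN" != "0" ]; then
        echo "skip: chain check (dry run)"
        return 0
    fi
    openssl verify -CAfile "$ROOT_CA" "$SUB_CA" >/dev/null
}

# Step 1: generate the CSR for the IPA CA to be signed by the external CA.
request_external_signing() {
    run ipa-cacert-manage renew --external-ca
    echo "Submit the CSR reported by the command above to the external CA,"
    echo "place the issued certificate at $NEW_CACERT, then run: $0 install"
}

# Step 2: install the external chain root first, then the sub CA (each with
# the CT,C,C trust flags from the reply), propagate with ipa-certupdate, and
# complete the renewal with the externally signed IPA CA certificate.
install_signed_ca() {
    check_chain
    run ipa-cacert-manage install -t CT,C,C "$ROOT_CA"
    run ipa-cacert-manage install -t CT,C,C "$SUB_CA"
    run ipa-certupdate      # must also be run on every replica
    run ipa-cacert-manage renew --external-cert-file="$NEW_CACERT"
}

case "${1:-}" in
    request) request_external_signing ;;
    install) install_signed_ca ;;
    *) echo "usage: $0 request|install   (set DRY_RUN=0 to execute)" ;;
esac
```

With DRY_RUN left at 1 the install stage prints the four commands in the order the reply prescribes, which is the part worth eyeballing on a replica before repeating it with DRY_RUN=0; a chain with only a single external CA can point both ROOT_CA and SUB_CA at the same file.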


_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
