roy liang via FreeIPA-users wrote:
>> https://mariadb.com/docs/security/data-in-transit-encryption/create-self-...
>>
>> Pem client-req.pem is replaced by httpd.pem, which is the same error. How do
>> I need to generate the certificate to execute it correctly? The FreeIPA
>> document part is really difficult to find, please help, thank you
>
> root@migration-ipa-65:~/maria_ca# ipa-cacert-manage -p directorypassxx -n yydevopsca -t C,, install ca-cert.pem
> Installing CA certificate, please wait
> CA certificate successfully installed
> The ipa-cacert-manage command was successful
> root@migration-ipa-65:~/maria_ca# ipa-certupdate
> trying https://migration-ipa-65.185.hiido.host.yydevops.com/ipa/json
> Forwarding 'ca_is_enabled' to json server 'https://migration-ipa-65.185.hiido.host.yydevops.com/ipa/json'
> Systemwide CA database updated.
> Systemwide CA database updated.
> The ipa-certupdate command was successful
> root@migration-ipa-65:~/maria_ca# ipa-server-certinstall -w -d /root/maria_ca/server-key.pem /root/maria_ca/server-cert.pem
> Directory Manager password:
>
> Enter private key unlock password:
>
> The ipa-server-certinstall command was successful
>
>
> Resolved, there is a host name limitation, hope the document can be completed
Documents like this are for testing purposes only. We don't want to encourage/enable users to roll their own PKI solution as it is bound to lead to problems.

The mariadb instructions issue 10-year server certificates, which is well outside best practices for production systems. It also almost guarantees that this will all have to be re-done from scratch because in 10 years either nobody will remember how to issue new certificates or the CA key will be lost to time.

The certificates it generates also don't follow X.509 best practices regarding extensions. They may work fine for you but it's a time bomb and you could have interoperability problems.

If you do intend to maintain your own, I'd strongly encourage you to take steps to protect the CA key and retain instructions for issuing new certificates for when they eventually expire, and set a calendar reminder.

rob
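Rob's two objections to the MariaDB recipe, a 10-year lifetime and missing X.509 extensions, can both be checked mechanically before a certificate is handed to ipa-server-certinstall. The script below is an added example written for this page; it is not code from the thread, from FreeIPA or from the MariaDB documentation. It assumes only the openssl command-line tool. The CA name (example-ca), host name (db.example.test) and the 398-day threshold (the maximum lifetime publicly trusted TLS certificates have been held to since 2020) are choices made for the example; the two server certificates it issues are constructed samples, one signed the way the recipe does it and one with a short lifetime plus the subjectAltName and serverAuth extensions that clients actually match against.

```shell
#!/bin/sh
# Added example, not from the thread: audit a server certificate for the
# problems called out in the reply above, a validity period far beyond
# current practice and missing X.509 extensions (SAN, EKU). Needs only the
# openssl CLI; all names below are hypothetical.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Issue a throwaway CA and two server certs (constructed sample data):
# "recipe"   - 10-year lifetime, no extensions, as the MariaDB how-to produces
# "hardened" - 1-year lifetime, SAN carrying the host name, serverAuth EKU
make_sample_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=example-ca" \
    -keyout "$WORK/ca-key.pem" -out "$WORK/ca-cert.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=db.example.test" \
    -keyout "$WORK/server-key.pem" -out "$WORK/server-req.pem" 2>/dev/null

  openssl x509 -req -days 3650 -in "$WORK/server-req.pem" \
    -CA "$WORK/ca-cert.pem" -CAkey "$WORK/ca-key.pem" -CAcreateserial \
    -out "$WORK/server-cert-recipe.pem" 2>/dev/null

  printf '%s\n' \
    'subjectAltName = DNS:db.example.test' \
    'extendedKeyUsage = serverAuth' \
    'keyUsage = digitalSignature, keyEncipherment' \
    'basicConstraints = CA:FALSE' > "$WORK/server.ext"
  openssl x509 -req -days 365 -in "$WORK/server-req.pem" \
    -CA "$WORK/ca-cert.pem" -CAkey "$WORK/ca-key.pem" -CAcreateserial \
    -extfile "$WORK/server.ext" -out "$WORK/server-cert-hardened.pem" 2>/dev/null
}

# audit_cert FILE MAX_DAYS: print one line per finding, nothing when clean.
audit_cert() {
  cert="$1"; max_days="$2"
  text="$(openssl x509 -in "$cert" -noout -text)"
  # -checkend exits 0 when the cert is still valid MAX_DAYS from now; for a
  # freshly issued cert that means its lifetime exceeds MAX_DAYS.
  if openssl x509 -in "$cert" -noout -checkend "$((max_days * 86400))" >/dev/null; then
    echo "LONG_LIFETIME: still valid more than $max_days days from now"
  fi
  case "$text" in
    *"Subject Alternative Name"*) ;;
    *) echo "NO_SAN: clients match the host name against SAN, not CN" ;;
  esac
  case "$text" in
    *"TLS Web Server Authentication"*) ;;
    *) echo "NO_EKU: extendedKeyUsage lacks serverAuth" ;;
  esac
}

# finding_count FILE MAX_DAYS: number of findings, for scripting.
finding_count() {
  audit_cert "$1" "$2" | wc -l | tr -d ' '
}

make_sample_certs
for c in recipe hardened; do
  echo "== server-cert-$c.pem =="
  audit_cert "$WORK/server-cert-$c.pem" 398
done
```

Run against the recipe certificate the audit reports all three findings; against the hardened one it reports none. The same `audit_cert` function works on any PEM file, so it can be run over the server-cert.pem from the thread before installing it, or from cron as the expiry reminder Rob suggests keeping.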
