Bryan Fang via FreeIPA-users wrote:
> After adding certificates and chain of *.domain.com to /etc/ipa/ca.crt in
> master freeipa, then copy the ca.crt file to client machine, and rename it to
> ca.pem with
> mv ca.crt ca.pem
> this ca.pem includes all required certificates for both ipa server and https
> server, then run ipa-client-install command like below, it will work for new
> client machine
>
> ipa-client-install --mkhomedir --domain=domain2.com --server=ipa.domain.com
> --realm=DOMAIN.COM --force-ntpd --hostname=ipa.domain2.com -d
> --ca-cert-file=/home/ec2-user/ca.pem

If you use ipa-cacert-manage to load the external CA certificates onto the IPA server then using a custom ca-cert-file shouldn't be necessary as the entire cert chain will be pulled down as part of the installation.

Note that when you add custom certificates you should run ipa-certupdate on all IPA hosts, clients and servers, to pull in the new chain.

rob
