Rob Crittenden wrote:
> David Christensen wrote:
>> Rob Crittenden wrote:
>>> David Christensen wrote:
>>>> If freeIPA was installed and a CA-signed cert was not used during the
>>>> install and instead the freeipa-generated one was used, is it possible
>>>> to import one post install?
>>> There is a tool to do that, ipa-server-certinstall.
>>>> If this is not possible or rather difficult, is it possible to
>>>> back up the freeIPA DB and import it after a new install to use the
>>>> CA cert?
>>> It isn't too difficult to do but you have to understand the
>>> ramifications. When you create any replicas you'll need to provide two
>>> certificates for it (one for Apache and one for 389) in the form of
>>> PKCS#12 files and they need to be issued from the same CA as your other
>>> IPA servers (or they must already be trusted).
>>> You just have to be very careful, basically.
>> Thanks for the info Rob.
>> Does the same ramification exist using the ipa-server-certinstall tool?
> Yes, once you replace the self-signed CA you'll be responsible for
> providing all future certificates via PKCS#12 files and ensuring that
> the required CA certs will be available for trust purposes.
> It isn't an overwhelming task but can be confusing for those new to SSL.
Thanks for clarifying. Can the tool be used on replicas? I created a
replica for multimaster replication using the default install so I will
need to import the SSL cert for both ipa servers.
Freeipa-users mailing list
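
Added example, not part of the thread and not FreeIPA's own code: a check that each PKCS#12 file prepared for a replica (one for Apache, one for 389) was issued by the CA the other IPA servers trust, which is the requirement described in the replies above. The CA names, hostname, PIN and files are constructed test material, and the script assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example. All names, subjects and the PIN below are constructed.

# p12_issued_by P12 PINFILE CA_PEM
# 0 = leaf certificate in P12 verifies against CA_PEM, 1 = it does not,
# 2 = P12 could not be opened. The PIN is read from a file so it never
# appears on a command line.
p12_issued_by() {
    _leaf=$(mktemp) || return 2
    # -nokeys -clcerts: extract only the end-entity certificate, never the key.
    if ! openssl pkcs12 -in "$1" -passin "file:$2" -nokeys -clcerts 2>/dev/null |
            openssl x509 -out "$_leaf" 2>/dev/null; then
        rm -f "$_leaf"; return 2
    fi
    if openssl verify -CAfile "$3" "$_leaf" >/dev/null 2>&1; then _rc=0; else _rc=1; fi
    rm -f "$_leaf"
    return "$_rc"
}

# make_ca DIR NAME: throwaway self-signed CA (constructed test material).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# make_p12 DIR NAME CA: server certificate issued by CA, bundled as NAME.p12.
make_p12() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=replica.example.test" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
        -CAcreateserial -days 1 -out "$1/$2.pem" 2>/dev/null &&
    openssl pkcs12 -export -in "$1/$2.pem" -inkey "$1/$2.key" \
        -passout "file:$1/pin.txt" -out "$1/$2.p12"
}

demo_dir=$(mktemp -d) && trap 'rm -rf "$demo_dir"' EXIT
printf 'constructed-pin\n' > "$demo_dir/pin.txt"
make_ca "$demo_dir" site-ca; make_ca "$demo_dir" other-ca
make_p12 "$demo_dir" http site-ca      # issued by the CA the servers trust
make_p12 "$demo_dir" dirsrv other-ca   # deliberately issued by a different CA

for f in http dirsrv; do
    if p12_issued_by "$demo_dir/$f.p12" "$demo_dir/pin.txt" "$demo_dir/site-ca.pem"
    then echo "$f.p12: issued by site-ca"
    else echo "$f.p12: NOT issued by site-ca, do not install"
    fi
done
```

Against real files, call `p12_issued_by` with the PKCS#12 file, a file holding its PIN, and the PEM certificate of the CA that issued the existing servers' certificates.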