David Christensen wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rob Crittenden wrote:
David Christensen wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rob Crittenden wrote:
David Christensen wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

If freeIPA was installed and a CA signed cert was not used during the
install and instead the freeipa generated one was used, it is possible
to import one post install?
There is a tool to do that, ipa-server-certinstall.

If not this is not possible or rather difficult, is it possible to
backup the freeIPA DB and import it after a new install to use the
legit
CA cert?
It isn't too difficult to do but you have to understand the
ramifications. When you create any replicas you'll need to provide two
certificates for it (one for Apache and one for 389) in the form of
PKCS#12 files and they need to be issued from the same CA as your other
IPA servers (or they must already be trusted).

You just have to be very careful, basically.

rob
Thanks for the info Rob.

Does the same ramification exist using the ipa-server-certinstall tool
Yes, once you replace the self-signed CA you'll be responsible for
providing all future certificates via PKCS#12 files and ensuring that
the required CA certs will be available for trust purposes.

It isn't an overwhelming task but can be confusing for those new to SSL.

rob

Thanks for clarifying.  Can the tool be used on replicas?  I created a
replica for multimaster replication using the default install so I will
need to import the SSL cert for both ipa servers.

Yes, it should work fine on replicas too.

rob

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to