Oliver Burtchen wrote:
Hi @all,

is it possible to use an already configured and running dogtag-instance for freeipa V2 in the installation process? I would like to give ipa-server-install just the params for the dogtag-instance/server to use, and skip its own creation-process (pkisilence ...).

Or are there arguments for an extra CA used by freeipa?

Background: I customized dogtag for my needs (using SHA256, default to 10 year validity of ca-SigningCert, organization and location defaults, etc.).

Best regards,

Probably the best way to do it would be to use the external CA install option (--external-ca). This is a two-step installation process. The first step generates a CSR for the IPA CA. You take this CSR to your existing CA and issue a subordinate CA certificate that will be used by IPA. Then you continue the IPA installation and it sets up a separate dogtag instance with this subordinate CA.

It might be possible to wedge in an existing dogtag install into IPA in another way but I haven't yet tried it.
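
A pre-flight check for the hand-off between the two steps described above, as an added example that is not part of the original thread: before continuing the installation, confirm the certificate returned by the existing CA matches the CSR, is marked as a CA, is signed with SHA-256, and chains to the issuer. Assumptions: plain `openssl` stands in for the existing CA, and every key, subject and file name below is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: all keys, subjects and files here are constructed stand-ins.
set -eu
W=$(mktemp -d)
trap 'rm -rf "$W"' EXIT

newreq() {  # newreq <name> <subject>: write $W/<name>.key and $W/<name>.csr
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$2" \
    -keyout "$W/$1.key" -out "$W/$1.csr" 2>/dev/null
}

# Extensions a subordinate CA certificate needs in order to issue certificates.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$W/ca.ext"

# Stand-in for the existing CA: a self-signed root.
newreq root "/O=EXAMPLE.TEST/CN=Existing CA"
openssl x509 -req -sha256 -days 3650 -in "$W/root.csr" -signkey "$W/root.key" \
  -extfile "$W/ca.ext" -out "$W/root.crt" 2>/dev/null

# Stand-in for the step-one CSR, signed once as a CA and once as a plain leaf.
newreq ipa "/O=EXAMPLE.TEST/CN=Certificate Authority"
openssl x509 -req -sha256 -days 3650 -in "$W/ipa.csr" -CA "$W/root.crt" \
  -CAkey "$W/root.key" -CAcreateserial -extfile "$W/ca.ext" -out "$W/good.crt" 2>/dev/null
openssl x509 -req -sha256 -days 365 -in "$W/ipa.csr" -CA "$W/root.crt" \
  -CAkey "$W/root.key" -CAcreateserial -out "$W/leaf.crt" 2>/dev/null

# check_subca <csr> <cert> <issuer-cert>
# Returns 0 when the certificate is usable, otherwise a reason code:
#   1 key does not match the CSR   2 not a CA certificate
#   3 not signed with SHA-256      4 does not chain to the issuer
check_subca() {
  [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl x509 -in "$2" -noout -pubkey)" ] || return 1
  openssl x509 -in "$2" -noout -text | grep -q 'CA:TRUE' || return 2
  openssl x509 -in "$2" -noout -text | grep -q 'Signature Algorithm: sha256' || return 3
  openssl verify -CAfile "$3" "$2" >/dev/null 2>&1 || return 4
}

if check_subca "$W/ipa.csr" "$W/good.crt" "$W/root.crt"; then
  echo "subordinate CA certificate passes all checks"
fi
```

The leaf certificate signed without the extension file fails with code 2, which is the case to catch when the existing CA issues from a server or user profile instead of a subordinate CA profile.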


Freeipa-users mailing list
