Thanks for the answer. I know about the external CA-Cert possibility of
ipa-server-install. But it does not do what I want.
I did set up a dogtag ca and a fedora-ds (389). It would be nice if freeipa
could just use them. I find it a little bit inconsistent that dogtag tries to be
a central service, and freeipa claims to be the same, setting up a new one.
BTW: Freeipa setup tells me that it should be the only 389-instance, and
exits gracefully. Well, my dogtag and bind setup with 389-backend works quite
well, I just want freeipa to use them.
Is there a possibility to set up freeipa this way? Thanks for the all-in-one
setup, but it means I cannot run another ldap (389) server(-instance) on a
machine where freeipa is running. Is this right?
On Friday, 9 April 2010 23:42:54, Rob Crittenden wrote:
> Oliver Burtchen wrote:
> > Hi @all,
> > is it possible to use an already configured and running dogtag-instance
> > for freeipa V2 in the installation process? I would like to give
> > ipa-server-install just the params for the dogtag-instance/server to
> > use, and skip its own creation-process (pkisilent ...).
> > Or are there arguments for an extra CA used by freeipa?
> > Background: I customized dogtag for my needs (using SHA256, default to 10
> > year validity of ca-SigningCert, organization and location defaults, etc.
> > ).
> > Best regards,
> > Oli
> Probably the best way to do it would be to use the external CA install
> option (--external-ca). This is a two-step installation process. The
> first step generates a CSR for the IPA CA. You take this CSR to your
> existing CA and issue a subordinate CA certificate that will be used by
> IPA. Then you continue the IPA installation and it sets up a separate
> dogtag instance with this subordinate CA.
> It might be possible to wedge in an existing dogtag install into IPA in
> another way but I haven't yet tried it.
Oliver Burtchen, Berlin
Freeipa-users mailing list