Oliver Burtchen wrote:
Hi Rob,

thanks for the answer. I know about the externel CA-Cert possibility of ipa-
server- install. But it does not what I want.

I did setup a dogtag ca and a fedora-ds (389). It would be nice, if freeipa could just use them. I find it a little bit inconsitent that dogtag tries to be a central service, and freeipa claims to be the same, setting up a new one.

Well, it gets tricky because we need an RA certificate in IPA and there is no automated way to get this with an existing dogtag installation. This is why making IPA a subordinate CA is suggested, so you can continue with your existing central authority.

I'm sure it's possible to wedge in an existing dogtag instance, it would just take a bit of work and lots of code reading. Among the things you'd have to do are:

- change the dogtag ports in IPA
- have your CA issue an RA certificate and trust that user in the existing CA - load that RA cert and private key into /etc/httpd/alias using the right nickname
- set the right CA type in /etc/ipa/default.conf on the IPA server

Perhaps some other things I'm missing. I'm not sure how cloning will work in this case.

BTW.: Freeipa setup tells me, that it should be the only 389-instance, and exist gracefully. Well, my dogtag and bind setup with 389-backend works quiet well, i just want freeipa to use them.

IPA is really geared for configuration on a fresh install. We have to touch so many things the installation is difficult as it is. Having to integrate with a lot of existing services makes this doubly more difficult. You can always disable the check (only via code now, no arguments for this).

Is there a possibility to setup freeipa this way? Thanks for the all in one setup, but it means I cannot run an other ldap (389) server(-instance) on a machine where freeipa is running. Is this right?

You can't if it is already installed, at least not without a small code change.

We have to use the 80/20 rule here and try to have some control over the initial environment before trying the installation. It is probably possible to do what you want given time and patience but we are unlikely to do this in the near future.


Best regards,

Am Freitag, 9. April 2010 23:42:54 schrieb Rob Crittenden:
Oliver Burtchen wrote:
Hi @all,

is it possible to use an already configured und running dogtag-instance
for freeipa V2 in the installation process? I would like to give
ipa-server- install just the params for the dogtag-instance/server to
use, and skip its own creation-process (pkisilence ...).

Or are there arguments for an extra CA used by freeipa?

Background: I customized dogtag for my needs (using SHA256, default to 10
year validity of ca-SigningCert, organization and location defaults, etc.

Best regards,
Probably the best way to do it would be to use the external CA install
option (--external-ca). This is a two-step installation process. The
first step generates a CSR for the IPA CA. You take this CSR to your
existing CA and issue a subordinate CA certificate that will be used by
IPA. Then you continue the IPA Installation and it sets up a separate
dogtag instance with this subordinate CA.

It might be possible to wedge in an existing dogtag install into IPA in
another way but I haven't yet tried it.


Freeipa-users mailing list

Reply via email to