Fred van Zwieten wrote:
> We have installed IPA in our internal network (let's call it example.com).
> We have all kinds of internal websites running for various
> administrative tasks. These websites are in all kind of subdomains of
> example.com. We would like to have them using a
> certificate signed by our CA.
> Some internal websites run on IPA-clients, some not.
> So, what is the exact workflow to make this happen?
A host doesn't need to be enrolled to get a certificate. You can just
use host-add (or the UI) to create the host and potentially whatever
services you want certificates for (HTTP, ldap, whatever).
Then generate a CSR on the host you want the cert for using your
favorite crypto tools and pass that to ipa cert-request. The output of
that is a signed public cert.
You'll need the CA cert chain as well. It can be retrieved via the web
from http://ipa.example.com/ipa/config/ca.crt. In 3.1 you can also get
it over LDAP in cn=CAcert,cn=ipa,cn=etc,$SUFFIX in the cACertificate
> Also, our internal users must trust the IPA server as a Certificate
> Signing Authority. Users use both linux and windows clients and use
> various browsers on them. What is the procedure to have them trusting
> the IPA server as the CSA?
You can visit the URI for the CA cert directly and you should be
prompted to import and trust it in most browsers.
Freeipa-users mailing list
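The workflow from the reply above (host-add, service-add, local CSR, ipa cert-request, fetch the CA cert, verify the chain), scripted as an added example; this is not code from the thread or from the FreeIPA project. It assumes the realm is EXAMPLE.COM, the server is ipa.example.com, a Kerberos ticket for a user allowed to issue certificates already exists, OpenSSL 1.1.1 or later (for `-addext`), and an IPA version whose `cert-request` accepts `--certificate-out`; the IPA commands only run when `IPA_RUN=1` is set, so the functions can be sourced and checked offline.

```shell
#!/bin/sh
# Added example, not from the original thread. Requests a web server
# certificate from the IPA CA for a host that need not be an IPA client.
# Assumptions (not stated in the thread): realm EXAMPLE.COM, server
# ipa.example.com, an existing admin ticket, OpenSSL >= 1.1.1, and an IPA
# version whose cert-request supports --certificate-out.
set -eu

IPA_SERVER="${IPA_SERVER:-ipa.example.com}"   # assumed server name
IPA_REALM="${IPA_REALM:-EXAMPLE.COM}"         # assumed Kerberos realm

# Build the principal IPA expects for a service on a host,
# e.g. HTTP/www.example.com@EXAMPLE.COM.
principal_for() {
    printf '%s/%s@%s\n' "$1" "$2" "$3"
}

# Register the host and the service. --force skips the DNS lookup, which
# matters for hosts that IPA does not manage in DNS.
register_service() {
    svc="$1"; fqdn="$2"
    ipa host-add "$fqdn" --force
    ipa service-add "$(principal_for "$svc" "$fqdn" "$IPA_REALM")" --force
}

# Generate the key and CSR locally. The CN and the DNS SAN must name the
# host the service principal belongs to, otherwise IPA rejects the request.
make_csr() {
    fqdn="$1"; key="$2"; csr="$3"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$key" -out "$csr" \
        -subj "/CN=$fqdn" -addext "subjectAltName=DNS:$fqdn"
}

# Submit the CSR; the output is the signed certificate in PEM form.
request_cert() {
    svc="$1"; fqdn="$2"; csr="$3"; out="$4"
    ipa cert-request \
        --principal="$(principal_for "$svc" "$fqdn" "$IPA_REALM")" \
        --certificate-out="$out" "$csr"
}

# Fetch the CA certificate from the URL given in the reply.
fetch_ca_cert() {
    curl -fsS -o "$1" "http://$IPA_SERVER/ipa/config/ca.crt"
}

# Confirm the issued certificate chains to the IPA CA before deploying it.
verify_chain() {
    openssl verify -CAfile "$1" "$2"
}

# Full run only on request, so the file can be sourced for the helpers.
if [ "${IPA_RUN:-0}" = "1" ]; then
    fqdn="$(hostname -f)"
    register_service HTTP "$fqdn"
    make_csr "$fqdn" server.key server.csr
    request_cert HTTP "$fqdn" server.csr server.crt
    fetch_ca_cert ca.crt
    verify_chain ca.crt server.crt
fi
```

The `ca.crt` the script downloads is also the file to hand to users for the second question: it is the same certificate the browser offers to import when the URI is visited directly. Checking the chain with `openssl verify` before installing the certificate catches a CSR issued against the wrong principal or a CA file fetched from the wrong server.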