Fred van Zwieten wrote:

> We have installed IPA in our internal network (let's call it
>
> We have all kinds of internal websites running for various
> administrative tasks. These websites are in all kinds of subdomains of <>. We would like to have them using a
> certificate signed by our CA.
>
> Some internal websites run on IPA-clients, some not.
>
> So, what is the exact workflow to make this happen?

A host doesn't need to be enrolled to get a certificate. You can just use host-add (or the UI) to create the host and potentially whatever services you want certificates for (HTTP, ldap, whatever).

Then generate a CSR on the host you want the cert for using your favorite crypto tools and pass that to ipa cert-request. The output of that is a signed public cert.

You'll need the CA cert chain as well. It can be retrieved via the web from In 3.1 you can also get it over LDAP in cn=CAcert,cn=ipa,cn=etc,$SUFFIX in the cACertificate attribute.

> Also, our internal users must trust the IPA server as a Certificate
> Signing Authority. Users use both linux and windows clients and use
> various browsers on them. What is the procedure to have them trusting
> the IPA server as the CSA?

You can visit the URI for the CA cert directly and you should be prompted to import and trust it in most browsers.
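The workflow described in the reply (register host and service, generate the CSR on the web host, submit it with `ipa cert-request`, fetch the CA chain, verify the result), written out as a script. This is an added example, not code from the thread or from the FreeIPA project. It assumes an IPA server named `ipa.example.com`, a base DN of `dc=example,dc=com` (the `$SUFFIX` mentioned above), a web host `web1.example.com`, a Kerberos admin ticket already obtained with `kinit`, and a 4.x `ipa` CLI for the `--certificate-out` option; `/ipa/config/ca.crt` is the standard CA certificate path on an IPA server and is assumed to be the URL elided in the reply.

```shell
#!/bin/sh
# Added example (not from the thread): issue a web server certificate from the
# IPA CA for a host that is not enrolled as an IPA client.
# Assumed names: IPA server ipa.example.com, base DN dc=example,dc=com,
# web host web1.example.com. Needs: openssl on the web host; the ipa CLI with
# an admin ticket (kinit) for the registration and request steps; curl.
set -eu

IPA_SERVER="${IPA_SERVER:-ipa.example.com}"   # assumption
BASE_DN="${BASE_DN:-dc=example,dc=com}"        # assumption; the thread's $SUFFIX

# Step 1 (admin workstation): create the host entry and its HTTP service.
# --force lets host-add succeed when the name has no A/AAAA record in IPA DNS.
register_service() {
    host="$1"
    ipa host-show "$host" >/dev/null 2>&1 || ipa host-add "$host" --force
    ipa service-show "HTTP/$host" >/dev/null 2>&1 || ipa service-add "HTTP/$host"
}

# Step 2 (on the web host): private key plus CSR. The key never leaves the host.
# The SAN is what browsers match on; IPA checks it against the service's host.
make_csr() {
    dir="$1"; host="$2"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" 2>/dev/null
    chmod 600 "$dir/$host.key"
}

# Step 3 (admin): submit the CSR for the HTTP service; the signed cert lands in
# $host.crt. --certificate-out needs a 4.x CLI; on 3.x capture the printed cert.
request_cert() {
    dir="$1"; host="$2"
    ipa cert-request "$dir/$host.csr" --principal "HTTP/$host" \
        --certificate-out "$dir/$host.crt"
}

# Step 4: fetch the CA chain over HTTP. The LDAP alternative from the reply is
# cn=CAcert,cn=ipa,cn=etc,$BASE_DN, attribute cACertificate (3.1 and later).
fetch_ca_chain() {
    dir="$1"
    curl -fsS "http://$IPA_SERVER/ipa/config/ca.crt" -o "$dir/ca.crt"
}

# Step 5: confirm the issued cert chains to the fetched CA and carries the SAN.
verify_cert() {
    dir="$1"; host="$2"
    openssl verify -CAfile "$dir/ca.crt" "$dir/$host.crt" >/dev/null
    openssl x509 -in "$dir/$host.crt" -noout -ext subjectAltName | grep -q "DNS:$host"
}

main() {
    host="$1"; dir="${2:-.}"
    register_service "$host"
    make_csr "$dir" "$host"
    request_cert "$dir" "$host"
    fetch_ca_chain "$dir"
    verify_cert "$dir" "$host"
    echo "issued $dir/$host.crt (key: $dir/$host.key, chain: $dir/ca.crt)"
}

# Runs only when a hostname is given, e.g.:
#   sh ipa-web-cert.sh web1.example.com /etc/pki/tls/private
if [ $# -ge 1 ]; then
    main "$@"
fi
```

In practice steps 2 and 5 run on the web host and steps 1, 3 and 4 wherever an admin ticket is available, so the CSR travels to the admin side and the signed certificate travels back; only public material crosses that boundary. Installing `ca.crt` into the client trust stores (the system CA bundle on Linux, the Trusted Root store on Windows, or the browser's own store) is what makes the browser prompt in the reply unnecessary.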


Freeipa-users mailing list
