On 03/11/2014 12:44 PM, Robert Story wrote:
On Mon, 10 Mar 2014 16:07:54 -0400 Simo wrote:
SS>  >  Unfortunately I've already scrapped that install and just went with
SS>  >  the internal self-signed CA. So far, the only annoyance is that the
SS>  >  webserver also presents a self-signed cert for the UI.  Is it safe to
SS>  >  replace just the web cert with a cert signed by my local CA? Or might
SS>  >  that break something?
SS>  Import the CA cert in your browser.

This is exactly what I'm trying to avoid. Users already have to install our
corporate CA cert, and I'd like to avoid having to install two. I'm hoping
that the cert for the UI could be swapped for one signed by our existing CA.


Senior Software Engineer @ Parsons

Freeipa-users mailing list

There are several options:

a) Resolve the issue with CA chaining. It might be due to some data missing in the cert issued by your corporate CA when you tried to chain things. We can drill down into that.

b) You can use the feature available in IPA 3.3 to use CA-less install. It will be in CentOS 7. In this case you can install IPA without any CA and just use your corporate CA. The downside is that all cert-related operations of IPA will be disabled.

c) Import the cert into the browser or the common certs store. I vaguely remember that this change might have been ported to 6.5, but I am not sure off the top of my head.


Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
