I did the default IPA install, didnt change any certs or anything. As part of that install, it now shows 2 certs, one on port 443 (HTTPS) and one on port 636 (LDAPS). These certs dont have a trust chain, hence i called them self-signed. We have a contract with a third party CA that issues TLS certs for us. I was asked to find a way to replace those 2 self signed certs with certs from this third party CA. I was wondering if there was a way i could do that.
I found this - http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP I am currently running 3.0.0. On Mon, Oct 13, 2014 at 6:31 PM, Dmitri Pal <d...@redhat.com> wrote: > On 10/13/2014 03:39 PM, quest monger wrote: > > I found some documentation for getting certificate signed by external CA > (220.127.116.11. Using Different CA Configurations) - > http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/creating-server.html > > But looks like those instructions apply to a first time fresh install, > not for upgrading an existing install. > > > > On Mon, Oct 13, 2014 at 3:24 PM, quest monger <quest.mon...@gmail.com> > wrote: > >> I was told by my admin team that Self-signed certs pose a security risk. >> >> >> On Mon, Oct 13, 2014 at 3:17 PM, Rob Crittenden <rcrit...@redhat.com> >> wrote: >> >>> quest monger wrote: >>> > Hello All, >>> > >>> > I installed FreeIPA server on a CentOS host. I have 20+ Linux and >>> > Solaris clients hooked up to it. SSH and Sudo works on all clients. >>> > >>> > I would like to replace the self-signed cert that is used on Port 389 >>> > and 636. >>> > >>> > Is there a way to do this without re-installing the server and clients. >>> >>> Why do you want to do this? >>> >>> rob >>> >>> >> > > > > Do I get it right that you installed IPA using self-signed certificate and > now want to change it? > What version of IPA you have? Did you use self-signed CA-less install or > using self-signed CA? > The tools to change the chaining are only being released in 4.1 so you > might have to move to latest when we release 4.1 for CentOS. > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IdM portfolio > Red Hat, Inc. > > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go To http://freeipa.org for more info on the project >
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project