Hi there,

My understanding is that the only way to install a third-party cert is to start from scratch. The part that is unclear to me is whether there is a method of exporting the data prior to, and importing the data after, the fresh instance of FreeIPA has been installed. I assume that one would also have to re-install all clients utilizing FreeIPA.
Thanks,
Bill

On Mon Oct 13 15:45:05 2014, quest monger wrote:
> I did the default IPA install, didn't change any certs or anything.
> As part of that install, it now shows 2 certs, one on port 443 (HTTPS) and
> one on port 636 (LDAPS). These certs don't have a trust chain, hence I
> called them self-signed.
> We have a contract with a third-party CA that issues TLS certs for us. I
> was asked to find a way to replace those 2 self-signed certs with certs
> from this third-party CA.
> I was wondering if there was a way I could do that.
>
> I found this -
> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>
> I am currently running 3.0.0.
>
> On Mon, Oct 13, 2014 at 6:31 PM, Dmitri Pal <[email protected]> wrote:
>
>> On 10/13/2014 03:39 PM, quest monger wrote:
>>
>> I found some documentation for getting a certificate signed by an external CA
>> (2.3.3.2. Using Different CA Configurations) -
>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/creating-server.html
>>
>> But it looks like those instructions apply to a first-time fresh install,
>> not to upgrading an existing install.
>>
>> On Mon, Oct 13, 2014 at 3:24 PM, quest monger <[email protected]>
>> wrote:
>>
>>> I was told by my admin team that self-signed certs pose a security risk.
>>>
>>> On Mon, Oct 13, 2014 at 3:17 PM, Rob Crittenden <[email protected]>
>>> wrote:
>>>
>>>> quest monger wrote:
>>>>> Hello All,
>>>>>
>>>>> I installed FreeIPA server on a CentOS host. I have 20+ Linux and
>>>>> Solaris clients hooked up to it. SSH and Sudo work on all clients.
>>>>>
>>>>> I would like to replace the self-signed cert that is used on Port 389
>>>>> and 636.
>>>>>
>>>>> Is there a way to do this without re-installing the server and clients?
>>>>
>>>> Why do you want to do this?
>>>>
>>>> rob
>>>>
>>>
>>
>> Do I get it right that you installed IPA using a self-signed certificate and
>> now want to change it?
>> What version of IPA do you have?
>> Did you use a self-signed CA-less install or a self-signed CA?
>> The tools to change the chaining are only being released in 4.1, so you
>> might have to move to the latest when we release 4.1 for CentOS.
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go To http://freeipa.org for more info on the project
>>
>
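The question Dmitri asks (a CA-less install with literally self-signed service certs, or certs issued by IPA's own CA that the clients simply do not trust) can be answered from the outside before deciding what has to be replaced. The script below is an added example, not code from the thread or from the FreeIPA project. It uses only the openssl CLI; the CA, host and realm names it builds (EXAMPLE.TEST, ipa.example.test, standalone.example.test) are constructed for the demo. `cert_kind` reports "self-signed" only when a certificate validates with itself as the sole trust anchor, `chain_ok` checks a leaf against a CA file (on an IPA client the internal CA is normally at /etc/ipa/ca.crt), and `show_endpoint` applies the same inspection to what a live server presents on 443 or 636 (it is not run by the demo because it needs network access).

```shell
#!/bin/sh
# Added example, not code from the thread or the FreeIPA project.
# Tells a literally self-signed service certificate (it is its own issuer)
# from one issued by a CA the client merely does not trust. Needs only the
# openssl CLI. All names and certificates below are constructed for the demo.
set -eu

# "self-signed" if the certificate validates with itself as the only trust
# anchor, "ca-issued" otherwise.
cert_kind() {
    if openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; then
        echo self-signed
    else
        echo ca-issued
    fi
}

# "yes" if leaf $2 chains to the CA bundle $1, "no" otherwise. Run with the
# IPA CA cert (/etc/ipa/ca.crt on a client) to confirm a service cert is
# issued by the internal CA rather than self-signed.
chain_ok() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# Print subject and issuer of the certificate a live TLS endpoint presents,
# e.g. show_endpoint ipa.example.test 636 (LDAPS) or ... 443 (HTTPS).
# Not executed by the demo: it needs a reachable server.
show_endpoint() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer
}

# Build constructed certificates in directory $1: an internal CA, a leaf for
# the IPA host signed by it, and a standalone self-signed leaf for contrast.
make_demo_certs() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/O=EXAMPLE.TEST/CN=Certificate Authority" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=EXAMPLE.TEST/CN=ipa.example.test" \
        -keyout "$d/ipa.key" -out "$d/ipa.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$d/ipa.csr" \
        -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/ipa.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=standalone.example.test" \
        -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null
}

# Classify both constructed leaves and show which one chains to the CA.
demo() {
    d=$(mktemp -d)
    make_demo_certs "$d"
    for f in ipa self; do
        printf '%s: %s\n' "$f.pem" "$(cert_kind "$d/$f.pem")"
        openssl x509 -in "$d/$f.pem" -noout -subject -issuer
    done
    printf 'ipa.pem chains to ca.pem: %s\n' "$(chain_ok "$d/ca.pem" "$d/ipa.pem")"
    rm -rf "$d"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh certcheck.sh demo`. The constructed ipa.pem comes back as ca-issued and chains to ca.pem while self.pem is self-signed; the two cases call for different fixes, since a certificate that merely lacks a trusted chain is replaced (or its CA distributed) differently from one that has no CA behind it at all, which is why Dmitri asks which kind of install this is.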
