Hi there,

My understanding is the only way to install a third party cert is to 
start from scratch.  The part that is unclear to me is if there is a 
method of exporting the data prior to, and importing the data after the 
fresh instance of freeipa has been installed.  I assume that one would 
also have to re-install all clients utilizing freeipa.

Thanks,
Bill

On Mon Oct 13 15:45:05 2014, quest monger wrote:
> I did the default IPA install, didnt change any certs or anything.
> As part of that install, it now shows 2 certs, one on port 443 (HTTPS) and
> one on port 636 (LDAPS). These certs dont have a trust chain, hence i
> called them self-signed.
> We have a contract with a third party CA that issues TLS certs for us. I
> was asked to find a way to replace those 2 self signed certs with certs
> from this third party CA.
> I was wondering if there was a way i could do that.
>
> I found this -
> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>
> I am currently running 3.0.0.
>
>
>
> On Mon, Oct 13, 2014 at 6:31 PM, Dmitri Pal <d...@redhat.com> wrote:
>
>>  On 10/13/2014 03:39 PM, quest monger wrote:
>>
>> I found some documentation for getting certificate signed by external CA
>> (2.3.3.2. Using Different CA Configurations) -
>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/creating-server.html
>>
>>  But looks like those instructions apply to a first time fresh install,
>> not for upgrading an existing install.
>>
>>
>>
>> On Mon, Oct 13, 2014 at 3:24 PM, quest monger <quest.mon...@gmail.com>
>> wrote:
>>
>>> I was told by my admin team that Self-signed certs pose a security risk.
>>>
>>>
>>> On Mon, Oct 13, 2014 at 3:17 PM, Rob Crittenden <rcrit...@redhat.com>
>>> wrote:
>>>
>>>>  quest monger wrote:
>>>>> Hello All,
>>>>>
>>>>> I installed FreeIPA server on a CentOS host. I have 20+ Linux and
>>>>> Solaris clients hooked up to it. SSH and Sudo works on all clients.
>>>>>
>>>>> I would like to replace the self-signed cert that is used on Port 389
>>>>> and 636.
>>>>>
>>>>> Is there a way to do this without re-installing the server and clients.
>>>>
>>>>  Why do you want to do this?
>>>>
>>>> rob
>>>>
>>>>
>>>
>>
>>
>>
>> Do I get it right that you installed IPA using self-signed certificate and
>> now want to change it?
>> What version of IPA you have? Did you use self-signed CA-less install or
>> using self-signed CA?
>> The tools to change the chaining are only being released in 4.1 so you
>> might have to move to latest when we release 4.1 for CentOS.
>>
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
>>
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go To http://freeipa.org for more info on the project
>>
>
>
>

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to