On 10/13/2014 06:45 PM, quest monger wrote:
I did the default IPA install, didn't change any certs or anything.
As part of that install, it now shows 2 certs, one on port 443 (HTTPS) and one on port 636 (LDAPS). These certs don't have a trust chain, hence I called them self-signed. We have a contract with a third party CA that issues TLS certs for us. I was asked to find a way to replace those 2 self-signed certs with certs from this third party CA.
I was wondering if there was a way I could do that.

I found this - http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

I am currently running 3.0.0.



AFAIU the biggest issue will be with the clients.
I suspect that they might be quite confused if you just drop in the certs from the 3rd party.
If you noticed the page has the following line:
"The certificate in mysite.crt must be signed by the CA used when installing FreeIPA." I think it should say by "external" CA to be clear. It is not the case in your situation. If it were the situation the CA would have been already in the trust chain on the clients and the procedure would have worked, but I do not think it would work now. You would need to use the cert chaining tool that was built in 4.1 when 4.1 gets released on CentOS.




On Mon, Oct 13, 2014 at 6:31 PM, Dmitri Pal <d...@redhat.com> wrote:

    On 10/13/2014 03:39 PM, quest monger wrote:
    I found some documentation for getting a certificate signed by an
    external CA (2.3.3.2. Using Different CA Configurations) -
    http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/creating-server.html


    But it looks like those instructions apply to a first-time fresh
    install, not to upgrading an existing install.



    On Mon, Oct 13, 2014 at 3:24 PM, quest monger
    <quest.mon...@gmail.com> wrote:

        I was told by my admin team that self-signed certs pose a
        security risk.


        On Mon, Oct 13, 2014 at 3:17 PM, Rob Crittenden
        <rcrit...@redhat.com> wrote:

            quest monger wrote:
            > Hello All,
            >
            > I installed FreeIPA server on a CentOS host. I have 20+
            > Linux and Solaris clients hooked up to it. SSH and Sudo
            > work on all clients.
            >
            > I would like to replace the self-signed cert that is
            > used on Port 389 and 636.
            >
            > Is there a way to do this without re-installing the
            > server and clients?

            Why do you want to do this?

            rob






    Do I get it right that you installed IPA using a self-signed
    certificate and now want to change it?
    What version of IPA do you have? Did you use a self-signed CA-less
    install or a self-signed CA?
    The tools to change the chaining are only being released in 4.1, so
    you might have to move to the latest when we release 4.1 for CentOS.


    --
    Thank you,
    Dmitri Pal

    Sr. Engineering Manager IdM portfolio
    Red Hat, Inc.


    --
    Manage your subscription for the Freeipa-users mailing list:
    https://www.redhat.com/mailman/listinfo/freeipa-users
    Go To http://freeipa.org for more info on the project




--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

