Thanks for all the info. I think I will wait for the 4.1 update.




This message (including any attachments) contains confidential information 
intended for a specific individual and purpose, and is protected by law. If you 
are not the intended recipient, you should delete this message and any 
disclosure, copying, or distribution of this message, or the taking of any 
action based on it, by you is strictly prohibited.

v.E.1


-----Original Message-----
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Rob Crittenden
Sent: Tuesday, October 14, 2014 9:43 AM
To: quest monger; d...@redhat.com
Cc: FreeIPA
Subject: Re: [Freeipa-users] Replace Self-Signed Cert

quest monger wrote:
> makes sense.
> i will still try out that cert add command in my test environment, just
> to see if it works.
> looks like for now, 4.1 upgrade is my best option.

IPA 3.x includes a command, ipa-server-certinstall, which will do what
you need. This can be a bumpy process with clients and such which is why
Dmitri suggested using 4.1, but it should still basically work. It
depends greatly on whether the CA issuing the certs is already known by
clients (for example being a default CA shipped by NSS and openssl).

But I'd step cautiously and ask a lot of questions before you proceed.
The IPA certificates are not self-signed. They are issued by a CA
controlled by IPA.  I think your admin's concerns are related to users
getting an unknown CA/cert error. It can be confusing and can train
users to accept any SSL certificate they see which is bad.

There are some downsides to not using the IPA CA:

- no automatic renewal of certificates. This means you need to manually
monitor your infrastructure and renew the certificates before they
expire. Otherwise your identity infrastructure could go down.
- for every replica you set up you will need to get a web and ldap
certificate in advance

rob

>
>
> On Mon, Oct 13, 2014 at 7:01 PM, Dmitri Pal <d...@redhat.com
> <mailto:d...@redhat.com>> wrote:
>
>     On 10/13/2014 06:45 PM, quest monger wrote:
>>     I did the default IPA install, didnt change any certs or anything.
>>     As part of that install, it now shows 2 certs, one on port 443
>>     (HTTPS) and one on port 636 (LDAPS). These certs dont have a trust
>>     chain, hence i called them self-signed.
>>     We have a contract with a third party CA that issues TLS certs for
>>     us. I was asked to find a way to replace those 2 self signed certs
>>     with certs from this third party CA.
>>     I was wondering if there was a way i could do that.
>>
>>     I found this
>>     - http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>>
>>     I am currently running 3.0.0.
>>
>>
>
>     AFAIU the biggest issue will be with the clients.
>     I suspect that they might be quite confused if you just drop in the
>     certs from the 3rd party.
>     If you noticed the page has the following line:
>     "The certificate in mysite.crt must be signed by the CA used when
>     installing FreeIPA." I think it should say by "external" CA to be clear.
>     It is not the case in your situation. If it were the situation the
>     CA would have been already in trust chain on the clients and
>     procedure would have worked but I do not think it would work now.
>     You would need to use the cert chaining tool that was was built in
>     4.1 when 4.1 gets released on CentOS.
>
>
>
>
>>
>>     On Mon, Oct 13, 2014 at 6:31 PM, Dmitri Pal <d...@redhat.com
>>     <mailto:d...@redhat.com>> wrote:
>>
>>         On 10/13/2014 03:39 PM, quest monger wrote:
>>>         I found some documentation for getting certificate signed by
>>>         external CA (2.3.3.2. Using Different CA Configurations) -
>>>         
>>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/creating-server.html
>>>
>>>
>>>         But looks like those instructions apply to a first time fresh
>>>         install, not for upgrading an existing install.
>>>
>>>
>>>
>>>         On Mon, Oct 13, 2014 at 3:24 PM, quest monger
>>>         <quest.mon...@gmail.com <mailto:quest.mon...@gmail.com>> wrote:
>>>
>>>             I was told by my admin team that Self-signed certs pose a
>>>             security risk.
>>>
>>>
>>>             On Mon, Oct 13, 2014 at 3:17 PM, Rob Crittenden
>>>             <rcrit...@redhat.com <mailto:rcrit...@redhat.com>> wrote:
>>>
>>>                 quest monger wrote:
>>>                 > Hello All,
>>>                 >
>>>                 > I installed FreeIPA server on a CentOS host. I have
>>>                 20+ Linux and
>>>                 > Solaris clients hooked up to it. SSH and Sudo works
>>>                 on all clients.
>>>                 >
>>>                 > I would like to replace the self-signed cert that
>>>                 is used on Port 389
>>>                 > and 636.
>>>                 >
>>>                 > Is there a way to do this without re-installing the
>>>                 server and clients.
>>>
>>>                 Why do you want to do this?
>>>
>>>                 rob
>>>
>>>
>>>
>>>
>>>
>>
>>         Do I get it right that you installed IPA using self-signed
>>         certificate and now want to change it?
>>         What version of IPA you have? Did you use self-signed CA-less
>>         install or using self-signed CA?
>>         The tools to change the chaining are only being released in
>>         4.1 so you might have to move to latest when we release 4.1
>>         for CentOS.
>>
>>
>>         --
>>         Thank you,
>>         Dmitri Pal
>>
>>         Sr. Engineering Manager IdM portfolio
>>         Red Hat, Inc.
>>
>>
>>         --
>>         Manage your subscription for the Freeipa-users mailing list:
>>         https://www.redhat.com/mailman/listinfo/freeipa-users
>>         Go To http://freeipa.org for more info on the project
>>
>>
>
>
>     --
>     Thank you,
>     Dmitri Pal
>
>     Sr. Engineering Manager IdM portfolio
>     Red Hat, Inc.
>
>
>
>

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to