On 03/13/2015 01:47 PM, Johnny Tan wrote:
On Wed, Mar 4, 2015 at 5:56 PM, Dmitri Pal <d...@redhat.com> wrote:

    IPA does not use certs for communication between the instances. It
    uses Kerberos. I am not sure the GoDaddy cert you added is even
    used in some way by IPA.


Dmitri or Rob:

Could you explain what the various uses of the IPA certs are, then? AFAICT, the IPA masters generate a certificate for each node in the realm. Why does it do that? I thought it was for:
- Webui/api (apache) communication over https.
- LDAP binding/communication over 636 (TLS).

Rob would definitely know more but IPA mostly provides certs for the infra it serves and has a limited use of the certs by itself.
So here is where I know it is used:
- You can issue certs for hosts and services, and the installer used to create certs for hosts automatically, though these certs are not used for anything and we decided not to create them automatically any more.
- You need to trust IPA in the browser so that you can do forms-based authentication if you do not have a Kerberos ticket.
- To issue certs we use Dogtag, and Dogtag understands only cert-based authentication, so internally the communication between the management framework and Dogtag uses SSL. This is actually why the host-del fails. The host had a cert issued by the IPA CA, so as part of the del operation it tries to revoke the cert, but since you reconfigured the system to be CA-less it can't and fails.

The communication between the LDAP servers is Kerberos authenticated.


But if the certs are not utilized for communication between the instances (per statement above), what are they used for?

I'm not hijacking the thread, I'm actually in the exact same position as OP. I replaced the self-signed IPA/dogtag CA root with one that was signed by our own CA and am now having problems with various cert errors during client enrollment or any other similar activity (like doing an 'ipa host-del' directly on an IPA master).

We have a special tool in Freeipa 4.2 to do this. The manual procedure is cumbersome and leads to issues like this.


I can post those details in a separate thread, but before I go down that path, I want to better understand what the purpose of the certs is so I can determine what's the best path forward for us.

As I understand it from the docs, there are three primary ways to run IPA with respect to a CA:
- self-signed IPA CA, this is the default
- signing the IPA CA root with an "external"/3rd-party CA
- running "CA-less" and providing all certs with the external/3rd-party CA (depending on what the use/purpose of the certs are, this is increasingly becoming an attractive option but is likely also tedious in its own right)


You are correct here.

Thanks for any insight.

On Wed, Mar 4, 2015 at 5:56 PM, Dmitri Pal <d...@redhat.com> wrote:

    On 03/04/2015 04:32 PM, sipazzo wrote:
    Good afternoon, we have a freeipa 3.0.42 installation running on
    Red Hat 6.6 with a mix of RHEL 5, RHEL 6 and Solaris clients. It
    was originally configured with the built in dogtag certificate CA
    and then one of my co-workers added our GoDaddy certificate to
    the certificate bundle. My understanding is this cert is used for
    communication between the ipa servers as well as the clients are
    also configured to trust the GoDaddy certificate. We recently had
    to get a new GoDaddy cert so our old one is revoked. I need to
    figure out how to either replace the existing revoked cert with
    the new one or add the new one to the bundle and then remove the
    revoked certificate so as not to break anything.

    Any help is appreciated. I am not strong with certificates so the
    more detail you can give the better.
    Thank you.


    You say it was running with the self-signed IPA CA and then the
    GoDaddy cert was added to the bundle. How was it added?
    IPA does not use certs for communication between the instances. It
    uses Kerberos. I am not sure the GoDaddy cert you added is even
    used in some way by IPA.
    It seems that your GoDaddy cert is an orthogonal trust, so if you
    replaced the main key pair then you just need to distribute your
    new GoDaddy cert to the clients as you did in the first place.


    --
    Thank you,
    Dmitri Pal

    Sr. Engineering Manager IdM portfolio
    Red Hat, Inc.


    --
    Manage your subscription for the Freeipa-users mailing list:
    https://www.redhat.com/mailman/listinfo/freeipa-users
    Go To http://freeipa.org for more info on the project

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
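The reply above names two TLS consumers of the certs IPA issues: the web UI/API on 443 and LDAP on 636. After a CA swap, what actually matters is which CA issued the cert each of those services presents and whether clients still trust it. Below is an added example (not from this thread or from the FreeIPA project) that connects to both ports, verifies the presented cert against a CA bundle, and reports the issuer and subject CN. It assumes /etc/ipa/ca.crt as the default CA file, which is the path an IPA client install writes; the host name and the CN values in the comments are constructed samples.

```python
"""Report which CA issued the certificates an IPA server presents on
its HTTPS (443) and LDAPS (636) endpoints, and whether they chain to a
given CA bundle.  Added example for this thread; it is not code from the
FreeIPA project.  The default CA path /etc/ipa/ca.crt is the one an IPA
client install writes (assumption: adjust it if your layout differs)."""
import socket
import ssl
import sys

# The two TLS consumers of IPA-issued certs named in the thread.
ENDPOINTS = {"https": 443, "ldaps": 636}


def _cn_from(rdns):
    """Extract commonName from a getpeercert()-style sequence of RDNs.

    getpeercert() encodes 'subject' and 'issuer' as a tuple of RDNs,
    each RDN being a tuple of (attribute, value) pairs.
    """
    for rdn in rdns:
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def issuer_cn(peercert):
    """CN of the certificate's issuer, or None if absent."""
    return _cn_from(peercert.get("issuer", ()))


def subject_cn(peercert):
    """CN of the certificate's subject, or None if absent."""
    return _cn_from(peercert.get("subject", ()))


def check_endpoint(host, port, cafile, timeout=5.0):
    """TLS-connect to host:port trusting only cafile.

    Returns a dict describing the outcome.  A verification failure is
    reported, not raised: that is exactly the condition a CA swap
    produces when a service still presents a cert from the old CA.
    """
    result = {"host": host, "port": port, "verified": False,
              "issuer": None, "subject": None, "error": None}
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                result.update(verified=True,
                              issuer=issuer_cn(cert),
                              subject=subject_cn(cert))
    except (ssl.SSLError, OSError) as exc:
        result["error"] = str(exc)
    return result


def describe(result):
    """One-line human summary of a check_endpoint() result."""
    where = "%s:%d" % (result["host"], result["port"])
    if result["verified"]:
        return "%s: OK, subject CN=%s issued by CN=%s" % (
            where, result["subject"], result["issuer"])
    return "%s: FAILED (%s)" % (where, result["error"])


def main(argv):
    # Usage: python ipa_tls_check.py ipa1.example.test [/path/to/ca.crt]
    # (ipa1.example.test is a constructed sample host name.)
    if len(argv) < 2:
        print("usage: %s <ipa-server-fqdn> [cafile]" % argv[0])
        return 2
    host = argv[1]
    cafile = argv[2] if len(argv) > 2 else "/etc/ipa/ca.crt"
    failures = 0
    for name, port in ENDPOINTS.items():
        result = check_endpoint(host, port, cafile)
        print("%-5s %s" % (name, describe(result)))
        failures += 0 if result["verified"] else 1
    return 1 if failures else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once with the IPA CA bundle and once with the external CA bundle you intend clients to trust: a port that verifies only against the old bundle is a service that still needs its cert replaced before the old CA can be dropped.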
