On 04/07/2015 01:44 PM, James James wrote:
> ok.
>
> Is there a way to migrate from an external CA to a CA-less or a self-signed
> CA ?

Yes, you can use ipa-cacert-manage tool introduced in FreeIPA 4.1.0:

https://www.freeipa.org/page/Howto/CA_Certificate_Renewal
https://www.freeipa.org/page/V4/CA_certificate_renewal

(Although I am still not sure about your use case and if this would help you)

>
> 2015-04-07 12:51 GMT+02:00 Martin Kosek <mko...@redhat.com>:
>
>> On 04/03/2015 11:39 AM, James James wrote:
>>> Hello,
>>>
>>> I want to initialize a new replica with an external CA. My Certificate
>>> Authority wants a CSR with the field emailAddress in the subject like :
>>>
>>> /C=FR/O=TESTO/OU=TESTOU/CN=*.example.com/emailAddress=n...@none.com
>>
>> I am not a bit confused. Do you plan to have FreeIPA *without* a CA or
>> with own CA signed by external CA?
>>
>> FreeIPA supports these kinds of setups right now:
>> http://www.freeipa.org/page/PKI#Blending_in_PKI_infrastructure
>>
>>> How can I do with the ipa-server-install command ? I have been trying
>>> for few days but I still can't.
>>>
>>> Thanks for your help.
>>
>> CCing Honza who should know the definitive answer. However, FreeIPA was not
>> very flexible in configuring special subjects for its CA certificate (i.e.
>> cn=Certificate Authority, ou=...) or hosts in case of CA-less setup.
>>
>