Dne 7.4.2015 v 15:31 Martin Kosek napsal(a):
On 04/07/2015 02:08 PM, James James wrote:
I will try to give a better explanation :

I have a CentOS 6.6 with ipa 3.0 named ipa-master. ipa-master has been
installed with an external CA about 3 years ago and I will have to renew
the certificate soon.

  I have created a test server (ipa-dev) with the same configuration (centos
6.6 and ipa 3.0) to test the renewal process. I want the new ipa-dev sever
to be installed with an external CA.

In the same time my external CA has changed and wants the emailAddress
field in the certificate request 's subject.

CSR during installation with external CA is produced by Dogtag, so you are
constrained with the options and capabilities provided by ipa-server-install.
Maybe it would be possible to modify the CSR and update the Subject manually,
but I expect it would crash the installer later (JanC may know more (CCed))

The subject name identifies the CA in server (and other) certificates. If you change it, you break the trust chain from the CA certificate to the server certificates and that will break all SSL in IPA.

If it is not possible to add emailAddress in the subject, is it possible to
migrate my ipa-master CA system from an external CA to a CA-less or
self-signed CA ?

It is, with ipa-cacert-manage - see links below.

You can change your external CA to self-signed CA in IPA 4.1 or newer by running:

    # ipa-cacert-manage renew --self-signed

You can't change external CA to CA-less.


2015-04-07 13:48 GMT+02:00 Martin Kosek <mko...@redhat.com>:

On 04/07/2015 01:44 PM, James James wrote:

Is there a way to migrate from an external CA to a CA-less or a
CA  ?

Yes, you can use ipa-cacert-manage tool introduced in FreeIPA 4.1.0:


(Although I am still not sure about your use case and if this would help

2015-04-07 12:51 GMT+02:00 Martin Kosek <mko...@redhat.com>:

On 04/03/2015 11:39 AM, James James wrote:

I want to initialize a new replica with an external CA. My Certificate
Authority wants a CSR with the field emailAddress in the subject like :


I am not a bit confused. Do you plan to have FreeIPA *without* a CA or
with own
CA signed by external CA?

FreeIPA supports these kinds of setups right now:

  How can I do with the ipa-server-install command ?  I have been trying
few days but I still can't.

Thanks for your help.

CCing Honza who should know the definitive answer. However, FreeIPA was
very flexible in configuring special subjects for it's CA certificate
cn=Certificate Authority, ou=...) or hosts in case of CA-less setup.

Jan Cholasta

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to