It's a little bit more clear. Thanks.

I have created a new ipa 4.1 replica but when I want to run:

# ipa-cacert-manage renew --self-signed

I've got this message:

[root@ipa-devel-centos7 ~]# ipa-cacert-manage renew --self-signed
CA is not configured on this system

If I want to install the CA I've got this message:

[root@ipa-devel-centos7 system]# ipa-ca-install --password=mypassorwd -U
CA is already installed.

Do I have to promote the replica to a standalone master before installing the CA?

Any hints will be appreciated...

James

2015-04-08 7:27 GMT+02:00 Jan Cholasta <[email protected]>:

> On 7.4.2015 at 15:31 Martin Kosek wrote:
>
>> On 04/07/2015 02:08 PM, James James wrote:
>>
>>> I will try to give a better explanation:
>>>
>>> I have a CentOS 6.6 with ipa 3.0 named ipa-master. ipa-master has been
>>> installed with an external CA about 3 years ago and I will have to renew
>>> the certificate soon.
>>>
>>> I have created a test server (ipa-dev) with the same configuration (centos
>>> 6.6 and ipa 3.0) to test the renewal process. I want the new ipa-dev server
>>> to be installed with an external CA.
>>>
>>> At the same time my external CA has changed and wants the emailAddress
>>> field in the certificate request's subject.
>>
>> CSR during installation with external CA is produced by Dogtag, so you are
>> constrained with the options and capabilities provided by ipa-server-install.
>> Maybe it would be possible to modify the CSR and update the Subject manually,
>> but I expect it would crash the installer later (JanC may know more (CCed))
>
> The subject name identifies the CA in server (and other) certificates. If
> you change it, you break the trust chain from the CA certificate to the
> server certificates and that will break all SSL in IPA.
>
>>> If it is not possible to add emailAddress in the subject, is it possible to
>>> migrate my ipa-master CA system from an external CA to a CA-less or
>>> self-signed CA?
>>
>> It is, with ipa-cacert-manage - see links below.
>
> You can change your external CA to self-signed CA in IPA 4.1 or newer by
> running:
>
> # ipa-cacert-manage renew --self-signed
>
> You can't change external CA to CA-less.
>
>>> Thanks.
>>>
>>> 2015-04-07 13:48 GMT+02:00 Martin Kosek <[email protected]>:
>>>
>>>> On 04/07/2015 01:44 PM, James James wrote:
>>>>
>>>>> ok.
>>>>>
>>>>> Is there a way to migrate from an external CA to a CA-less or a
>>>>> self-signed CA?
>>>>
>>>> Yes, you can use ipa-cacert-manage tool introduced in FreeIPA 4.1.0:
>>>>
>>>> https://www.freeipa.org/page/Howto/CA_Certificate_Renewal
>>>> https://www.freeipa.org/page/V4/CA_certificate_renewal
>>>>
>>>> (Although I am still not sure about your use case and if this would help
>>>> you)
>>>>
>>>>> 2015-04-07 12:51 GMT+02:00 Martin Kosek <[email protected]>:
>>>>>
>>>>>> On 04/03/2015 11:39 AM, James James wrote:
>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> I want to initialize a new replica with an external CA. My Certificate
>>>>>>> Authority wants a CSR with the field emailAddress in the subject like:
>>>>>>>
>>>>>>> /C=FR/O=TESTO/OU=TESTOU/CN=*.example.com/[email protected]
>>>>>>
>>>>>> I am not a bit confused. Do you plan to have FreeIPA *without* a CA or
>>>>>> with own CA signed by external CA?
>>>>>>
>>>>>> FreeIPA supports these kinds of setups right now:
>>>>>> http://www.freeipa.org/page/PKI#Blending_in_PKI_infrastructure
>>>>>>
>>>>>>> How can I do with the ipa-server-install command? I have been trying
>>>>>>> for a few days but I still can't.
>>>>>>>
>>>>>>> Thanks for your help.
>>>>>>
>>>>>> CCing Honza who should know the definitive answer. However, FreeIPA was
>>>>>> not very flexible in configuring special subjects for its CA certificate
>>>>>> (i.e. cn=Certificate Authority, ou=...) or hosts in case of CA-less setup.
>
> --
> Jan Cholasta
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
