On 05/14/2015 10:15 AM, David Little wrote:
Hi there,
I was reading this document regarding using 3rd party certificates in
FreeIPA:
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
Which includes the information "The certificate in mysite.crt must be
signed by the CA used when installing FreeIPA."
Also this thread:
http://www.redhat.com/archives/freeipa-users/2014-August/msg00338.html
Which says at the end " I'm wondering if it's because of this from the
doc "The certificate in mysite.crt must be signed by the CA used when
installing FreeIPA." but it might not either...
In this case you should get a "file.p12 is not signed by
/etc/ipa/ca.crt, or the full certificate chain is not
present in the PKCS#12 file" error in ipa-server-certinstall."
This brings me to my question... If I have an existing multi-server
FreeIPA setup with multiple IPA client installations, using a
self-signed CA certificate for /etc/ipa/ca.crt, would I need to start
over the FreeIPA installation from scratch using the public root CA,
which signed the wildcard certificate?
Thanks,
Dave
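The condition behind the ipa-server-certinstall error quoted above can be checked ahead of time with plain openssl. The script below is an added example and is not FreeIPA's own code: it constructs two throwaway CAs (one standing in for the CA FreeIPA was installed with, i.e. /etc/ipa/ca.crt, the other for a public root), issues a wildcard certificate from each, packs each into a PKCS#12 file, and then runs the same verification the installer does, namely that the leaf in the bundle chains to the IPA CA, with any extra certificates in the bundle treated only as untrusted intermediates. All file names, subjects and the password "secret" are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not FreeIPA code): reproduce the chain check behind the
# ipa-server-certinstall error with openssl only. Two CAs and two leaf
# certificates are constructed here as sample input; "ipa-ca.crt" stands in
# for /etc/ipa/ca.crt. All names, subjects and the password are assumptions.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the CA extensions do not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# make_ca NAME CN: self-signed CA certificate and key in $WORK/NAME.{crt,key}.
make_ca() {
    openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# make_leaf NAME CA CN: key, CSR and certificate for NAME, signed by CA.
make_leaf() {
    openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$3" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 30 -out "$WORK/$1.crt" 2>/dev/null
}

# make_p12 NAME CA: bundle NAME's key and certificate plus CA's certificate
# into $WORK/NAME.p12 (this is what an admin hands to ipa-server-certinstall).
make_p12() {
    openssl pkcs12 -export -in "$WORK/$1.crt" -inkey "$WORK/$1.key" \
        -certfile "$WORK/$2.crt" -passout pass:secret -out "$WORK/$1.p12" 2>/dev/null
}

# check_p12_chain P12 PASSWORD CAFILE: the condition the installer enforces,
# rebuilt with openssl. The leaf in the bundle must chain to CAFILE; extra
# certificates carried in the bundle count only as untrusted intermediates,
# never as trust anchors. Prints a verdict; exit status 0 means the chain is OK.
check_p12_chain() {
    _d="$(mktemp -d)"
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$_d/leaf.pem" 2>/dev/null
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -cacerts -out "$_d/chain.pem" 2>/dev/null
    if [ -s "$_d/chain.pem" ]; then
        _extra="-untrusted $_d/chain.pem"
    else
        _extra=""
    fi
    # $_extra is intentionally word-split: it is empty or a single option+path.
    if openssl verify -CAfile "$3" $_extra "$_d/leaf.pem" >/dev/null 2>&1; then
        rm -rf "$_d"
        echo "$1: signed by $3"
        return 0
    fi
    rm -rf "$_d"
    echo "$1 is not signed by $3, or the full certificate chain is not present in the PKCS#12 file"
    return 1
}

make_ca ipa-ca "Example IPA CA"           # the CA FreeIPA was installed with
make_ca public-ca "Example Public Root"   # an unrelated public root
make_leaf site-ipa ipa-ca "*.ipa.example.test"
make_leaf site-public public-ca "*.ipa.example.test"
make_p12 site-ipa ipa-ca
make_p12 site-public public-ca

# Only the bundle whose leaf chains to ipa-ca.crt passes; bundling the public
# root inside the other .p12 does not help, because the anchor is fixed.
for name in site-ipa site-public; do
    check_p12_chain "$WORK/$name.p12" secret "$WORK/ipa-ca.crt" || true
done
```

Against a real deployment, point check_p12_chain at the actual bundle and at /etc/ipa/ca.crt. A bundle that fails this check will fail inside ipa-server-certinstall for the same reason: the check is about which CA is the trust anchor, not about whether the .p12 happens to carry its own issuer's certificate.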
Did you get an answer?
If not, starting with 4.1 IPA has a tool that can change the chaining and also
convert from CA-less to CA-full. I am not sure it can do the reverse, so
you might in fact have to start over.
http://www.freeipa.org/page/V4/CA-less_to_CA-full_conversion
--
Thank you,
Dmitri Pal
Director of Engineering for IdM portfolio
Red Hat, Inc.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project