How smooth is the renewal process ? if the webui cert expires, does it
affect the core ipa functionality in any way ? Also, when ipa does it's own
auto-renewal, does it leave the webui alone if set up this way ?

On Wed, Jul 1, 2015 at 9:16 PM, Prashant Bapat <prash...@apigee.com> wrote:

> I had the exact same requirement. Since we're on AWS, I ended up putting a
> ELB in front of each of my IPA servers with a commercial cert for web UI.
> The communication between ELB and the IPA server is using the IPA CA cert.
>
> On 2 July 2015 at 07:03, Rob Crittenden <rcrit...@redhat.com> wrote:
>
>> Stephen Ingram wrote:
>>
>>> I setup IPA using the internal CA. I'd like to continue using this CA,
>>> however, I'd also like to allow authorized external browser users (who
>>> haven't imported our CA) to access the WebUI without receiving a
>>> warning. Is it possible to add a 3rd party certificate and CA such that
>>> it is only used for the WebUI using the instructions at
>>> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP?
>>>
>>> Steve
>>>
>>>
>>>
>> In a word: yes.
>>
>> I'd recommend making a backup of /etc/httpd/alias and
>> /etc/httpd/conf.d/nss.conf  before doing this to make rolling back, if
>> necessary, easier.
>>
>> rob
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to