On Wed, Jul 1, 2015 at 9:16 PM, Prashant Bapat <prash...@apigee.com> wrote:

> I had the exact same requirement. Since we're on AWS, I ended up putting a
> ELB in front of each of my IPA servers with a commercial cert for web UI.
> The communication between ELB and the IPA server is using the IPA CA cert.
>
> On 2 July 2015 at 07:03, Rob Crittenden <rcrit...@redhat.com> wrote:
>
>> Stephen Ingram wrote:
>>
>>> I setup IPA using the internal CA. I'd like to continue using this CA,
>>> however, I'd also like to allow authorized external browser users (who
>>> haven't imported our CA) to access the WebUI without receiving a
>>> warning. Is it possible to add a 3rd party certificate and CA such that
>>> it is only used for the WebUI using the instructions at
>>> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP?
>>>
>>> Steve
>>>
>>>
>>>
>> In a word: yes.
>>
>> I'd recommend making a backup of /etc/httpd/alias and
>> /etc/httpd/conf.d/nss.conf  before doing this to make rolling back, if
>> necessary, easier.
>>
>
Just a follow-up to this. I did end up adding the cert to the WebUI only.
However, I was too scared to use the ipa-server-certinstall command,
especially since I'm on 3.0 still, and really wasn't too sure what it was
going to do. Instead, like Rob suggested (and this certainly was necessary)
I backed up /etc/httpd/alias before I started. I then proceeded to do a
cert request from the same NSS db that contains the IPA certs. I then
inserted the signed cert using the certutil tool. I also inserted the CA
cert from the 3rd party that actually signed the cert. Then a quick edit to
nss.conf to change the governing certificate, a restart and I was good to
go. No problems so far. I think the tools like sssd and ipa-client use the
directory server and the kerberos db more than they would use the web
service, so hopefully no problems down the line. Hope this is of some help
to others who might want to do this.

Steve
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to