On 22/09/15 17:02, James Masson wrote:


we're building IPAs in an automated fashion, for environments that get
created and destroyed a lot. At the moment, the CA certs used inside
these IPAs are self-signed, as part of the normal "ipa-server-install"
setup process.

We would like to switch to issuing signed intermediate CA certs to the
IPAs we deploy.

The documentation lists the two part process necessary for this. First
"--external-ca" - and then "--external-cert-file"

Are there any ways to skip this, and give the setup process a known
public/private key+cert up front? I'm hoping to avoid the need to have
to use/send this automatically generated CSR every time.


James M

Hello James,
currently it's not possible but making installation with externally signed CA single step sounds really useful to me. Currently certmonger is generating the CSR for FreeIPA server in the first step of installation. Certmonger is also able to send certificate to external CA for signing.

I'm not sure if we could combine these two cermonger's abilities right now but if not it shouldn't be difficult to add functionality to certmonger to send the CSR to preconfigured CA instead of just storing it in file.

This would of course require configuring the certmonger with information about the CA before FreeIPA server installation but it's just one command (getcert-add-ca).

Could you please file a ticket (https://fedorahosted.org/freeipa/newticket)?

David Kupka

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to