On 22/09/15 17:02, James Masson wrote:
we're building IPAs in an automated fashion, for environments that get
created and destroyed a lot. At the moment, the CA certs used inside
these IPAs are self-signed, as part of the normal "ipa-server-install"
We would like to switch to issuing signed intermediate CA certs to the
IPAs we deploy.
The documentation lists the two part process necessary for this. First
"--external-ca" - and then "--external-cert-file"
Are there any ways to skip this, and give the setup process a known
public/private key+cert up front? I'm hoping to avoid the need to have
to use/send this automatically generated CSR every time.
currently it's not possible but making installation with externally
signed CA single step sounds really useful to me.
Currently certmonger is generating the CSR for FreeIPA server in the
first step of installation. Certmonger is also able to send certificate
to external CA for signing.
I'm not sure if we could combine these two cermonger's abilities right
now but if not it shouldn't be difficult to add functionality to
certmonger to send the CSR to preconfigured CA instead of just storing
it in file.
This would of course require configuring the certmonger with information
about the CA before FreeIPA server installation but it's just one
Could you please file a ticket (https://fedorahosted.org/freeipa/newticket)?
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project