On 23/09/15 11:03, Fraser Tweedale wrote:
On Wed, Sep 23, 2015 at 09:09:25AM +0200, David Kupka wrote:
On 22/09/15 17:02, James Masson wrote:

Hi,

we're building IPAs in an automated fashion, for environments that get
created and destroyed a lot. At the moment, the CA certs used inside
these IPAs are self-signed, as part of the normal "ipa-server-install"
setup process.

We would like to switch to issuing signed intermediate CA certs to the
IPAs we deploy.

The documentation lists the two part process necessary for this. First
"--external-ca" - and then "--external-cert-file"

Are there any ways to skip this, and give the setup process a known
public/private key+cert up front? I'm hoping to avoid the need to have
to use/send this automatically generated CSR every time.

thanks

James M


Hello James,
currently it's not possible but making installation with externally signed
CA single step sounds really useful to me.
Currently certmonger is generating the CSR for FreeIPA server in the first
step of installation. Certmonger is also able to send certificate to
external CA for signing.

I'm not sure if we could combine these two cermonger's abilities right now
but if not it shouldn't be difficult to add functionality to certmonger to
send the CSR to preconfigured CA instead of just storing it in file.

This would of course require configuring the certmonger with information
about the CA before FreeIPA server installation but it's just one command
(getcert-add-ca).

Could you please file a ticket (https://fedorahosted.org/freeipa/newticket)?

There are two sides to this - one is using Certmonger for automatic
signing of intermediate CA certificate to be used by IPA, the other
is simply using a CA cert that the administrator already possesses,
e.g. in a PKCS #12 file.  These should be separate tickets.

Cheers,
Fraser

--
David Kupka

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Done -

https://fedorahosted.org/freeipa/ticket/5317
https://fedorahosted.org/freeipa/ticket/5318

Would it be possible to use Certmonger to help the 2 step process used at the moment?

ie. run 'ipa-server-install' the first time - get the CSR
use local Certmonger to handle the CSR submission to upstream CA
use the resulting Cert in the second 'ipa-server-install'

Any pointers?

regards

James M





--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to