Not sure if I should start a new thread for this, but...

I am now trying to follow the instructions given in this thread: I
think this configuration should work well with our deployment strategy.

I feel like I am following the steps exactly but always end up with "full
certificate chain is not present in /etc/ipa/pki/" during
ipa-server-install.  Have others followed this process more recently?  I
am wondering if there might have been any changes so that these steps no
longer work, or possibly there is an easier way to do this now.

I am running version: ipa-server-4.1.0-18.el7.centos.4.x86_64.

On 11/1/15, 10:40 PM, "Fraser Tweedale" <> wrote:

>On Mon, Nov 02, 2015 at 01:29:48AM +0000, Sean Conley - US wrote:
>> Hello,
>> I am new to FreeIPA and am attempting to stand up my first
>> operational instance.  We do have a commercial wildcard
>> certificate (* that should cover the IPA
>> server itself (  I used the -external-CA
>> option when running the setup and so a CSR was generated.  Since
>> we have a wildcard cert, I wasn't sure if I really need to submit
>> the CSR to our PKI vendor.  At the same time, it's not clear to me
>> through searching documents how I would extend the CA chain.  Do I
>> need to submit that CSR or is there a way for me to do this on my
>> own?
>Welcome to FreeIPA :)
>If you have a relationship with a Certificate Authority willing to
>sign an intermediate CA certificate for you, then you can use the
>--external-ca option, submit the generated CSR to your CA and once
>you receive your signed CA certificate, continue ipa-server-install.
>For a publicly-trusted intermediate CA cert, you are probably
>looking at $10,000s or $100,000s in fees, infrastructure and
>compliance costs to achieve this.  Public CAs much prefer to keep
>you coming back to them for publicly trusted certificates :)
>If you already have some internal CA for your organisation, you can
>use it to sign the CSR.
>Otherwise, you can install FreeIPA with its own root CA (this is the
>> Any assistance is much appreciated.
>> Sean
>> -- 
>> Manage your subscription for the Freeipa-users mailing list:
>> Go to for more info on the project
