Not sure if I should start a new thread for this, but... I am now trying to follow the instructions given in this thread: https://www.redhat.com/archives/freeipa-users/2014-August/msg00338.html. I think this configuration should work well with our deployment strategy.
I feel like I am following the steps exactly but always end up with "full certificate chain is not present in /etc/ipa/pki/example.org.p12² during ipa-server-install. Have others followed this process more recently? I am wondering if there might have been any changes so that these steps no longer work, or possibly there is an easier way to do this now. I am running version: ipa-server-4.1.0-18.el7.centos.4.x86_64. On 11/1/15, 10:40 PM, "Fraser Tweedale" <ftwee...@redhat.com> wrote: >On Mon, Nov 02, 2015 at 01:29:48AM +0000, Sean Conley - US wrote: >> Hello, >> >> I am new to FreeIPA and am attempting to stand up my first >> operational instance. We do have a commercial wildcard >> certificate (*.internal.example.org) that should cover the IPA >> server itself (ipa.internal.example.org). I used the -external-CA >> option when running the setup and so a CSR was generated. Since >> we have a wildcard cert, I wasn't sure if I really need to submit >> the CSR to our PKI vendor. At the same time, it's not clear to me >> through searching documents how I would extend the CA chain. Do I >> need to submit that CSR or is there a way for me to do this on my >> own? >> >Welcome to FreeIPA :) > >If you have a relationship with a Certificate Authority willing to >sign an intermediate CA certificate for you, then you can use the >--external-ca option, submit the generate CSR to your CA and once >you receive your signed CA certificate, continue ipa-server-install. > >For a publicly-trusted intermediate CA cert, you are probably >looking at $10,000s or $100,000s in fees, infrastructure and >compliance costs to achieve this. Public CAs much prefer to keep >you coming back to them for publicly trusted certificates :) > >If you already have some internal CA for your organisation, you can >use it to sign the CSR. > >Otherwise, you can install FreeIPA with its own root CA (this is the >default). > >HTH, >Fraser > >> Any assistance is much appreciated. >> >> Sean >> > >> -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go to http://freeipa.org for more info on the project > -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project