Sean Conley - US wrote:
> Sorry for the redundancy but I thought it would be better to start a new
> thread since I am really asking a different question at this point.
>
> We are trying to stand up an IPA instance using real certs (wildcard)
> for our domain, so that external users get a valid cert when coming to
> the https UI. I am trying to follow the steps given in this
> thread:
> https://www.redhat.com/archives/freeipa-users/2014-August/msg00338.html.
> It seems no matter what I do, I end up with: full certificate chain is
> not present in /etc/ipa/pki/example.org.p12. Has this process been
> documented more completely anywhere? Is this still a valid process?
>
> I know that there is now an external-ca option to ipa-server-install,
> but I have questions about the CSR process from my CA and they are not
> being very responsive. I have also been told that this option would
> require a reseller arrangement potentially costing a lot of money. We
> don't want to be in the CA business; we just want our external users to
> be able to securely access IPA.
>
> Thanks again in advance for any assistance.

I think you misunderstand what the external-ca option does. This generates a CSR that you hand off to an external CA which issues a subordinate CA certificate. This isn't what you want AFAICT.

Start reading here
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-ca-options.html
and it sounds like this is the configuration you want:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-ca-less.html#install-ca-less

rob
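
One way to see which issuer certificates are absent from a PKCS#12 bundle like the one named in the error quoted above. This is an added example, not part of the thread and not FreeIPA's own check; the function name `p12_missing_issuers` is hypothetical, and it compares issuer and subject names only, without verifying signatures.

```shell
# Added example (not FreeIPA code). p12_missing_issuers is a hypothetical name.
# Usage: p12_missing_issuers /path/to/bundle.p12 'password'
# Prints every issuer DN that has no matching subject DN in the bundle.
# Returns 0 when each certificate's issuer is present (ending in a
# self-signed root), 1 when an issuer is missing, 2 when the file is unreadable.
# Names are compared as strings; signatures are not verified.
p12_missing_issuers() {
    local p12="$1" pass="$2" tmp f iss missing=0
    tmp=$(mktemp -d) || return 2

    # Export the certificates only (no private key) as concatenated PEM.
    if ! openssl pkcs12 -in "$p12" -nokeys -passin "pass:$pass" \
            > "$tmp/all.pem" 2>/dev/null; then
        rm -rf "$tmp"
        return 2
    fi

    # Split the dump into one file per certificate.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n { print > (d "/cert" n ".pem") }' "$tmp/all.pem"
    if ! ls "$tmp"/cert*.pem > /dev/null 2>&1; then
        rm -rf "$tmp"
        return 2
    fi

    # Collect the subject DN of every certificate in the bundle.
    for f in "$tmp"/cert*.pem; do
        openssl x509 -in "$f" -noout -subject -nameopt RFC2253
    done | sed 's/^subject= *//' > "$tmp/subjects"

    # Every issuer DN must also appear as a subject DN in the same bundle.
    for f in "$tmp"/cert*.pem; do
        iss=$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253 |
              sed 's/^issuer= *//')
        if ! grep -Fxq -- "$iss" "$tmp/subjects"; then
            echo "$iss"
            missing=1
        fi
    done

    rm -rf "$tmp"
    return "$missing"
}
```

Passing the password as `pass:` exposes it in the process list; on a shared host, change the `-passin` source to openssl's `env:` or `file:` form.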