On 18/01/2016 08:06, Martin Kosek wrote:
I am hoping that this is well explained here:


Some useful notes are also Dmitri Pal's blog post:

Thanks for the docs.

I'm trying to get my head around this... if I have a working CA-ful FreeIPA setup and then install 3rd party SSL certificates for HTTP/LDAP only (including 3 root CA certs from the chain) - does this replace original self-signed CA that FreeIPA generated (and becomes External CA install) or does CA stay untouched and I can still take advantage of all the goodies that come with CA-ful install like automatic certificates renewals (apart from HTTP/LDAP ones)?

Or does this became a multi CA install?

BTW, I can see that the root certificates are getting added to /etc/ipa/ca.crt.

I'm also thinking ahead, when it comes to renewing certificates when they
expire in 1 year time, which install type would cause less problems?

In CA-ful installation, client certificates or FreeIPA CA subsystem
certificates should just renew automatically. In CA-less, you need to take care
to renew them manually with your 3rd party certificate provider.

So in my CA-ful install with 3rd party SSL certificate installed, how would the renewal look?

I understand that I would have to install new HTTP/LDAP certificates manually as they were signed by external CA, but would all certificates issued by FreeIPA CA still renew automatically?

I've failed to find any useful info covering the above points, so if you know
anything, please just let me know.

I think the important point is that even if you choose to install with CA-less
for now, you can switch to CA-ful later via ipa-ca-install:


Thank you, your help is much appreciated!

Kind regards,
 Peter Pakos

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to