On 18/01/2016 08:06, Martin Kosek wrote:
> I am hoping that this is well explained here:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-examples.html#install-ca-options
>
> Some useful notes are also in Dmitri Pal's blog post:
> http://rhelblog.redhat.com/2015/06/02/identity-management-and-certificates/

Thanks for the docs.

I'm trying to get my head around this... if I have a working CA-ful FreeIPA setup and then install 3rd party SSL certificates for HTTP/LDAP only (including 3 root CA certs from the chain), does this replace the original self-signed CA that FreeIPA generated (and become an External CA install), or does the CA stay untouched so that I can still take advantage of all the goodies that come with a CA-ful install, like automatic certificate renewals (apart from the HTTP/LDAP ones)?

Or does this become a multi-CA install?

BTW, I can see that the root certificates are getting added to /etc/ipa/ca.crt.

I'm also thinking ahead to renewing the certificates when they
expire in 1 year's time: which install type would cause fewer problems?

> In a CA-ful installation, client certificates or FreeIPA CA subsystem
> certificates should just renew automatically. In CA-less, you need to take care
> to renew them manually with your 3rd party certificate provider.

So in my CA-ful install with a 3rd party SSL certificate installed, how would the renewal look?

I understand that I would have to install new HTTP/LDAP certificates manually, as they were signed by an external CA, but would all certificates issued by the FreeIPA CA still renew automatically?

I've failed to find any useful info covering the above points, so if you know
anything, please just let me know.

> I think the important point is that even if you choose to install with CA-less
> for now, you can switch to CA-ful later via ipa-ca-install:
>
> http://www.freeipa.org/page/V4/CA-less_to_CA-full_conversion

Thank you, your help is much appreciated!

--
Kind regards,
 Peter Pakos

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
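As an added example (not code from the thread or from the FreeIPA project), the following POSIX shell script does the two checks the question above comes down to for one PEM server certificate, such as the HTTP or LDAP cert, against a PEM CA file or bundle such as /etc/ipa/ca.crt: which CA in the file issued it (a cert issued by the IPA CA is tracked and renewed by certmonger; one issued by an external CA must be renewed by hand), and whether it will still be valid N days from now. Because the thread notes that the external root certs get appended to /etc/ipa/ca.crt, the script prints the matching CA subject rather than a bare yes/no, so you can see whether the match was the IPA CA or one of the appended roots. The CA, the IPA-style HTTP cert and the third-party cert it uses are generated locally with openssl so it runs offline; all file names, DNs and validity periods are made up for the example.

```shell
#!/bin/sh
# Added example, not FreeIPA project code or anything posted in the thread.
# For one PEM server certificate and a PEM CA file or bundle, answer:
#   1. which CA in the file issued it (IPA CA => certmonger renews it;
#      external CA => renew by hand), and
#   2. whether it will still be valid N days from now.
# Sample certs are generated locally below; names and DNs are made up.
set -e

# Print the subject DN of every certificate in a PEM bundle, one per line,
# in the same textual form that `openssl x509 -issuer` uses for issuers.
bundle_subjects() {
    tmp=$(mktemp)
    while IFS= read -r line; do
        printf '%s\n' "$line" >> "$tmp"
        case "$line" in
            *"END CERTIFICATE"*)
                openssl x509 -in "$tmp" -noout -subject | sed 's/^subject=//'
                : > "$tmp" ;;
        esac
    done < "$1"
    rm -f "$tmp"
}

# Print the issuer DN of a certificate.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//'
}

# Exit 0 and print the matching CA subject if the cert's issuer is one of the
# CAs in the bundle; otherwise print nothing and exit 1.
issuing_ca_in() {
    issuer=$(cert_issuer "$1")
    bundle_subjects "$2" | grep -Fx -- "$issuer"
}

# Exit 0 if the cert is still valid N days from now, 1 if it expires first.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Human-readable report for one cert against one CA file or bundle.
report() {
    cert=$1; cafile=$2; days=$3
    if ca=$(issuing_ca_in "$cert" "$cafile"); then
        echo "$cert: issued by '$ca' (found in $cafile)"
    else
        echo "$cert: issuer '$(cert_issuer "$cert")' is not a CA in $cafile, renew manually"
    fi
    if valid_for_days "$cert" "$days"; then
        echo "  still valid $days days from now"
    else
        echo "  EXPIRES within $days days"
    fi
}

# --- constructed sample material (hypothetical names and DNs) --------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# A stand-in for the IPA CA, and a 30-day HTTP cert it signs.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -keyout "$WORK/ca.key" \
    -out "$WORK/ca.crt" -subj "/O=EXAMPLE.TEST/CN=Certificate Authority" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/http.key" -out "$WORK/http.csr" \
    -subj "/O=EXAMPLE.TEST/CN=ipa.example.test" 2>/dev/null
openssl x509 -req -days 30 -in "$WORK/http.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/http.crt" 2>/dev/null
# A self-signed stand-in for a third-party certificate, valid for 400 days.
openssl req -x509 -newkey rsa:2048 -nodes -days 400 -keyout "$WORK/ext.key" \
    -out "$WORK/ext.crt" -subj "/O=Third Party CA/CN=ipa.example.test" 2>/dev/null
# What /etc/ipa/ca.crt looks like once the external roots have been appended.
cat "$WORK/ca.crt" "$WORK/ext.crt" > "$WORK/bundle.crt"

report "$WORK/http.crt" "$WORK/ca.crt" 60
report "$WORK/ext.crt"  "$WORK/ca.crt" 60
report "$WORK/ext.crt"  "$WORK/bundle.crt" 365
```

Run it against the real files on a server (the HTTP and LDAP certs are whatever you installed, and /etc/ipa/ca.crt is the CA file) and read the printed CA subject: if it is the IPA CA, certmonger is responsible for renewal and `getcert list` should show a tracking request for that cert; if it is one of the appended third-party roots, the match only tells you the cert chains to a trusted CA, and renewal is your job.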