Thanks for the docs.

I'm trying to get my head around this... if I have a working CA-ful FreeIPA
setup and then install 3rd party SSL certificates for HTTP/LDAP only (including
3 root CA certs from the chain) - does this replace original self-signed CA
that FreeIPA generated (and becomes External CA install) or does CA stay
untouched and I can still take advantage of all the goodies that come with
CA-ful install like automatic certificates renewals (apart from HTTP/LDAP ones)?

Or does this become a multi CA install?

BTW, I can see that the root certificates are getting added to /etc/ipa/ca.crt.

You should be still able to benefit from all the goodies the CA-ful FreeIPA
has. As you noticed above, all root CA certs should be added to ca.crt (see
help for ipa-certupdate tool), it is used to update certs on server/client and
add the new CA certificates.

I'm also thinking ahead, when it comes to renewing certificates when they
expire in 1 year time, which install type would cause less problems?

In CA-ful installation, client certificates or FreeIPA CA subsystem
certificates should just renew automatically. In CA-less, you need to take care
to renew them manually with your 3rd party certificate provider.

So in my CA-ful install with 3rd party SSL certificate installed, how would the
renewal look?

All certificates issued by FreeIPA CA should be renewed automatically by
certmonger (if configured). External certificates need to be renewed
manually. Honza, does certmonger already warn about non-IPA certificates that
are getting close to expiration date or is this rather an RFE for future?

It's an RFE, covered by my "certmonger everywhere" proposal: <https://www.redhat.com/archives/freeipa-devel/2015-December/msg00475.html> (the part about uniform certmonger configuration).

I understand that I would have to install new HTTP/LDAP certificates manually
as they were signed by external CA, but would all certificates issued by
FreeIPA CA still renew automatically?

They should, yes.

I've failed to find any useful info covering the above points, so if you know
anything, please just let me know.

I think the important point is that even if you choose to install with CA-less
for now, you can switch to CA-ful later via ipa-ca-install:


Thank you, your help is much appreciated!

Jan Cholasta
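Since certmonger, as discussed above, does not yet warn about externally issued certificates nearing expiry, here is an added stand-alone checker (example code written for this thread, not FreeIPA or certmonger code). It reads just enough DER to pull the notAfter date out of each certificate in a PEM file; /etc/ipa/ca.crt is the default path because the thread mentions it, while the locations of the third-party HTTP/LDAP certificate files are deployment specific and are assumed to be passed on the command line.

```python
"""Report PEM certificates that expire within a given number of days.

Added example for the thread above, not FreeIPA or certmonger code. Needs only
the Python standard library; /etc/ipa/ca.crt is taken from the thread, other
paths (e.g. the externally issued HTTP/LDAP cert files) are given as arguments.
"""
import base64
import re
import sys
from datetime import datetime, timezone

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def not_after(der):
    """Return the notAfter field of a DER certificate as an aware UTC datetime."""
    _, cert, _ = _tlv(der, 0)  # Certificate SEQUENCE
    _, tbs, _ = _tlv(cert, 0)  # tbsCertificate SEQUENCE
    tag, _, pos = _tlv(tbs, 0)
    if tag != 0xA0:  # [0] EXPLICIT version is optional (absent in v1 certs)
        pos = 0
    for _ in range(3):  # skip serialNumber, signature AlgorithmIdentifier, issuer Name
        _, _, pos = _tlv(tbs, pos)
    _, validity, _ = _tlv(tbs, pos)  # Validity SEQUENCE { notBefore, notAfter }
    _, _, pos = _tlv(validity, 0)
    tag, when, _ = _tlv(validity, pos)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime vs GeneralizedTime
    return datetime.strptime(when.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def expiring(pem_bytes, within_days, now=None):
    """Return (index, notAfter, days_left) for each cert in a PEM bundle due within the window.
    Already expired certificates have negative days_left and are reported as well."""
    now = now or datetime.now(timezone.utc)
    hits = []
    for i, match in enumerate(PEM_RE.finditer(pem_bytes)):
        exp = not_after(base64.b64decode(b"".join(match.group(1).split())))
        days = (exp - now).days
        if days <= within_days:
            hits.append((i, exp, days))
    return hits

if __name__ == "__main__":
    for path in sys.argv[1:] or ["/etc/ipa/ca.crt"]:
        with open(path, "rb") as f:
            for i, exp, days in expiring(f.read(), 30):
                print(f"{path}: certificate #{i} expires {exp:%Y-%m-%d} ({days} days left)")
```

Running it from cron against the bundle and the external HTTP/LDAP certificate files gives the advance warning that the automatic renewal of IPA-issued certificates otherwise provides.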

