On Thu, Jun 02, 2016 at 05:35:01PM -0400, bret.wort...@damascusgrp.com wrote:
> Sorry, let me back up a step. We need to implement hype
> everywhere. All our web services. And clients need to get
> keys&certs automatically whether through IPA or Puppet. These
> systems use IPA for everything but authentication (to keep most
> users off). I'm trying to wuss out the easiest way to make this
> happen smoothly.
> 
Hi Bret,

You can use the IPA CA to sign service certificates.  See
http://www.freeipa.org/page/Certmonger#Request_a_new_certificate.

IPA-enrolled machines already have the IPA certificate in their
trust store.  If the clients are IPA-enrolled, everything should
Just Work, otherwise you can distribute the IPA CA certificate to
clients via Puppet** or whatever means you prefer.

** you will have to work out how, because I do not know Puppet :)

Cheers,
Fraser

> 
> 
> On Jun 2, 2016, 5:31 PM -0400, Rob Crittenden<rcrit...@redhat.com>, wrote:
> > Bret Wortman wrote:
> > > Is it possible to use our freeipa CA as a trusted CA to sign our
> > > internal SSL certificates? Our system runs on a private network and so
> > > using the usual trusted sources isn't an option. We've been using
> > > self-signed, but that adds some additional complications and we thought
> > > this might be a good solution.
> > > 
> > > Is it possible, and, since most online guides defer to "submit the CSR
> > > to Verisign" or whomever, how would you go about producing one in this 
> > > way?
> > 
> > Not sure I understand the question. The IPA CA is also self-signed. For
> > enrolled systems though at least the CA is pre-distributed so maybe that
> > will help.
> > 
> > rob
> > 

> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to