On Thu, Jun 02, 2016 at 05:35:01PM -0400, [email protected] wrote:
> Sorry, let me back up a step. We need to implement hype
> everywhere. All our web services. And clients need to get
> keys&certs automatically whether through IPA or Puppet. These
> systems use IPA for everything but authentication (to keep most
> users off). I'm trying to wuss out the easiest way to make this
> happen smoothly.
>

Hi Bret,

You can use the IPA CA to sign service certificates. See
http://www.freeipa.org/page/Certmonger#Request_a_new_certificate.

IPA-enrolled machines already have the IPA certificate in their
trust store. If the clients are IPA-enrolled, everything should
Just Work, otherwise you can distribute the IPA CA certificate to
clients via Puppet** or whatever means you prefer.

** you will have to work out how, because I do not know Puppet :)

Cheers,
Fraser

> On Jun 2, 2016, 5:31 PM -0400, Rob Crittenden<[email protected]>, wrote:
> > Bret Wortman wrote:
> > > Is it possible to use our freeipa CA as a trusted CA to sign our
> > > internal SSL certificates? Our system runs on a private network and so
> > > using the usual trusted sources isn't an option. We've been using
> > > self-signed, but that adds some additional complications and we thought
> > > this might be a good solution.
> > >
> > > Is it possible, and, since most online guides defer to "submit the CSR
> > > to Verisign" or whomever, how would you go about producing one in this
> > > way?
> >
> > Not sure I understand the question. The IPA CA is also self-signed. For
> > enrolled systems though at least the CA is pre-distributed so maybe that
> > will help.
> >
> > rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
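
Added example, not part of the original thread or of FreeIPA's own code: the certmonger request Fraser's reply points to, wrapped so it can be previewed before it runs, plus a check that a certificate chains to the IPA CA. The host name, realm, file paths and the DRY_RUN switch are assumptions; the host must be IPA-enrolled and the HTTP service principal must already exist (`ipa service-add HTTP/<fqdn>`).

```shell
#!/bin/sh
# Assumed path: enrolled clients keep the IPA CA certificate here.
IPA_CA=/etc/ipa/ca.crt

# request_cert FQDN REALM [DIR]
# Asks certmonger for a key and an IPA-signed certificate for HTTP/FQDN.
# certmonger then tracks the certificate and renews it before expiry.
# With DRY_RUN=1 the command is printed instead of executed.
request_cert() {
    fqdn=$1 realm=$2 dir=${3:-/etc/pki/tls}
    # Accept only plain DNS-style names before building a command line.
    case $fqdn in
        ''|*[!A-Za-z0-9.-]*) echo "bad hostname: $fqdn" >&2; return 1 ;;
    esac
    case $realm in
        ''|*[!A-Za-z0-9.-]*) echo "bad realm: $realm" >&2; return 1 ;;
    esac
    set -- ipa-getcert request -w \
        -f "$dir/certs/$fqdn.crt" \
        -k "$dir/private/$fqdn.key" \
        -K "HTTP/$fqdn@$realm" \
        -D "$fqdn" \
        -N "CN=$fqdn"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# verify_with_ipa_ca CERT
# Succeeds only if CERT chains to the IPA CA. A client that is not enrolled
# needs a copy of ca.crt (for example pushed by Puppet) for this to pass.
verify_with_ipa_ca() {
    openssl verify -CAfile "$IPA_CA" "$1"
}

# Typical use on an enrolled web server (constructed names):
#   DRY_RUN=1 request_cert www.example.test EXAMPLE.TEST
#   request_cert www.example.test EXAMPLE.TEST
#   verify_with_ipa_ca /etc/pki/tls/certs/www.example.test.crt
```

`ipa-getcert list` shows the tracking request and its status once the certificate has been issued.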
