On Thu, Jun 02, 2016 at 05:35:01PM -0400, bret.wort...@damascusgrp.com wrote:
> Sorry, let me back up a step. We need to implement hype
> everywhere. All our web services. And clients need to get
> keys&certs automatically whether through IPA or Puppet. These
> systems use IPA for everything but authentication (to keep most
> users off). I'm trying to wuss out the easiest way to make this
> happen smoothly.
You can use the IPA CA to sign service certificates. See
IPA-enrolled machines already have the IPA certificate in their
trust store. If the clients are IPA-enrolled, everything should
Just Work, otherwise you can distribute the IPA CA certificate to
clients via Puppet** or whatever means you prefer.
** you will have to work out how, because I do not know Puppet :)
> On Jun 2, 2016, 5:31 PM -0400, Rob Crittenden<rcrit...@redhat.com>, wrote:
> > Bret Wortman wrote:
> > > Is it possible to use our freeipa CA as a trusted CA to sign our
> > > internal SSL certificates? Our system runs on a private network and so
> > > using the usual trusted sources isn't an option. We've been using
> > > self-signed, but that adds some additional complications and we thought
> > > this might be a good solution.
> > >
> > > Is it possible, and, since most online guides defer to "submit the CSR
> > > to Verisign" or whomever, how would you go about producing one in this
> > > way?
> > Not sure I understand the question. The IPA CA is also self-signed. For
> > enrolled systems though at least the CA is pre-distributed so maybe that
> > will help.
> > rob
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
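
Added example, not part of the original thread: a shell sketch of the trust relationship described in the reply above, showing why a client that lacks the CA certificate rejects a service certificate until the CA certificate is distributed to it. It assumes the openssl CLI is installed; the throwaway CAs ("ipa-ca" is only a stand-in for an IPA CA), the host name web.example.test and all function names are constructed for illustration, and nothing here talks to IPA or Puppet.

```shell
#!/bin/sh
# Constructed demo: throwaway CAs and made-up names; nothing here contacts IPA.
# Assumption: the openssl CLI is installed.

# new_ca DIR NAME: create a self-signed CA certificate and key.
new_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=EXAMPLE.TEST/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# issue_service_cert DIR CA HOST: the server makes a key and CSR, the CA signs the CSR.
issue_service_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/O=EXAMPLE.TEST/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.crt" 2>/dev/null
}

# client_trusts BUNDLE CERT: succeeds only if CERT chains to a CA listed in BUNDLE.
client_trusts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# demo: prints the client's verdict before and after it receives the CA certificate.
demo() {
    d=$(mktemp -d) || return 1
    new_ca "$d" ipa-ca && new_ca "$d" other-ca &&
        issue_service_cert "$d" ipa-ca web.example.test || { rm -rf "$d"; return 1; }

    # Client whose bundle holds some other CA, but not the one that signed.
    cp "$d/other-ca.crt" "$d/client-bundle.pem"
    if client_trusts "$d/client-bundle.pem" "$d/web.example.test.crt"; then
        before=trusted; else before=rejected; fi

    # Distribute the CA certificate (the step a config tool would perform), retry.
    cat "$d/ipa-ca.crt" >> "$d/client-bundle.pem"
    if client_trusts "$d/client-bundle.pem" "$d/web.example.test.crt"; then
        after=trusted; else after=rejected; fi

    rm -rf "$d"
    echo "before=$before after=$after"
}

demo
```

Only the CA certificate is copied to the client; the CA private key and the service private key never leave the hosts that generated them.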