Cool. I'll give this a go in the morning.

Bret Wortman
http://wrapbuddies.co/

On Jun 2, 2016, 6:24 PM -0400, Fraser Tweedale <[email protected]>, wrote:
> On Thu, Jun 02, 2016 at 05:35:01PM -0400, [email protected] wrote:
> > Sorry, let me back up a step. We need to implement hype
> > everywhere. All our web services. And clients need to get
> > keys&certs automatically whether through IPA or Puppet. These
> > systems use IPA for everything but authentication (to keep most
> > users off). I'm trying to wuss out the easiest way to make this
> > happen smoothly.
> >
> Hi Bret,
>
> You can use the IPA CA to sign service certificates. See
> http://www.freeipa.org/page/Certmonger#Request_a_new_certificate.
>
> IPA-enrolled machines already have the IPA certificate in their
> trust store. If the clients are IPA-enrolled, everything should
> Just Work, otherwise you can distribute the IPA CA certificate to
> clients via Puppet** or whatever means you prefer.
>
> ** you will have to work out how, because I do not know Puppet :)
>
> Cheers,
> Fraser
>
> >
> > On Jun 2, 2016, 5:31 PM -0400, Rob Crittenden <[email protected]>, wrote:
> > > Bret Wortman wrote:
> > > > Is it possible to use our freeipa CA as a trusted CA to sign our
> > > > internal SSL certificates? Our system runs on a private network and so
> > > > using the usual trusted sources isn't an option. We've been using
> > > > self-signed, but that adds some additional complications and we thought
> > > > this might be a good solution.
> > > >
> > > > Is it possible, and, since most online guides defer to "submit the CSR
> > > > to Verisign" or whomever, how would you go about producing one in this
> > > > way?
> > >
> > > Not sure I understand the question. The IPA CA is also self-signed. For
> > > enrolled systems though at least the CA is pre-distributed so maybe that
> > > will help.
> > >
> > > rob
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
