Hello all!

We're looking at replacing a lot of our currently self-signed internal SSL
certificates in our infrastructure with certificates generated by the
FreeIPA CA.  However, I've run into something that I haven't been able to
find documented as of yet, and I'm hoping some of you can point me in the
right direction.  Some of our internal SSL sites are load-balanced between
multiple hosts, so we end up with the same SSL/Key installed to each host.
For example:

hostname.domain.com is hosted on hostA and hostB.

Both hostA and hostB have the certs at
/etc/httpd/certs/hostname.domain.com/hostname.crt, and the private key at
/etc/httpd/certs/hostname.domain.com/hostname.key

I would expect I can have both hostA and hostB be able to work with the
FreeIPA certificates by adding additional ipa host-add-managedby and ipa
service-add-host commands, to specify both hostA and hostB.  However, from
my understanding, running the "ipa-getcert request" command on hostA will
put the certs on hostA only, and I'd need the same certs on both hostA and
hostB.  Is there a special ipa-getcert incantation that can retrieve the
already-issued certificate files, and allow them to be managed by FreeIPA
on both hosts?  Or is there another recommended way of doing this?

Thanks for any info you can give me!

Jeremy Utley