I personally haven't done this, but from https://www.freeipa.org/page/PKI
"when --external-ca option is used, ipa-server-install produces a
certificate request for its CA certificate so that it can be
properly chained in existing PKI infrastructure."
"First run ipa-server-install with --external-ca, which will create a CSR
for IPA CA certificate in /root/ipa.csr. Then sign the CSR with the
external CA to get the IPA CA certificate. Finally, run ipa-server-install
with --external_cert_file pointing to the IPA CA certificate and
--external_ca_file pointing to CA certificate of the external CA."
From that previous paragraph, it looks like the --external-ca option
doesn't actually install anything, just creates the correct CSR for the
domain you intend to create.
If you can create a temporary CentOS virtual machine you could run the
"ipa-server-install --external-ca" command and see what happens :)
Hope this helps,
On Wed, Jul 27, 2016 at 11:24 PM, William Muriithi <
> I want to use an external certificate when setting up a new FreeIPA
> next week and plan to send the CSR tomorrow.
> I would like to source a certificate for example.com and use it on
> FreeIPA on eng.example.com. I can't specifically set the FreeIPA on
> example.com because we have Active Directory on corp.example.com.
> Is there a way of using FreeIPA with such a setup? I am hoping that
> if I can set up FreeIPA using example.com, I will be able to generate
> certificates for both Windows and Linux plus others like
> vpn.example.com that don't sit well on either AD or FreeIPA domain.
> What's the best way to approach this? If not possible, would setting
> FreeIPA as a subdomain for Active Directory help?
> Manage your subscription for the Freeipa-users mailing list:
> Go to http://freeipa.org for more info on the project
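
Between signing the CSR and the final ipa-server-install run described in the quoted FreeIPA text, the returned certificate can be checked against the CSR and the external CA. The script below is an added example, not from this thread or the FreeIPA project; `check_ipa_ca_cert` is a hypothetical helper, the three file paths are supplied by the caller, and it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example: pre-flight checks on the signed IPA CA certificate.
# check_ipa_ca_cert is a hypothetical helper, not a FreeIPA tool.
# Usage: check_ipa_ca_cert CSR SIGNED_CERT EXTERNAL_CA_CERT

check_ipa_ca_cert() {
    csr=$1
    cert=$2
    ca=$3

    # 1. The certificate must carry the same public key as the CSR
    #    that ipa-server-install --external-ca produced.
    csr_key=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)
    crt_key=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    if [ -z "$csr_key" ] || [ "$csr_key" != "$crt_key" ]; then
        echo "public key in certificate does not match CSR" >&2
        return 1
    fi

    # 2. It must be a CA certificate (basicConstraints CA:TRUE);
    #    a leaf certificate cannot issue host or service certificates.
    if ! openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE'; then
        echo "certificate is not marked as a CA" >&2
        return 1
    fi

    # 3. It must verify against the external CA certificate that
    #    will be passed to the installer alongside it.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "certificate does not chain to the external CA" >&2
        return 1
    fi
    return 0
}

# Run the checks when the script is called with three file arguments.
if [ "$#" -eq 3 ]; then
    check_ipa_ca_cert "$@"
fi
```

If the external CA is itself an intermediate, the file given as the third argument needs to contain the full chain up to the root for the last check to pass.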