Thanks for the quick response Florence! My goal is the use a 3rd party certificate(such as Verisign cert) for Web UI(company security requirement), in fact we are not required to use 3rd party certificate for the LDAP server, but as I mentioned earlier, I couldn't make the new Verisign cert to work with the Web UI, without messing up the IPA function(after I updated the nss.conf to use the new cert in the /etc/httpd/alias db, the ipa_client_install failed). So I tried to follow the Redhat instruction, to see if I can get the Verisign cert installed at the most beginning, without using FreeIPA's own/default certificate), but I got the CSR question.
I did install IPA without a CA, by following the instruction at https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP, but failed to restart HTTPD. When and how can I provide the 3rd-party certificate? Could you please point me a document about the detail? Thanks again! On Thu, Sep 29, 2016 at 5:25 AM, Florence Blanc-Renaud <f...@redhat.com> wrote: > Hi, > > The instructions that you followed are used when you want to install > FreeIPA with an embedded Certificate Authority (ie FreeIPA is able to issue > certificates), and FreeIPA CA is signed by a 3rd party CA. > > Maybe your goal is just to use a 3rd party certificate for IPA's LDAP > server and Web UI. In this case, you do not need to install FreeIPA with an > embedded CA. You can follow the instructions for Installing without a CA > , where you will need to provide a 3rd-part certificate. > > Hope this clarifies, > Flo. > >  https://access.redhat.com/documentation/en-US/Red_Hat_Enterp > rise_Linux/7/html/Linux_Domain_Identity_Authentication_and_ > Policy_Guide/install-server.html#install-server-without-ca > > > > On 09/29/2016 11:03 AM, beeth beeth wrote: > >> I am trying to set up IPA servers with Verisign certificate, so that the >> Admin Web console can use public signed certificate to meet company's >> security requirement. But when I try to follow Red Hat's instructions at >> https://access.redhat.com/documentation/en-US/Red_Hat_Enterp >> rise_Linux/7/html/Linux_Domain_Identity_Authentication_and_ >> Policy_Guide/install-server.html#install-server-external-ca, >> >> 2.3.5. Installing a Server with an External CA as the Root CA, >> at the first step it says to generate CSR by adding the --external-ca >> option to the ipa-server-install utility, which does generate a CRS at >> /root/ipa.csr. However, the ipa-server-install command in fact doesn't >> ask for Distinguished Name (DN) or the organization info(like country, >> state, etc.), which are required in the CSR. Without a valid CSR file, I >> can't request for new Verisign certs. Did I miss something? >> >> Originally I once tried to change the default certificate for Apache(the >> Web Admin console) ONLY to the Verisign one, by adding the certificates >> to the /etc/httpd/alias database with the command: >> # ipa-server-certinstall -w --http_pin=test verisign.pk12 >> And updated the nss.conf for httpd, so that the new Nickname is used to >> point to the Verisign certs. That worked well for the website. However, >> the IPA client installation failed after that for the >> "ipa-client-install": >> >> ERROR Joining realm failed: libcurl failed to execute the HTTP POST >> transaction, explaining: Peer's certificate issuer has been marked as >> not trusted by the user. >> >> Even I tried to also update the certificate for the Directory >> service(ipa-server-certinstall -d ... ), the client installation still >> failed. I believe the new Verisign cert messed up the communication of >> the IPA components. Then I am thinking to install the IPA server from >> scratch with the Verisign cert, but then I hit the CSR problem described >> above. >> >> Please advise. Thanks! >> >> >> >
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project