Hi Florence, I previously tried option a) and failed(need to find out why later), but I was able to successfully reinstall the server and the client with option b), thanks a lot! So when it says "Installing Without a CA", it means without a "embeded CA"(the IPA's own CA), is that right?
Another main problem comes up for option b): now I am going to install the replica server(ipa2), if I do the same as I did before: [root@ipa1 ~]# ipa-replica-prepare ipa2.example.com copy the gpg file from ipa1 to ipa2 [root@ipa2 ~]# ipa-replica-install /var/lib/ipa/replica-info-ipa2.example.com.gpg Then I believe the Apache on ipa2(the replica server) will use the Verisign certificate with the same hostname(DN): ipa1.example.com, NOT ipa2.example.com, hence the users who visit https://ipa2.example.com will experience security warning from the browser, as expected... What could be a solution for this? Thanks again! On Thu, Sep 29, 2016 at 6:03 AM, Florence Blanc-Renaud <f...@redhat.com> wrote: > On 09/29/2016 11:43 AM, beeth beeth wrote: > >> Thanks for the quick response Florence! >> >> My goal is the use a 3rd party certificate(such as Verisign cert) for >> Web UI(company security requirement), in fact we are not required to use >> 3rd party certificate for the LDAP server, but as I mentioned earlier, I >> couldn't make the new Verisign cert to work with the Web UI, without >> messing up the IPA function(after I updated the nss.conf to use the new >> cert in the /etc/httpd/alias db, the ipa_client_install failed). So I >> tried to follow the Redhat instruction, to see if I can get the Verisign >> cert installed at the most beginning, without using FreeIPA's >> own/default certificate), but I got the CSR question. >> >> I did install IPA without a CA, by following the instruction at >> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP, >> but failed to restart HTTPD. When and how can I provide the 3rd-party >> certificate? Could you please point me a document about the detail? >> > Hi, > > you need first to clarify if you want FreeIPA to act as a CA or not. The > setup will depend on this choice. > > - option a) FreeIPA with an embedded CA: > you can install FreeIPA with a self-signed CA, then follow the > instructions at https://www.freeipa.org/page/U > sing_3rd_part_certificates_for_HTTP/LDAP in order to replace the WebUI > certificate. Please note that there were some bugs in > ipa-server-certinstall, preventing httpd from starting (Ticket #4786 ). > The workaround is to manually update nss.conf (as you did) and manually > import the CA certificate into /etc/pki/pki-tomcat/alias, for instance with > $ certutil -A -d /etc/pki/pki-tomcat/alias -i cacert.pem -n nickname -t C,, > > > - option b) Free IPA without CA > the installation instructions are in Installing without a CA . You will > provide the certificate that will be used by both the LDAP server and the > WebUI in the command options. > > HTH, > Flo. > >  https://fedorahosted.org/freeipa/ticket/4786 >  https://access.redhat.com/documentation/en-US/Red_Hat_Enterp > rise_Linux/7/html/Linux_Domain_Identity_Authentication_and_ > Policy_Guide/install-server.html#install-server-without-ca >
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project