First of all, thanks for the quick response Florence! I have question about your suggested step  and : For , "ipa-cacert-manage install cert.pem". Which certificate is this? Is it the ChainBundle cert(root cert + intermediate cert)? For , "ipa-server-certinstall -d /path/to/pkcs12.p12" . Which certificate is this pkcs12.p12? Is it the Server cert?
Here's exactly what I ran initially to install the IPA server with the Verisign certs, by following your suggestion last time(at the Admin manual 2.3.6. Installing Without a CA), and it worked well: # ipa-server-install --http-cert-file ServerCertificate.crt --http-cert-file ipaserver1.encrypted.key --http-pin MYipakey --dirsrv-cert-file ServerCertificate.crt --dirsrv-cert-file ipaserver1.encrypted.key --dirsrv-pin MYipakey --ca-cert-file ChainBundle2.crt So, basically the installation requested 3 items: the server key(ipaserver1.encrypted.key), the server certificate from Verisign(ServerCertificate.crt), and the "root+intermediate" certs from Verisign(ChainBundle2.crt). Now let's say such Verisign certificate expires, and I want to replace the certs from GoDaddy(another public cert provider), I assume a new set of certs, including the new key, the new server cert, and the new Chain cert(root+intermediate), total 3 items, will need to be included in the commands for the third party certificate replacement. The steps  and  only show two inputs, so I am not sure what I have been missing. Please advise the detail. Thanks again! Beeth On Wed, Oct 19, 2016 at 11:49 AM, Florence Blanc-Renaud <f...@redhat.com> wrote: > On 10/19/2016 05:23 PM, beeth beeth wrote: > >> I once asked about Install IPA servers with certificate provided by >> third-party like >> Verisign(https://www.redhat.com/archives/freeipa-users/2016- >> September/msg00440.html >> <https://www.redhat.com/archives/freeipa-users/2016-Septembe >> r/msg00440.html>). >> Florence, Rob and Jakub from Redhat had been very helpful, and pointed >> out the solution at >> https://access.redhat.com/documentation/en-US/Red_Hat_Enterp >> rise_Linux/7/html/Linux_Domain_Identity_Authentication_and_ >> Policy_Guide/install-server.html#install-server-without-ca >> <https://access.redhat.com/documentation/en-US/Red_Hat_Enter >> prise_Linux/7/html/Linux_Domain_Identity_Authentication_and_ >> Policy_Guide/install-server.html#install-server-without-ca>, >> about "Installing Without a CA", and it worked great! >> >> Now it came up another problem, is that the Verisign(or any other >> certificate) will expire in a year or two, how can I smoothly renew the >> Verisign certificate on the primary and replica IPA servers a year from >> now? Or if we decide to use another provider, say Godaddy certificate, >> how can I replace the existing certificate on both IPA servers? I found >> a relevant instruction at >> https://access.redhat.com/documentation/en-US/Red_Hat_Enterp >> rise_Linux/7/html-single/Linux_Domain_Identity_Authenti >> cation_and_Policy_Guide/index.html#auto-cert-renewal >> <https://access.redhat.com/documentation/en-US/Red_Hat_Enter >> prise_Linux/7/html-single/Linux_Domain_Identity_Authenti >> cation_and_Policy_Guide/index.html#auto-cert-renewal>, >> but that's about the "Dogtag" CA certificate, not about the third-party >> certificate I am using in our upcoming production environment(running >> IPA 4.2 on RHEL7). >> >> Hi, > > if you plan to use another CA (for instance switch from Verisign to > Godaddy), you will need first to install the new CA certificate with > ipa-cacert-manage install and ipa-certupdate. The instructions are in 30.4 > Manual CA Certificate Installation . > > Then, if you want to change the HTTP and LDAP certificates for your > server, you can use the ipa-server-certinstall utility . > >  https://access.redhat.com/documentation/en-US/Red_Hat_Enterp > rise_Linux/7/html-single/Linux_Domain_Identity_Authenti > cation_and_Policy_Guide/index.html#manual-cert-install > >  https://access.redhat.com/documentation/en-US/Red_Hat_Enterp > rise_Linux/7/html-single/Linux_Domain_Identity_Authenti > cation_and_Policy_Guide/index.html#Configuring_Certificates_ > and_Certificate_Authorities > > Hope this helps, > Flo. > > > Please advise. Thank you! >> Beeth >> > >
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project