On 10/20/2016 05:05 AM, beeth beeth wrote:
First of all, thanks for the quick response Florence!
I have a question about your suggested steps [1] and [2]:
For [1], "ipa-cacert-manage install cert.pem": which certificate is this?
Is it the ChainBundle cert (root cert + intermediate cert)?
For [2], "ipa-server-certinstall -d /path/to/pkcs12.p12": which
certificate is this pkcs12.p12? Is it the server cert?
Here's exactly what I ran initially to install the IPA server with the
Verisign certs, following your suggestion last time (Admin manual 2.3.6,
Installing Without a CA), and it worked well:
# ipa-server-install --http-cert-file ServerCertificate.crt \
    --http-cert-file ipaserver1.encrypted.key --http-pin MYipakey \
    --dirsrv-cert-file ServerCertificate.crt \
    --dirsrv-cert-file ipaserver1.encrypted.key --dirsrv-pin MYipakey \
    --ca-cert-file ChainBundle2.crt
So, basically the installation requested 3 items: the server key
(ipaserver1.encrypted.key), the server certificate from Verisign
(ServerCertificate.crt), and the "root+intermediate" certs from Verisign
(ChainBundle2.crt).
Now let's say the Verisign certificate expires, and I want to replace the
certs with ones from GoDaddy (another public cert provider). I assume a new
set of certs, including the new key, the new server cert, and the new chain
cert (root+intermediate), 3 items in total, will need to be included in the
commands for the third-party certificate replacement.
Steps [1] and [2] only show two inputs, so I am not sure what I have
been missing.
Hi,
Sorry if I was not clear enough. The first step (ipa-cacert-manage
install) aims at adding the CA certificate, so the root+intermediate
certs should be provided.
The step with ipa-server-certinstall configures the server cert (-d if
you want to replace the LDAP cert, -w for the HTTP cert), meaning that the
Server-Cert and key should be provided. The man page details all the
supported formats, and it is possible to provide multiple files.
Hope this clarifies,
Flo.
Please advise the detail. Thanks again!
Beeth
On Wed, Oct 19, 2016 at 11:49 AM, Florence Blanc-Renaud <[email protected]
<mailto:[email protected]>> wrote:
On 10/19/2016 05:23 PM, beeth beeth wrote:
I once asked about installing IPA servers with a certificate provided by a
third party like Verisign
(https://www.redhat.com/archives/freeipa-users/2016-September/msg00440.html).
Florence, Rob and Jakub from Red Hat had been very helpful, and pointed
out the solution at
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-ca,
about "Installing Without a CA", and it worked great!
Now another problem came up: the Verisign (or any other) certificate will
expire in a year or two. How can I smoothly renew the Verisign certificate
on the primary and replica IPA servers a year from now? Or if we decide to
use another provider, say a GoDaddy certificate, how can I replace the
existing certificate on both IPA servers? I found a relevant instruction at
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#auto-cert-renewal,
but that's about the "Dogtag" CA certificate, not about the third-party
certificate I am using in our upcoming production environment (running
IPA 4.2 on RHEL7).
Hi,
If you plan to use another CA (for instance switching from Verisign to
GoDaddy), you will first need to install the new CA certificate with
ipa-cacert-manage install and ipa-certupdate. The instructions are
in 30.4 Manual CA Certificate Installation [1].
Then, if you want to change the HTTP and LDAP certificates for your
server, you can use the ipa-server-certinstall utility [2].
[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#manual-cert-install
[2] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#Configuring_Certificates_and_Certificate_Authorities
Hope this helps,
Flo.
Please advise. Thank you!
Beeth
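The two-step replacement Florence describes, wrapped in pre-flight checks that a practitioner would want before touching a production server: verifying that the new server cert actually chains to the bundle going into step [1], and that the key belongs to the cert going into step [2]. This is an added example, not the project's own code or anything posted in the thread; the file names (chain.pem, server.crt, server.key) and the --pin option of ipa-server-certinstall are assumptions, and the sample PKI is constructed throwaway material.

```shell
#!/bin/sh
# Pre-flight checks for replacing a third-party HTTP/LDAP certificate on a
# FreeIPA server, followed by the two steps from the thread.  Added example,
# not the project's code.  File names (chain.pem, server.crt, server.key)
# and the --pin flag of ipa-server-certinstall are assumptions.
set -eu

# check_chain CHAIN SERVERCERT: succeeds if the server cert verifies against
# the root+intermediate bundle that step [1] will install.
check_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# check_keypair SERVERCERT KEY PIN: succeeds if the (possibly encrypted)
# private key belongs to the certificate, comparing public-key digests.
check_keypair() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
  k=$(openssl pkey -in "$2" -passin "pass:$3" -pubout 2>/dev/null | openssl dgst -sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# replace_certs CHAIN SERVERCERT KEY PIN: run on every IPA server (each with
# its own server cert) once the checks pass; the ipa-* tools need root.
replace_certs() {
  check_chain "$1" "$2"        || { echo "cert does not chain to $1" >&2; return 1; }
  check_keypair "$2" "$3" "$4" || { echo "key does not match $2" >&2; return 1; }
  ipa-cacert-manage install "$1"   # step [1]: new CA bundle (root+intermediate)
  ipa-certupdate                   # push the new CA into this host's trust stores
  ipa-server-certinstall -d -w --pin "$4" "$2" "$3"   # step [2]: LDAP (-d) and HTTP (-w)
}

# make_sample_pki DIR: constructed throwaway root CA and server cert for a
# dry run of the checks; not real CA material.
make_sample_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=SampleRoot \
    -keyout "$1/ca.key" -out "$1/chain.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj /CN=ipa.example.test \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$1/server.csr" -CA "$1/chain.pem" \
    -CAkey "$1/ca.key" -CAcreateserial -out "$1/server.crt" 2>/dev/null
}
```

Only the checks can be exercised off an IPA server; replace_certs is the part you would run, as root, on the primary and then on each replica with that replica's own cert and key.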
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project