On 05/15/17 16:44, Rob Crittenden wrote:
> I'm confused. You mention replacing some "externally signed certificate"
> and yet then ask about switching to externally signed certificates. What is
> the current configuration? What is signing the existing server certs? Or
> do you have an external CA signing the IPA CA?

The current servers have been installed with --external-ca. freeipa
created a csr, it was signed by an external CA and handed off back
to the freeipa server.

The question was if I should drop the whole certificate support
in freeipa. It's called "CA-less install", if I got this correctly.
I am not sure if it is possible to switch from external-ca to

> ipa-cacert-manage is for managing the CA certificate, not service
> certificates.

Sure. Point is that I don't see how a problem on replacing freeipa's
(externally signed) CA certificate by a new one affects freeipa.

Sorry to say, but at install time I did not have the impression
that "ipa-server-install --external-ca" was thoroughly tested
before. I ran straight into a problem, but fortunately that didn't
matter, because freeipa was not in production use yet. (Look for
"ipa-server-install --external-ca failed" on this mailing list,
thread started 2015-12-15.)

Today it is in production use. If I brick freeipa today, then I
have a huge problem, so I am concerned.

