[Freeipa-users] FreeIPA vs DogTag CA

2016-08-10 Thread Kamal Perera
Dear all,

Seeking your kind advice.

If the requirement is for having a scalable corporate CA only, is it
possible to get this requirement fulfilled with DogTag only, or install
FreeIPA and use the CA functionality only?

What are the functional differences and support limitations?

Thanks
Kaamel
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] Revocation of Issuing CA certificates

2015-05-06 Thread Kamal Perera
Dear All,


How is the revocation of issuing CA certificates handled? We are using
OCSP responders for revocation checking of certificates issued by the
Issuing CAs. So do we have to set up another OCSP or CRL distribution point
to let the applications query for the revocation of issuing CA
certificates?

Regards,
Kamal

Re: [Freeipa-users] How to renew an expired admin certificate

2015-05-06 Thread Kamal Perera
Thanks I will check.

On Tue, Apr 28, 2015 at 12:26 PM, Niranjan M.R mrniran...@redhat.com
wrote:

 On 04/28/2015 11:20 AM, Kamal Perera wrote:
  Dear All,

  I'm in the process of regaining one of the old CA systems which was not
  being used for a long time.

  In the root CA, administrator certificate is expired and cannot access
  the agent interface. In order to renew it, I would need the access to the
  agent interface.

 Could you roll back the system date and try?

  Please help me to proceed with the login in to the agent interface.

  Regards,
  Kamal

 --
 Niranjan
 irc: mrniranjan

[Freeipa-users] How to renew an expired admin certificate

2015-04-27 Thread Kamal Perera
Dear All,

I'm in the process of regaining one of the old CA systems which was not
being used for a long time.

In the root CA, administrator certificate is expired and cannot access the
agent interface. In order to renew it, I would need the access to the agent
interface.

Please help me to proceed with the login in to the agent interface.

Regards,
Kamal

Re: [Freeipa-users] Urgent Help Needed - CA subsystem certificate renewal

2014-11-15 Thread Kamal Perera
Dear Martin,

Thanks. I will check and update the list.

On Fri, Nov 14, 2014 at 4:58 PM, Martin Kosek mko...@redhat.com wrote:

 You need to get all certificates in

 # getcert list

 renewed. With FreeIPA 3.0+ the certificates should be already properly
 tracked, AFAIR.

 Was the uid=ipara,ou=People,o=ipaca entry (as described in
 http://www.freeipa.org/page/IPA_2x_Certificate_Renewal) properly updated
 with a serial pointing to the new certificate?

 Maybe this is the reason why old RA certificate is loaded.

 If you are using RHEL/CentOS, I would also recommend updating ipa,
 certmonger and selinux-policy to the 6.6 version as there were several
 related fixes.

 Martin

 On 11/14/2014 11:56 AM, Kamal Perera wrote:

 Hi Martin,

 Thanks for the reply.

 It's FreeIPA 3.

 Actually my issue was, all my subsystem certificates were expired two days
 back. So it wasn't possible to get the requests signed and approved by the
 CA as the web interface is inaccessible.

 But after several attempts, I got it done by changing the date back to a
 valid time. Now I have reverted back and everything is fine except this.

 Now the RA and OCSPs are not communicating with the CA.

 I guess it's because the CA's subsystem certificate is expired. So do I
 have to reissue all the subsystem certificates in RA and OCSP?

 Any thoughts?

 Thanks

 On Fri, Nov 14, 2014 at 3:50 PM, Martin Kosek mko...@redhat.com wrote:

 On 11/14/2014 08:02 AM, pki tech wrote:

 Dear All,

 In our Issuing CA, all the subsystem certificates are expired except the
 caSigningCert.

 I can generate the new certificate requests via certutil, but how can I
 get them signed?

 Your swift response is appreciated.

 Regards,
 Kamal


 What IPA version did you use? We have a related howto article on
 FreeIPA.org wiki with instructions what to do when PKI subsystem
 certificates expire:

 http://www.freeipa.org/page/IPA_2x_Certificate_Renewal

 Also CCing Jan who owns the PKI knowledge.

 Martin




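A check for the situation in this thread, added here as an example and not part of the original messages: it parses `getcert list` output and reports tracked certificates that are expired, close to expiry, or not in the MONITORING state. The sample output, the 28-day threshold and the function names are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout certmonger's `getcert list` prints;
# request IDs, subjects and dates are made up, and real output has more fields.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20130101000001':
\tstatus: MONITORING
\tsubject: CN=CA Audit,O=EXAMPLE.TEST
\texpires: 2014-11-12 08:00:00 UTC
Request ID '20130101000002':
\tstatus: CA_UNREACHABLE
\tsubject: CN=IPA RA,O=EXAMPLE.TEST
\texpires: 2014-12-01 08:00:00 UTC
Request ID '20130101000003':
\tstatus: MONITORING
\tsubject: CN=Certificate Authority,O=EXAMPLE.TEST
\texpires: 2032-11-01 08:00:00 UTC
"""

def parse_getcert(text):
    """Split `getcert list` output into one dict per tracking request."""
    requests = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            requests.append({"id": m.group(1)})
        elif requests and ": " in line:
            key, _, value = line.strip().partition(": ")
            requests[-1][key] = value
    return requests

def needs_attention(text, now, warn_days=28):  # 28 days is an assumed threshold
    """Return (id, subject, reasons) per request needing action; `now` is naive UTC."""
    findings = []
    for req in parse_getcert(text):
        reasons = []
        if req.get("status") != "MONITORING":
            reasons.append("status " + req.get("status", "unknown"))
        if "expires" in req:
            expires = datetime.strptime(req["expires"].replace(" UTC", ""),
                                        "%Y-%m-%d %H:%M:%S")
            if expires <= now:
                reasons.append("expired")
            elif expires - now <= timedelta(days=warn_days):
                reasons.append(f"expires within {warn_days} days")
        if reasons:
            findings.append((req["id"], req.get("subject"), reasons))
    return findings
```

On a real host the text would come from running `getcert list` as root; run on a schedule, the check flags subsystem certificates before they lapse.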

Re: [Freeipa-users] Urgent Help Needed - CA subsystem certificate renewal

2014-11-14 Thread Kamal Perera
Hi Martin,

Thanks for the reply.

It's FreeIPA 3.

Actually my issue was, all my subsystem certificates were expired two days
back. So it wasn't possible to get the requests signed and approved by the
CA as the web interface is inaccessible.

But after several attempts, I got it done by changing the date back to a
valid time. Now I have reverted back and everything is fine except this.

Now the RA and OCSPs are not communicating with the CA.

I guess it's because the CA's subsystem certificate is expired. So do I have
to reissue all the subsystem certificates in RA and OCSP?

Any thoughts?

Thanks

On Fri, Nov 14, 2014 at 3:50 PM, Martin Kosek mko...@redhat.com wrote:

 On 11/14/2014 08:02 AM, pki tech wrote:

 Dear All,

 In our Issuing CA, all the subsystem certificates are expired except the
 caSigningCert.

 I can generate the new certificate requests via certutil, but how can I
 get them signed?

 Your swift response is appreciated.

 Regards,
 Kamal


 What IPA version did you use? We have a related howto article on
 FreeIPA.org wiki with instructions what to do when PKI subsystem
 certificates expire:

 http://www.freeipa.org/page/IPA_2x_Certificate_Renewal

 Also CCing Jan who owns the PKI knowledge.

 Martin
