Re: [Freeipa-users] 3rd party certificate for WebUI only
On Wed, Jul 1, 2015 at 9:16 PM, Prashant Bapat prash...@apigee.com wrote:

> I had the exact same requirement. Since we're on AWS, I ended up putting an ELB in front of each of my IPA servers with a commercial cert for the web UI. The communication between the ELB and the IPA server is using the IPA CA cert.
>
> On 2 July 2015 at 07:03, Rob Crittenden rcrit...@redhat.com wrote:
>
>> Stephen Ingram wrote:
>>
>>> I set up IPA using the internal CA. I'd like to continue using this CA; however, I'd also like to allow authorized external browser users (who haven't imported our CA) to access the WebUI without receiving a warning. Is it possible to add a 3rd party certificate and CA such that it is only used for the WebUI, using the instructions at http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP?
>>>
>>> Steve
>>
>> In a word: yes. I'd recommend making a backup of /etc/httpd/alias and /etc/httpd/conf.d/nss.conf before doing this to make rolling back, if necessary, easier.

Just a follow-up to this. I did end up adding the cert to the WebUI only. However, I was too scared to use the ipa-server-certinstall command, especially since I'm still on 3.0, and really wasn't too sure what it was going to do. Instead, like Rob suggested (and this certainly was necessary), I backed up /etc/httpd/alias before I started. I then proceeded to do a cert request from the same NSS db that contains the IPA certs. I then inserted the signed cert using the certutil tool. I also inserted the CA cert from the 3rd party that actually signed the cert. Then a quick edit to nss.conf to change the governing certificate, a restart, and I was good to go. No problems so far. I think tools like sssd and ipa-client use the directory server and the Kerberos db more than they would use the web service, so hopefully no problems down the line. Hope this is of some help to others who might want to do this.

Steve

--
Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
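The procedure Steve describes (CSR from the httpd NSS database, import of the third-party CA and the signed cert with certutil, a new NSSNickname in nss.conf, restart), written out as an added example that is not part of the thread. The database path /etc/httpd/alias and nss.conf come from the thread; the password file pwdfile.txt, the nicknames, hostname and subject are assumptions or placeholders, and the certutil steps only run when the script is invoked with `csr` or `install`.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the FreeIPA httpd NSS db at
# /etc/httpd/alias (from the thread) and its password file pwdfile.txt
# (assumption); nicknames, hostname and subject below are placeholders.
set -eu

NSSDB=${NSSDB:-/etc/httpd/alias}
PWDFILE=${PWDFILE:-$NSSDB/pwdfile.txt}
NSSCONF=${NSSCONF:-/etc/httpd/conf.d/nss.conf}
HOST=${HOST:-ipa.example.test}          # placeholder FQDN of the IPA server
NEW_NICK=${NEW_NICK:-WebUI-Commercial}  # nickname for the third-party cert
CA_NICK=${CA_NICK:-Commercial-CA}       # nickname for the third-party CA

# Print the nickname nss.conf currently serves (FreeIPA's default: Server-Cert).
current_nss_nickname() {
    sed -n 's/^[[:space:]]*NSSNickname[[:space:]]\{1,\}//p' "$1" | head -n 1
}

# Back up nss.conf (Rob's advice) and switch NSSNickname to $2 in place,
# keeping the file's permissions; fails if the directive did not change.
set_nss_nickname() {
    cp -p "$1" "$1.bak.$(date +%Y%m%d%H%M%S)"
    sed "s/^\([[:space:]]*NSSNickname[[:space:]]\{1,\}\).*/\1$2/" "$1" > "$1.new"
    cat "$1.new" > "$1" && rm -f "$1.new"
    [ "$(current_nss_nickname "$1")" = "$2" ]
}

# Step 1: key + CSR generated in the same NSS db that holds the IPA certs.
make_csr() {
    certutil -R -d "$NSSDB" -f "$PWDFILE" -g 2048 -a -o "/tmp/$HOST.csr" \
        -s "CN=$HOST,O=Example Org" -8 "$HOST"   # -8 puts the FQDN in the SAN
}

# Step 2: once the CA has signed the CSR, import the CA cert (trusted to issue
# server certs: "CT,,") and the signed cert (no extra trust: ",,"), verify it
# as an SSL server cert, point nss.conf at it and restart httpd.
install_signed() {   # $1 = CA cert PEM, $2 = signed server cert PEM
    certutil -A -d "$NSSDB" -f "$PWDFILE" -n "$CA_NICK" -t "CT,," -a -i "$1"
    certutil -A -d "$NSSDB" -f "$PWDFILE" -n "$NEW_NICK" -t ",," -a -i "$2"
    certutil -V -d "$NSSDB" -n "$NEW_NICK" -u V
    set_nss_nickname "$NSSCONF" "$NEW_NICK"
    service httpd restart
}

case "${1:-}" in
    csr)     make_csr ;;
    install) install_signed "$2" "$3" ;;
esac
```

The IPA-issued Server-Cert stays in the database untouched, so reverting is the backed-up nss.conf plus a restart.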
Re: [Freeipa-users] 3rd party certificate for WebUI only
How smooth is the renewal process? If the webui cert expires, does it affect the core ipa functionality in any way? Also, when ipa does its own auto-renewal, does it leave the webui alone if set up this way?

On Wed, Jul 1, 2015 at 9:16 PM, Prashant Bapat prash...@apigee.com wrote:

> I had the exact same requirement. Since we're on AWS, I ended up putting an ELB in front of each of my IPA servers with a commercial cert for the web UI. The communication between the ELB and the IPA server is using the IPA CA cert.
>
> On 2 July 2015 at 07:03, Rob Crittenden rcrit...@redhat.com wrote:
>
>> Stephen Ingram wrote:
>>
>>> I set up IPA using the internal CA. I'd like to continue using this CA; however, I'd also like to allow authorized external browser users (who haven't imported our CA) to access the WebUI without receiving a warning. Is it possible to add a 3rd party certificate and CA such that it is only used for the WebUI, using the instructions at http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP?
>>>
>>> Steve
>>
>> In a word: yes. I'd recommend making a backup of /etc/httpd/alias and /etc/httpd/conf.d/nss.conf before doing this to make rolling back, if necessary, easier.
>>
>> rob
Re: [Freeipa-users] 3rd party certificate for WebUI only
Since the commercial cert is outside IPA, renewing that cert would not impact IPA at all.

On 2 July 2015 at 11:50, Prasun Gera prasun.g...@gmail.com wrote:

> How smooth is the renewal process? If the webui cert expires, does it affect the core ipa functionality in any way? Also, when ipa does its own auto-renewal, does it leave the webui alone if set up this way?
>
> On Wed, Jul 1, 2015 at 9:16 PM, Prashant Bapat prash...@apigee.com wrote:
>
>> I had the exact same requirement. Since we're on AWS, I ended up putting an ELB in front of each of my IPA servers with a commercial cert for the web UI. The communication between the ELB and the IPA server is using the IPA CA cert.
>>
>> On 2 July 2015 at 07:03, Rob Crittenden rcrit...@redhat.com wrote:
>>
>>> Stephen Ingram wrote:
>>>
>>>> I set up IPA using the internal CA. I'd like to continue using this CA; however, I'd also like to allow authorized external browser users (who haven't imported our CA) to access the WebUI without receiving a warning. Is it possible to add a 3rd party certificate and CA such that it is only used for the WebUI, using the instructions at http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP?
>>>>
>>>> Steve
>>>
>>> In a word: yes. I'd recommend making a backup of /etc/httpd/alias and /etc/httpd/conf.d/nss.conf before doing this to make rolling back, if necessary, easier.
>>>
>>> rob
Re: [Freeipa-users] 3rd party certificate for WebUI only
I had the exact same requirement. Since we're on AWS, I ended up putting an ELB in front of each of my IPA servers with a commercial cert for the web UI. The communication between the ELB and the IPA server is using the IPA CA cert.

On 2 July 2015 at 07:03, Rob Crittenden rcrit...@redhat.com wrote:

> Stephen Ingram wrote:
>
>> I set up IPA using the internal CA. I'd like to continue using this CA; however, I'd also like to allow authorized external browser users (who haven't imported our CA) to access the WebUI without receiving a warning. Is it possible to add a 3rd party certificate and CA such that it is only used for the WebUI, using the instructions at http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP?
>>
>> Steve
>
> In a word: yes. I'd recommend making a backup of /etc/httpd/alias and /etc/httpd/conf.d/nss.conf before doing this to make rolling back, if necessary, easier.
>
> rob
Re: [Freeipa-users] 3rd party certificate for WebUI only
Stephen Ingram wrote:

> I set up IPA using the internal CA. I'd like to continue using this CA; however, I'd also like to allow authorized external browser users (who haven't imported our CA) to access the WebUI without receiving a warning. Is it possible to add a 3rd party certificate and CA such that it is only used for the WebUI, using the instructions at http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP?
>
> Steve

In a word: yes. I'd recommend making a backup of /etc/httpd/alias and /etc/httpd/conf.d/nss.conf before doing this to make rolling back, if necessary, easier.

rob
[Freeipa-users] 3rd party certificate for WebUI only
I set up IPA using the internal CA. I'd like to continue using this CA; however, I'd also like to allow authorized external browser users (who haven't imported our CA) to access the WebUI without receiving a warning. Is it possible to add a 3rd party certificate and CA such that it is only used for the WebUI, using the instructions at http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP?

Steve