Re: [Freeipa-users] Adding external CA
On 03/12/2015 12:48 PM, crony wrote:
> Thank you David, I'll check it out.
>
> 2015-03-12 12:36 GMT+01:00 David Kupka:
>
>> On 03/12/2015 10:37 AM, crony wrote:
>>
>>> Hi FreeIPA Users,
>>> I have a fresh new FreeIPA 4.1 on RHEL7.1 with a self-signed CA and I would
>>> like to change the self-signed CA to the external CA.
>>>
>>> Do you have any step-by-step document for doing it correctly on the 4.1 version?
>>>
>>> /lm
>>
>> Hello!
>>
>> I'm not aware of this being documented but fortunately this can be done in
>> 3 easy steps:
>>
>> 1. # ipa-cacert-manage renew --external-ca
>> 2. Let the CA of your choice sign the CRL produced in step 1.
>> 3. # ipa-cacert-manage renew --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate

Some documentation can be found in the RHEL guide:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/cas.html#change-cert-chaining

There is also an upstream design page:
http://www.freeipa.org/page/V4/CA_certificate_renewal

But in general, David was right. You would just need to do one more step if you had FreeIPA clients already enrolled - call ipa-certupdate on them.

Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Adding external CA
Thank you David, I'll check it out.

2015-03-12 12:36 GMT+01:00 David Kupka:

> On 03/12/2015 10:37 AM, crony wrote:
>
>> Hi FreeIPA Users,
>> I have a fresh new FreeIPA 4.1 on RHEL7.1 with a self-signed CA and I would
>> like to change the self-signed CA to the external CA.
>>
>> Do you have any step-by-step document for doing it correctly on the 4.1 version?
>>
>> /lm
>
> Hello!
>
> I'm not aware of this being documented but fortunately this can be done in
> 3 easy steps:
>
> 1. # ipa-cacert-manage renew --external-ca
> 2. Let the CA of your choice sign the CRL produced in step 1.
> 3. # ipa-cacert-manage renew --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate
>
> --
> David Kupka

--
Regards,
Leszek Miś
www: http://cronylab.pl
www: http://emerge.pl
Nothing is secure, paranoia is your friend.
Re: [Freeipa-users] Adding external CA
On 03/12/2015 10:37 AM, crony wrote:
> Hi FreeIPA Users,
> I have a fresh new FreeIPA 4.1 on RHEL7.1 with a self-signed CA and I would
> like to change the self-signed CA to the external CA.
>
> Do you have any step-by-step document for doing it correctly on the 4.1 version?
>
> /lm

Hello!

I'm not aware of this being documented but fortunately this can be done in 3 easy steps:

1. # ipa-cacert-manage renew --external-ca
2. Let the CA of your choice sign the CRL produced in step 1.
3. # ipa-cacert-manage renew --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate

--
David Kupka
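
A pre-import check for step 3 of the procedure above, as an added example that is not part of the thread and not FreeIPA's own tooling: before passing the files to `--external-cert-file`, confirm with `openssl` that the certificate returned by the external CA chains to that CA, was issued as a CA certificate, and carries the key from the signing request of step 1. The function name and its three file arguments are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA).
# Hypothetical helper: check_signed_ca_cert SIGNED_CERT EXTERNAL_CA_CERT REQUEST
#   SIGNED_CERT       certificate returned by the external CA (step 2)
#   EXTERNAL_CA_CERT  PEM file with the external CA certificate(s)
#   REQUEST           PKCS#10 request file written by step 1
# Returns 0 if the certificate is fit to hand to step 3, else 1, 2 or 3.

check_signed_ca_cert() {
    signed=$1; ca=$2; request=$3

    # 1. Signature and validity period: must chain to the external CA.
    if ! openssl verify -CAfile "$ca" "$signed" >/dev/null 2>&1; then
        echo "FAIL: $signed does not verify against $ca" >&2
        return 1
    fi

    # 2. Must be issued as a CA certificate (basicConstraints CA:TRUE);
    #    a leaf certificate cannot sign the certificates IPA issues.
    if ! openssl x509 -in "$signed" -noout -text | grep 'CA:TRUE' >/dev/null; then
        echo "FAIL: $signed is not a CA certificate" >&2
        return 2
    fi

    # 3. Must carry the public key from the request, i.e. the key IPA holds.
    cert_key=$(openssl x509 -in "$signed" -noout -pubkey)
    req_key=$(openssl req -in "$request" -noout -pubkey)
    if [ -z "$cert_key" ] || [ "$cert_key" != "$req_key" ]; then
        echo "FAIL: public key differs from the one in $request" >&2
        return 3
    fi

    echo "OK: $(openssl x509 -in "$signed" -noout -subject -issuer -enddate | tr '\n' ' ')"
}

# Run directly: sh check.sh SIGNED_CERT EXTERNAL_CA_CERT REQUEST
if [ $# -eq 3 ]; then
    check_signed_ca_cert "$@"
fi
```

A non-zero return means the file should go back to the external CA rather than into `ipa-cacert-manage renew`.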
[Freeipa-users] Adding external CA
Hi FreeIPA Users,

I have a fresh new FreeIPA 4.1 on RHEL7.1 with a self-signed CA and I would like to change the self-signed CA to the external CA.

Do you have any step-by-step document for doing it correctly on the 4.1 version?

/lm