Re: [Freeipa-users] Switch to 3rd party SSL
Thanks Rob, I’ll give it a try! Andrew Chin On Jan 7, 2015, at 2:13 PM, Rob Crittenden rcrit...@redhat.com wrote: Andrew Chin wrote: Hello, I want to switch our FreeIPA 3.3.5 from using the FreeIPA CA self signed certificate to one signed by a commercial CA that browsers will recognize. The documentation at http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP says The certificate in mysite.crt must be signed by the CA used when installing FreeIPA.” Does this preclude me from installing the commercial cert? If not, should I just follow the directions for IPA 4.1? Thanks, Andrew Chin That is rather confusing isn't it. IMHO It should really say that the cert is signed by your 3rd party CA. You'll also want to make sure that the issuing CA is trusted in your NSS databases as well. rob signature.asc Description: Message signed with OpenPGP using GPGMail -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] Switch to 3rd party SSL
Andrew Chin wrote: Hello, I want to switch our FreeIPA 3.3.5 from using the FreeIPA CA self signed certificate to one signed by a commercial CA that browsers will recognize. The documentation at http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP says The certificate in mysite.crt must be signed by the CA used when installing FreeIPA.” Does this preclude me from installing the commercial cert? If not, should I just follow the directions for IPA 4.1? Thanks, Andrew Chin That is rather confusing isn't it. IMHO It should really say that the cert is signed by your 3rd party CA. You'll also want to make sure that the issuing CA is trusted in your NSS databases as well. rob -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
[Freeipa-users] Switch to 3rd party SSL
Hello, I want to switch our FreeIPA 3.3.5 from using the FreeIPA CA self signed certificate to one signed by a commercial CA that browsers will recognize. The documentation at http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP says The certificate in mysite.crt must be signed by the CA used when installing FreeIPA.” Does this preclude me from installing the commercial cert? If not, should I just follow the directions for IPA 4.1? Thanks, Andrew Chin -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project