Re: [Freeipa-users] Adding a cert post install

2009-07-29 Thread Rob Crittenden

David Christensen wrote:
> Rob Crittenden wrote:
>> David Christensen wrote:
>>> Rob Crittenden wrote:
>>>> David Christensen wrote:
>>>>> If freeIPA was installed and a CA signed cert was not used during the
>>>>> install and instead the freeipa generated one was used, is it possible
>>>>> to import one post install?
>>>> There is a tool to do that, ipa-server-certinstall.
>>>>
>>>>> If this is not possible, or is rather difficult, is it possible to
>>>>> back up the freeIPA DB and import it after a new install to use the
>>>>> legit CA cert?
>>>> It isn't too difficult to do but you have to understand the
>>>> ramifications. When you create any replicas you'll need to provide two
>>>> certificates for it (one for Apache and one for 389) in the form of
>>>> PKCS#12 files and they need to be issued from the same CA as your other
>>>> IPA servers (or they must already be trusted).
>>>>
>>>> You just have to be very careful, basically.
>>>>
>>>> rob
>>>
>>> Thanks for the info Rob.
>>>
>>> Does the same ramification exist using the ipa-server-certinstall tool
>>
>> Yes, once you replace the self-signed CA you'll be responsible for
>> providing all future certificates via PKCS#12 files and ensuring that
>> the required CA certs will be available for trust purposes.
>>
>> It isn't an overwhelming task but can be confusing for those new to SSL.
>>
>> rob
>
> Thanks for clarifying.  Can the tool be used on replicas?  I created a
> replica for multimaster replication using the default install so I will
> need to import the SSL cert for both ipa servers.

Yes, it should work fine on replicas too.

rob



___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Adding a cert post install

2009-07-29 Thread David Christensen
Rob Crittenden wrote:
> David Christensen wrote:
>> Rob Crittenden wrote:
>>> David Christensen wrote:
>>>> If freeIPA was installed and a CA signed cert was not used during the
>>>> install and instead the freeipa generated one was used, is it possible
>>>> to import one post install?
>>> There is a tool to do that, ipa-server-certinstall.
>>>
>>>> If this is not possible, or is rather difficult, is it possible to
>>>> back up the freeIPA DB and import it after a new install to use the
>>>> legit CA cert?
>>> It isn't too difficult to do but you have to understand the
>>> ramifications. When you create any replicas you'll need to provide two
>>> certificates for it (one for Apache and one for 389) in the form of
>>> PKCS#12 files and they need to be issued from the same CA as your other
>>> IPA servers (or they must already be trusted).
>>>
>>> You just have to be very careful, basically.
>>>
>>> rob
>>
>> Thanks for the info Rob.
>>
>> Does the same ramification exist using the ipa-server-certinstall tool
>
> Yes, once you replace the self-signed CA you'll be responsible for
> providing all future certificates via PKCS#12 files and ensuring that
> the required CA certs will be available for trust purposes.
>
> It isn't an overwhelming task but can be confusing for those new to SSL.
>
> rob

Thanks for clarifying.  Can the tool be used on replicas?  I created a
replica for multimaster replication using the default install so I will
need to import the SSL cert for both ipa servers.



Re: [Freeipa-users] Adding a cert post install

2009-07-29 Thread Rob Crittenden

David Christensen wrote:
> Rob Crittenden wrote:
>> David Christensen wrote:
>>> If freeIPA was installed and a CA signed cert was not used during the
>>> install and instead the freeipa generated one was used, is it possible
>>> to import one post install?
>> There is a tool to do that, ipa-server-certinstall.
>>
>>> If this is not possible, or is rather difficult, is it possible to
>>> back up the freeIPA DB and import it after a new install to use the legit
>>> CA cert?
>> It isn't too difficult to do but you have to understand the
>> ramifications. When you create any replicas you'll need to provide two
>> certificates for it (one for Apache and one for 389) in the form of
>> PKCS#12 files and they need to be issued from the same CA as your other
>> IPA servers (or they must already be trusted).
>>
>> You just have to be very careful, basically.
>>
>> rob
>
> Thanks for the info Rob.
>
> Does the same ramification exist using the ipa-server-certinstall tool

Yes, once you replace the self-signed CA you'll be responsible for
providing all future certificates via PKCS#12 files and ensuring that
the required CA certs will be available for trust purposes.

It isn't an overwhelming task but can be confusing for those new to SSL.

rob



Re: [Freeipa-users] Adding a cert post install

2009-07-28 Thread David Christensen
Rob Crittenden wrote:
> David Christensen wrote:
>> If freeIPA was installed and a CA signed cert was not used during the
>> install and instead the freeipa generated one was used, is it possible
>> to import one post install?
>
> There is a tool to do that, ipa-server-certinstall.
>
>> If this is not possible, or is rather difficult, is it possible to
>> back up the freeIPA DB and import it after a new install to use the legit
>> CA cert?
>
> It isn't too difficult to do but you have to understand the
> ramifications. When you create any replicas you'll need to provide two
> certificates for it (one for Apache and one for 389) in the form of
> PKCS#12 files and they need to be issued from the same CA as your other
> IPA servers (or they must already be trusted).
>
> You just have to be very careful, basically.
>
> rob

Thanks for the info Rob.

Does the same ramification exist using the ipa-server-certinstall tool
or is that just when trying to re-create an instance of IPA and
importing the DB?



Re: [Freeipa-users] Adding a cert post install

2009-07-28 Thread Rob Crittenden

David Christensen wrote:
> If freeIPA was installed and a CA signed cert was not used during the
> install and instead the freeipa generated one was used, is it possible
> to import one post install?

There is a tool to do that, ipa-server-certinstall.

> If this is not possible, or is rather difficult, is it possible to
> back up the freeIPA DB and import it after a new install to use the legit
> CA cert?

It isn't too difficult to do but you have to understand the
ramifications. When you create any replicas you'll need to provide two
certificates for it (one for Apache and one for 389) in the form of
PKCS#12 files and they need to be issued from the same CA as your other
IPA servers (or they must already be trusted).

You just have to be very careful, basically.

rob


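The reply above says that after the self-signed CA is replaced, every server certificate (one for Apache, one for 389 on each replica) has to be handed over as a PKCS#12 file issued by the same CA as the other IPA servers, or by one that is already trusted. The script below is an added example written for this archive page; it is not code from the thread and not FreeIPA's own tooling. It shows the two checks worth running before such a bundle is handed to ipa-server-certinstall or a replica install: the server cert must actually validate against the CA chain, and the private key must belong to that cert. Only then is cert, key and chain packaged into one PKCS#12 file. The file names, the throwaway demo CA, the host name ipa.example.test, the bundle password and the friendly name "Server-Cert" are all assumptions of the example; it stops short of invoking ipa-server-certinstall itself.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: build the PKCS#12
# bundle a replica (or ipa-server-certinstall) needs for Apache or 389, and
# refuse to build it when the cert does not chain to the CA or the key does
# not match. File names, the demo CA, host name and password are constructed.
set -eu

# Without openssl there is nothing to demonstrate; leave quietly.
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }

P12_PASS=changeit   # constructed demo password; a real one is set at install time

# make_p12 CERT KEY CHAIN OUT NICKNAME
# 1. CERT must validate against CHAIN (the CA that issues all IPA server certs)
# 2. KEY must belong to CERT
# 3. only then are cert + key + chain packaged, so the receiving side can
#    both present the cert and trust the CA that issued it
make_p12() {
    cert=$1; key=$2; chain=$3; out=$4; nick=$5
    if ! openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1; then
        echo "refusing: $cert does not chain to $chain" >&2
        return 1
    fi
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "refusing: $key does not match $cert" >&2
        return 1
    fi
    # -certfile embeds the CA chain next to the server cert in the bundle
    openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$chain" \
        -name "$nick" -passout "pass:$P12_PASS" -out "$out"
}

# p12_cert_count OUT: number of certificates carried in the bundle
# (server cert plus each CA cert; 2 for the demo CA below)
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$P12_PASS" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# demo_setup: constructed throwaway CA, a server cert it signed, and an
# unrelated key; prints the temp directory holding them
demo_setup() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example IPA CA" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=ipa.example.test" -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/srv.pem" 2>/dev/null
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
    echo "$d"
}

demo() {
    d=$(demo_setup)
    make_p12 "$d/srv.pem" "$d/srv.key" "$d/ca.pem" "$d/http.p12" "Server-Cert"
    echo "http.p12 carries $(p12_cert_count "$d/http.p12") certificates"
    # a key that does not belong to the cert is rejected before packaging
    if make_p12 "$d/srv.pem" "$d/other.key" "$d/ca.pem" "$d/bad.p12" "Server-Cert" 2>/dev/null; then
        echo "BUG: mismatched key accepted"
    else
        echo "mismatched key rejected as expected"
    fi
    rm -rf "$d"
}

demo
```

The chain check is the practical meaning of "issued from the same CA as your other IPA servers (or they must already be trusted)": if openssl verify fails against the CA file that the other servers trust, the replica will not trust the certificate either, no matter how the PKCS#12 file is built. Embedding the chain with -certfile is what makes the CA certificate available on the receiving side, which is the second responsibility the reply names.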

[Freeipa-users] Adding a cert post install

2009-07-28 Thread David Christensen
If freeIPA was installed and a CA signed cert was not used during the
install and instead the freeipa generated one was used, is it possible
to import one post install?

If this is not possible, or is rather difficult, is it possible to
back up the freeIPA DB and import it after a new install to use the legit
CA cert?

Thanks.
