Re: [Freeipa-users] FreeIPA with third-party wildcard certificate

2015-09-30 Thread Martin Kosek
FreeIPA allows running in CA-less mode, where there is no CA and FreeIPA
simply uses the offered CA/LDAP certificates:

http://www.freeipa.org/page/PKI#Blending_in_PKI_infrastructure

Some information is also here:
http://www.freeipa.org/images/b/b3/FreeIPA33-blending-in-a-certificate-infrastructure.pdf
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-ca-options.html

Martin

On 09/29/2015 02:16 PM, Brian Mathis wrote:
> No.  FreeIPA requires a *CA* certificate, which is a cert that has the
> ability to sign other certs.  Unless you're in a large company with an
> expensive agreement in place with GoDaddy, that is not a permission they
> grant to regular certs.  A wildcard cert is only allowed to be used on
> simple things like a web site, and does not have the ability to sign other
> certs.
> 
> 
> ~ Brian Mathis
> @orev
> 
> 
> On Tue, Sep 29, 2015 at 5:35 AM, Srdjan Dutina wrote:
> 
>> Hi!
>>
>> I'm testing FreeIPA 4.1.0 on CentOS 7 (1503).
>> I have a *wildcard* certificate for my domain issued by GoDaddy.
>> Could I use it with FreeIPA primary and replica servers instead of the
>> self-signed certificate?
>> If yes, how could I replace the self-signed certificate in an existing
>> two-server installation?
>>
>> Thank you.
>>
>> Srdjan.
>>

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] FreeIPA with third-party wildcard certificate

2015-09-29 Thread Brian Mathis
No.  FreeIPA requires a *CA* certificate, which is a cert that has the
ability to sign other certs.  Unless you're in a large company with an
expensive agreement in place with GoDaddy, that is not a permission they
grant to regular certs.  A wildcard cert is only allowed to be used on
simple things like a web site, and does not have the ability to sign other
certs.


~ Brian Mathis
@orev


On Tue, Sep 29, 2015 at 5:35 AM, Srdjan Dutina wrote:

> Hi!
>
> I'm testing FreeIPA 4.1.0 on CentOS 7 (1503).
> I have a *wildcard* certificate for my domain issued by GoDaddy.
> Could I use it with FreeIPA primary and replica servers instead of the
> self-signed certificate?
> If yes, how could I replace the self-signed certificate in an existing
> two-server installation?
>
> Thank you.
>
> Srdjan.
>

[Freeipa-users] FreeIPA with third-party wildcard certificate

2015-09-29 Thread Srdjan Dutina
Hi!

I'm testing FreeIPA 4.1.0 on CentOS 7 (1503).
I have a *wildcard* certificate for my domain issued by GoDaddy.
Could I use it with FreeIPA primary and replica servers instead of the
self-signed certificate?
If yes, how could I replace the self-signed certificate in an existing
two-server installation?

Thank you.

Srdjan.

Re: [Freeipa-users] FreeIPA with third-party wildcard certificate

2015-09-29 Thread Rob Crittenden
Brian Mathis wrote:
> No.  FreeIPA requires a *CA* certificate, which is a cert that has the
> ability to sign other certs.  Unless you're in a large company with an
> expensive agreement in place with GoDaddy, that is not a permission they
> grant to regular certs.  A wildcard cert is only allowed to be used on
> simple things like a web site, and does not have the ability to sign
> other certs.

You can replace the web and/or LDAP certificates with a 3rd party cert,
see http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

There be dragons (and countless corner cases).

rob

> 
> 
> ~ Brian Mathis
> @orev
> 
> 
> On Tue, Sep 29, 2015 at 5:35 AM, Srdjan Dutina wrote:
> 
> Hi!
> 
> I'm testing FreeIPA 4.1.0 on CentOS 7 (1503).
> I have a *wildcard* certificate for my domain issued by GoDaddy.
> Could I use it with FreeIPA primary and replica servers instead of the
> self-signed certificate?
> If yes, how could I replace the self-signed certificate in an existing
> two-server installation?
> 
> Thank you.
> 
> Srdjan.
> 
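As an added example (not part of this thread, and not FreeIPA's own tooling), the following POSIX shell script separates the two situations Brian and Rob describe. It generates two constructed self-signed certificates under a temporary directory: one carrying the extensions a CA certificate must have (basicConstraints CA:TRUE and a keyUsage that permits certificate signing), the other shaped like a commercial wildcard server certificate for the placeholder domain example.test. It then checks each certificate for the CA role, which is what ipa-server-install needs from a CA certificate, and checks which host names the wildcard actually covers, which is what matters if the certificate is only used for the HTTP and LDAP services of each IPA server. The domain, host names and file layout are assumptions; the only external tool is the openssl command line.

```shell
#!/bin/sh
# Added example: inspect a third-party (e.g. wildcard) certificate before
# deciding how it can be used with FreeIPA. Everything here is constructed:
# the certificates are generated on the fly in a throw-away directory and
# example.test plus the host names below are placeholders.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Extension profile of a CA certificate: it must be allowed to sign certs.
cat > "$WORK/ca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Extension profile of a typical wildcard server certificate: end entity
# only, server authentication, names given in subjectAltName.
cat > "$WORK/server.ext" <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.example.test
EOF

# make_selfsigned NAME SUBJECT EXTFILE: generate an EC key, a CSR and a
# self-signed certificate that carries the extensions from EXTFILE.
make_selfsigned() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 1 \
        -extfile "$3" -out "$WORK/$1.pem" 2>/dev/null
}

# is_ca_cert CERT: succeed only if the certificate asserts the CA role,
# i.e. basicConstraints CA:TRUE and a keyUsage that includes keyCertSign
# (printed by openssl as "Certificate Sign"). A wildcard server cert
# issued by a public CA has neither, so it cannot act as FreeIPA's CA.
is_ca_cert() {
    text="$(openssl x509 -in "$1" -noout -text)"
    printf '%s\n' "$text" | grep -q 'CA:TRUE' || return 1
    printf '%s\n' "$text" | grep -q 'Certificate Sign' || return 1
}

# cert_covers_host CERT FQDN: succeed if the certificate's names (with
# wildcard matching as a TLS client applies it) cover FQDN. This is the
# check that matters when the cert only replaces the HTTP/LDAP certs.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

make_selfsigned ca     "/CN=Example Test CA" "$WORK/ca.ext"
make_selfsigned server "/CN=*.example.test"  "$WORK/server.ext"

# report: classify both certificates and show which IPA host names the
# wildcard covers. Note that *.example.test matches exactly one label, so
# the apex name and deeper names are not covered.
report() {
    for c in ca server; do
        if is_ca_cert "$WORK/$c.pem"; then
            echo "$c.pem: CA certificate (usable as a CA cert for FreeIPA)"
        else
            echo "$c.pem: end-entity certificate (HTTP/LDAP service cert only)"
        fi
    done
    for h in ipa1.example.test ipa2.example.test example.test deep.sub.example.test; do
        if cert_covers_host "$WORK/server.pem" "$h"; then
            echo "server.pem covers $h"
        else
            echo "server.pem does NOT cover $h"
        fi
    done
}

report
```

Run it against a real certificate by pointing `is_ca_cert` and `cert_covers_host` at the PEM file instead of the generated ones. The first check tells you up front whether the file can serve as a CA certificate at all; the second tells you whether a single wildcard really covers every primary and replica FQDN before you go down the third-party HTTP/LDAP certificate path Rob links to.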