[Freeipa-users] using wildcard cert from external CA

2015-11-03 Thread Sean Conley - US
Sorry for the redundancy but I thought it would be better to start a new thread 
since I am really asking a different question at this point.

We are trying to stand up an IPA instance using real certs (wildcard) for our 
domain, so that external users get a valid cert when coming to the https UI.  
I am trying to follow the steps given in this thread: 
https://www.redhat.com/archives/freeipa-users/2014-August/msg00338.html.  It 
seems no matter what I do, I end up with: "full certificate chain is not 
present in /etc/ipa/pki/example.org.p12".  Has this process been documented 
more completely anywhere?  Is this still a valid process?

I know that there is now an --external-ca option to ipa-server-install, but I 
have questions about the CSR process from my CA and they are not being very 
responsive.  I have also been told that this option would require a reseller 
arrangement potentially costing a lot of money...  we don't want to be in the 
CA business...  we just want our external users to be able to securely access 
IPA.

Thanks again in advance for any assistance.

Sean


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] using wildcard cert from external CA

2015-11-03 Thread Rob Crittenden
Sean Conley - US wrote:
> Sorry for the redundancy but I thought it would be better to start a new
> thread since I am really asking a different question at this point.
> 
> We are trying to stand up an IPA instance using real certs (wildcard)
> for our domain, so that external users get a valid cert when coming to
> the https UI.  I am trying to follow the steps given in this
> thread: 
> https://www.redhat.com/archives/freeipa-users/2014-August/msg00338.html.
>  It seems no matter what I do, I end up with: “full certificate chain is
> not present in /etc/ipa/pki/example.org.p12”.  Has this process been
> documented more completely anywhere?  Is this still a valid process?
> 
> I know that there is now an --external-ca option to ipa-server-install,
> but I have questions about the CSR process from my CA and they are not
> being very responsive.  I have also been told that this option would
> require a reseller arrangement potentially costing a lot of money…  we
> don’t want to be in the CA business…  we just want our external users to
> be able to securely access IPA.
> 
> Thanks again in advance for any assistance.

I think you misunderstand what the external-ca option does. This
generates a CSR that you hand off to an external CA which issues a
subordinate CA certificate. This isn't what you want AFAICT.

Start reading here
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-ca-options.html

and it sounds like this is the configuration you want:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-ca-options.html#install-ca-less

rob

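The bundle a CA-less install is fed, and the check Sean keeps failing, as an added example that is not code from this thread or from FreeIPA: a POSIX shell script that constructs a toy root -> issuing CA -> wildcard chain on the fly (standing in for the commercial CA's chain; every name, hostname, subject and password in it is an assumption), packs key, server cert and chain into a PKCS#12 with openssl, and then verifies from the bundle alone that the chain reaches a self-signed root and that the wildcard covers the IPA server's FQDN. The verification is an approximation of what the installer's "full certificate chain" message complains about, not the installer's own code.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): build the PKCS#12
# a CA-less install is given, and check locally that it carries the whole chain
# (leaf -> intermediate -> self-signed root) before handing it to the installer.
# example.org, ipa.example.org, the "Toy" CAs and the pin are assumptions; the
# toy chain is constructed here to stand in for a commercial CA's chain.
set -eu

WORK=$(mktemp -d)
PIN=changeit               # assumed PKCS#12 password (the installer calls it a pin)
IPA_FQDN=ipa.example.org   # assumed server hostname that the wildcard must cover

# Constructed chain: Toy Root CA -> Toy Issuing CA -> *.example.org.
make_toy_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:*.example.org,DNS:example.org\n' > "$WORK/leaf.ext"

  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Toy Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -set_serial 1 \
    -days 30 -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null

  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Toy Issuing CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -set_serial 2 -days 30 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null

  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.example.org" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -set_serial 3 -days 30 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

  # What a CA portal usually hands out with the cert: the intermediate only.
  cat "$WORK/int.pem" > "$WORK/chain-noroot.pem"
  # What the bundle needs: every issuer up to and including the self-signed root.
  cat "$WORK/int.pem" "$WORK/root.pem" > "$WORK/chain-full.pem"
}

# build_p12 OUT KEY CERT CHAIN: private key, server cert and chain in one PKCS#12.
build_p12() {
  openssl pkcs12 -export -inkey "$2" -in "$3" -certfile "$4" \
    -passout "pass:$PIN" -out "$1"
}

# count_certs P12: number of certificates in the bundle (the key is not counted).
count_certs() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$PIN" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}

# check_chain_complete P12 HOSTNAME: returns 0 when the leaf verifies up to a
# self-signed root using ONLY the CA certs inside the bundle (system trust
# store disabled) and its SAN covers HOSTNAME; returns 1 otherwise.
check_chain_complete() {
  p12=$1; host=$2
  # The leaf is the cert tagged with the key's localKeyID; the rest are CA certs.
  openssl pkcs12 -in "$p12" -nokeys -clcerts -passin "pass:$PIN" -out "$WORK/c.leaf" 2>/dev/null
  openssl pkcs12 -in "$p12" -nokeys -cacerts -passin "pass:$PIN" -out "$WORK/c.cas" 2>/dev/null
  if openssl verify -no-CApath -no-CAfile -CAfile "$WORK/c.cas" \
       -verify_hostname "$host" "$WORK/c.leaf" >/dev/null 2>&1; then
    return 0
  fi
  return 1
}

make_toy_chain
build_p12 "$WORK/noroot.p12" "$WORK/leaf.key" "$WORK/leaf.pem" "$WORK/chain-noroot.pem"
build_p12 "$WORK/full.p12"   "$WORK/leaf.key" "$WORK/leaf.pem" "$WORK/chain-full.pem"

for p in noroot full; do
  if check_chain_complete "$WORK/$p.p12" "$IPA_FQDN"; then
    echo "$p.p12: $(count_certs "$WORK/$p.p12") certs, full chain present for $IPA_FQDN"
  else
    echo "$p.p12: $(count_certs "$WORK/$p.p12") certs, full certificate chain is not present"
  fi
done
```

To use it for real, replace the toy material with the wildcard key and cert plus the CA's intermediate(s) and root, and run the check before the installer: the usual way to end up with a bundle that trips the "full certificate chain is not present" message is a CA download that ships the intermediate but not the root, which is the `noroot.p12` case above. The CA-less procedure in the RHEL 7 guide Rob links takes such a bundle through the installer's `--http-cert-file`/`--dirsrv-cert-file` options with the matching `--http-pin`/`--dirsrv-pin`, and a root that is not in the bundle can be supplied separately with `--ca-cert-file` (flag names as in that release of the guide; confirm against `ipa-server-install --help` on the version being installed). Contrast this with `--external-ca`, which, as Rob says, asks the external CA to sign a subordinate CA certificate, i.e. a CA:TRUE certificate like `int.pem` above; the wildcard cert is an ordinary end-entity (CA:FALSE) certificate like `leaf.pem`.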