<div dir="ltr">Makes sense.<div>I will still try out that cert add command in my test environment, just to see if it works.</div><div>Looks like for now, the 4.1 upgrade is my best option.</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Oct 13, 2014 at 7:01 PM, Dmitri Pal <span dir="ltr"><<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000"><span class="">
    <div>On 10/13/2014 06:45 PM, quest monger
      wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">I did the default IPA install, didn't change any
        certs or anything.
        <div>As part of that install, it now shows 2 certs, one on port
          443 (HTTPS) and one on port 636 (LDAPS). These certs don't have
          a trust chain, hence I called them self-signed.</div>
        <div>We have a contract with a third party CA that issues TLS
          certs for us. I was asked to find a way to replace those 2
          self-signed certs with certs from this third party CA.</div>
        <div>I was wondering if there was a way I could do that.</div>
        <div><br>
        </div>
        <div>I found this - <a href="http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP" target="_blank">http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP</a></div>
        <div><br>
        </div>
        <div>I am currently running 3.0.0.</div>
        <div><br>
        </div>
        <div><br>
        </div>
      </div>
    </blockquote>
    <br></span>
    AFAIU the biggest issue will be with the clients.<br>
    I suspect that they might be quite confused if you just drop in the
    certs from the 3rd party.<br>
    If you noticed, the page has the following line: <br>
    "The certificate in mysite.crt must be signed by the CA used when
    installing FreeIPA." I think it should say by "external" CA to be
    clear.<br>
    It is not the case in your situation. If it were the situation, the
    CA would have been already in the trust chain on the clients and the
    procedure would have worked, but I do not think it would work now.<br>
    You would need to use the cert chaining tool that was built in
    4.1 when 4.1 gets released on CentOS.<div><div class="h5"><br>
    <br>
    <br>
    <br>
    <blockquote type="cite">
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Mon, Oct 13, 2014 at 6:31 PM, Dmitri
          Pal <span dir="ltr"><<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000">
              <div>
                <div>
                  <div>On 10/13/2014 03:39 PM, quest monger wrote:<br>
                  </div>
                  <blockquote type="cite">
                    <div dir="ltr">I found some documentation for
                      getting certificate signed by external CA
                      (2.3.3.2. Using Different CA Configurations) - <a href="http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/creating-server.html" target="_blank">http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/creating-server.html</a>
                      <div><br>
                      </div>
                      <div>But looks like those instructions apply to a
                        first time fresh install, not for upgrading an
                        existing install.</div>
                      <div><br>
                      </div>
                      <div><br>
                      </div>
                    </div>
                    <div class="gmail_extra"><br>
                      <div class="gmail_quote">On Mon, Oct 13, 2014 at
                        3:24 PM, quest monger <span dir="ltr"><<a href="mailto:quest.monger@gmail.com" target="_blank">quest.monger@gmail.com</a>></span>
                        wrote:<br>
                        <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                          <div dir="ltr">I was told by my admin team
                            that self-signed certs pose a security risk.
                            <div><br>
                            </div>
                          </div>
                          <div>
                            <div>
                              <div class="gmail_extra"><br>
                                <div class="gmail_quote">On Mon, Oct 13,
                                  2014 at 3:17 PM, Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span>
                                  wrote:<br>
                                  <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                    <div>
                                      <div>quest monger wrote:<br>
                                        > Hello All,<br>
                                        ><br>
                                        > I installed FreeIPA server
                                        on a CentOS host. I have 20+
                                        Linux and<br>
                                        > Solaris clients hooked up
                                        to it. SSH and Sudo works on all
                                        clients.<br>
                                        ><br>
                                        > I would like to replace the
                                        self-signed cert that is used on
                                        Port 389<br>
                                        > and 636.<br>
                                        ><br>
                                        > Is there a way to do this
                                        without re-installing the server
                                        and clients?<br>
                                        <br>
                                      </div>
                                    </div>
                                    Why do you want to do this?<br>
                                    <span><font color="#888888"><br>
                                        rob<br>
                                        <br>
                                      </font></span></blockquote>
                                </div>
                                <br>
                              </div>
                            </div>
                          </div>
                        </blockquote>
                      </div>
                      <br>
                    </div>
                    <br>
                    <br>
                  </blockquote>
                  <br>
                </div>
              </div>
              Do I get it right that you installed IPA using a self-signed
              certificate and now want to change it?<br>
              What version of IPA do you have? Did you use a self-signed
              CA-less install or a self-signed CA?<br>
              The tools to change the chaining are only being released
              in 4.1, so you might have to move to the latest when we release
              4.1 for CentOS.<span><font color="#888888"><br>
                  <br>
                  <br>
                  <pre cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
                </font></span></div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
    <br>
  </div></div></div>

</blockquote></div><br></div>
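The point Dmitri makes above, that enrolled clients trust the IPA CA and will not accept a server certificate issued by a different CA until that CA is in their trust store, as an added example that is not part of this thread. It assumes only the openssl CLI; every CA, key and hostname in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: show why clients that trust only the
# IPA CA reject a server certificate issued by a different (external) CA,
# and that adding that CA to the client trust store fixes verification.
# Assumes the openssl CLI; all CAs, keys and hostnames here are constructed.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Constructed "IPA CA" (what clients were enrolled with) and "external CA".
openssl req -x509 -newkey rsa:2048 -nodes -keyout ipa-ca.key -out ipa-ca.crt \
    -subj "/CN=Example IPA CA" -days 365 >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -keyout ext-ca.key -out ext-ca.crt \
    -subj "/CN=Example External CA" -days 365 >/dev/null 2>&1

# Server certificate for the LDAPS/HTTPS host, signed by the external CA only.
openssl req -newkey rsa:2048 -nodes -keyout ldap.key -out ldap.csr \
    -subj "/CN=ipa.example.test" >/dev/null 2>&1
openssl x509 -req -in ldap.csr -CA ext-ca.crt -CAkey ext-ca.key \
    -CAcreateserial -out ldap.crt -days 365 >/dev/null 2>&1

# chain_ok TRUST_BUNDLE CERT: prints "yes" if CERT chains to a CA in the
# bundle, "no" otherwise. The system CA store is excluded so the result
# depends only on the bundle, as it does on a client with a fixed trust DB.
chain_ok() {
    if openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
    then echo yes; else echo no; fi
}

# Client trust store as enrolled: only the IPA CA (the situation in the thread).
cp ipa-ca.crt client-ipa-only.pem
# Client trust store after the external CA has been distributed as well.
cat ipa-ca.crt ext-ca.crt > client-with-ext.pem

echo "IPA-only client accepts external-signed server cert: $(chain_ok client-ipa-only.pem ldap.crt)"
echo "client with external CA accepts it:                  $(chain_ok client-with-ext.pem ldap.crt)"
```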