<div dir="ltr">I did the default IPA install, didn't change any certs or anything.<div>As part of that install, it now shows 2 certs, one on port 443 (HTTPS) and one on port 636 (LDAPS). These certs don't have a trust chain, hence I called them self-signed.</div><div>We have a contract with a third-party CA that issues TLS certs for us. I was asked to find a way to replace those 2 self-signed certs with certs from this third-party CA.</div><div>I was wondering if there was a way I could do that.</div><div><br></div><div>I found this - <a href="http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP">http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP</a></div><div><br></div><div>I am currently running 3.0.0.</div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Oct 13, 2014 at 6:31 PM, Dmitri Pal <span dir="ltr"><<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><div><div class="h5">
<div>On 10/13/2014 03:39 PM, quest monger
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">I found some documentation for getting a certificate
signed by an external CA (2.3.3.2. Using Different CA
Configurations) - <a href="http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/creating-server.html" target="_blank">http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/creating-server.html</a>
<div><br>
</div>
<div>But it looks like those instructions apply to a first-time
fresh install, not to upgrading an existing install.</div>
<div><br>
</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Oct 13, 2014 at 3:24 PM, quest
monger <span dir="ltr"><<a href="mailto:quest.monger@gmail.com" target="_blank">quest.monger@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">I was told by my admin team that Self-signed
certs pose a security risk.
<div><br>
</div>
</div>
<div>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Oct 13, 2014 at 3:17
PM, Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div>quest monger wrote:<br>
> Hello All,<br>
><br>
> I installed FreeIPA server on a CentOS
host. I have 20+ Linux and<br>
> Solaris clients hooked up to it. SSH and
Sudo work on all clients.<br>
><br>
> I would like to replace the self-signed
cert that is used on ports 389<br>
> and 636.<br>
><br>
> Is there a way to do this without
re-installing the server and clients?<br>
<br>
</div>
</div>
Why do you want to do this?<br>
<span><font color="#888888"><br>
rob<br>
<br>
</font></span></blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
<br>
</blockquote>
<br></div></div>
Do I get it right that you installed IPA using a self-signed
certificate and now want to change it?<br>
What version of IPA do you have? Did you use a self-signed CA-less
install or a self-signed CA?<br>
The tools to change the chaining are only being released in 4.1, so
you might have to move to the latest when we release 4.1 for CentOS.<span class="HOEnZb"><font color="#888888"><br>
<br>
<br>
<pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</font></span></div>
<br>--<br>
Manage your subscription for the Freeipa-users mailing list:<br>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
Go To <a href="http://freeipa.org" target="_blank">http://freeipa.org</a> for more info on the project<br></blockquote></div><br></div>