[Freeipa-users] Adding a cert post install

David Christensen David.Christensen at viveli.com
Tue Jul 28 22:56:04 UTC 2009


Rob Crittenden wrote:
> David Christensen wrote:
>> If freeIPA was installed and a CA-signed cert was not used during the
>> install and instead the freeIPA-generated one was used, is it possible
>> to import one post install?
> 
> There is a tool to do that, ipa-server-certinstall.
> 
>> If this is not possible or is rather difficult, is it possible to
>> back up the freeIPA DB and import it after a new install to use the legit
>> CA cert?
> 
> It isn't too difficult to do but you have to understand the
> ramifications. When you create any replicas you'll need to provide two
> certificates for it (one for Apache and one for 389) in the form of
> PKCS#12 files and they need to be issued from the same CA as your other
> IPA servers (or they must already be trusted).
> 
> You just have to be very careful, basically.
> 
> rob

Thanks for the info Rob.

Does the same ramification exist using the ipa-server-certinstall tool
or is that just when trying to re-create an instance of IPA and
importing the DB?
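The same-CA requirement Rob describes for the two replica PKCS#12 files (one for Apache, one for 389) can be checked with openssl before the files are used. This is an added example, not part of the original thread and not FreeIPA tooling; the function names and file arguments are hypothetical, and it assumes OpenSSL 1.1.0 or later and a CA file that holds the full issuing chain.

```shell
#!/bin/sh
# Added example: names and arguments are hypothetical, not FreeIPA tooling.
# Requires OpenSSL 1.1.0+ (for -no-CApath).

# check_p12_issuer P12 PASSFILE CA_PEM
#   0 = leaf cert in P12 chains to CA_PEM
#   1 = cert is readable but was not issued under CA_PEM
#   2 = PKCS#12 file could not be read (wrong password, corrupt file)
check_p12_issuer() {
    p12=$1; passfile=$2; ca=$3
    leaf=$(mktemp) || return 2
    # -nokeys keeps the private key off disk; -clcerts selects the leaf only.
    if ! openssl pkcs12 -in "$p12" -passin "file:$passfile" -nokeys -clcerts \
            2>/dev/null | openssl x509 -out "$leaf" 2>/dev/null; then
        rm -f "$leaf"; return 2
    fi
    # -no-CApath: do not fall back to the default CA directory.
    if openssl verify -no-CApath -CAfile "$ca" "$leaf" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -f "$leaf"
    return "$rc"
}

# check_replica_certs HTTP_P12 DS_P12 PASSFILE CA_PEM
# Both replica files (Apache and 389) must chain to the existing IPA CA.
check_replica_certs() {
    status=0
    for f in "$1" "$2"; do
        check_p12_issuer "$f" "$3" "$4"
        case $? in
            0) echo "OK         $f" ;;
            1) echo "WRONG CA   $f"; status=1 ;;
            *) echo "UNREADABLE $f"; status=1 ;;
        esac
    done
    return "$status"
}

# Run directly with four arguments; with none, only the functions are defined.
if [ "$#" -eq 4 ]; then check_replica_certs "$@"; fi
```

The password is read from a file so it does not appear in the process list, and a non-zero exit means at least one file should not be handed to a replica install.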



