[Freeipa-users] Adding a cert post install

Rob Crittenden rcritten at redhat.com
Wed Jul 29 14:23:05 UTC 2009


David Christensen wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Rob Crittenden wrote:
>> David Christensen wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> If freeIPA was installed and a CA signed cert was not used during the
>>> install and instead the freeipa generated one was used, it is possible
>>> to import one post install?
>> There is a tool to do that, ipa-server-certinstall.
>>
>>> If not this is not possible or rather difficult, is it possible to
>>> backup the freeIPA DB and import it after a new install to use the legit
>>> CA cert?
>> It isn't too difficult to do but you have to understand the
>> ramifications. When you create any replicas you'll need to provide two
>> certificates for it (one for Apache and one for 389) in the form of
>> PKCS#12 files and they need to be issued from the same CA as your other
>> IPA servers (or they must already be trusted).
>>
>> You just have to be very careful, basically.
>>
>> rob
> 
> Thanks for the info Rob.
> 
> Does the same ramification exist using the ipa-server-certinstall tool

Yes, once you replace the self-signed CA you'll be responsible for 
providing all future certificates via PKCS#12 files and ensuring that 
the required CA certs will be available for trust purposes.

It isn't an overwhelming task but can be confusing for those new to SSL.

rob
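An added example, not from this thread or from the FreeIPA project, of the PKCS#12 step described above: packing a CA-issued key and cert for one service (Apache or 389) together with the CA chain, and refusing to build the bundle unless the cert really chains to the CA the IPA servers are going to trust. The file names, the "Server-Cert" friendly name and the password are assumptions, and the demo CA it creates is constructed test material.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): build the PKCS#12 bundle
# a replica needs for one service from a CA-issued key and certificate,
# refusing to build it unless the cert chains to the CA the servers trust.
# Paths, the "Server-Cert" friendly name and the password are assumptions.

# build_service_p12 KEY CERT CA_CHAIN OUT PASSWORD
# Returns 1 if CERT does not chain to CA_CHAIN, 2 if KEY and CERT differ.
build_service_p12() {
    key=$1; cert=$2; chain=$3; out=$4; pw=$5
    openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1 || return 1
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] || return 2
    # -certfile puts the CA cert(s) in the bundle too, so trust travels with it
    openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$chain" \
        -name "Server-Cert" -out "$out" -passout "pass:$pw"
}

# p12_cert_count P12 PASSWORD: certificates carried in the bundle; 2 means
# the server cert and the CA cert are both there.
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# make_demo_pki DIR: constructed test material only. Creates a throwaway CA
# that issues a cert for ipa.example.test, plus an unrelated CA and cert.
make_demo_pki() {
    d=$1
    for ca in ca other-ca; do
        openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/$ca.key" \
            -out "$d/$ca.crt" -subj "/CN=Demo $ca" -days 1 2>/dev/null
    done
    for pair in "srv ca" "other other-ca"; do
        set -- $pair   # $1 = leaf name, $2 = issuing CA name
        openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$1.key" \
            -out "$d/$1.csr" -subj "/CN=ipa.example.test" 2>/dev/null
        openssl x509 -req -in "$d/$1.csr" -CA "$d/$2.crt" -CAkey "$d/$2.key" \
            -CAcreateserial -out "$d/$1.crt" -days 1 2>/dev/null
    done
}

if [ "${1:-}" = demo ]; then   # sh this_script.sh demo
    w=$(mktemp -d); make_demo_pki "$w"
    build_service_p12 "$w/srv.key" "$w/srv.crt" "$w/ca.crt" "$w/srv.p12" secret \
        && echo "bundle ok, certs in bundle: $(p12_cert_count "$w/srv.p12" secret)"
    build_service_p12 "$w/other.key" "$w/other.crt" "$w/ca.crt" "$w/x.p12" secret \
        || echo "refused: cert from another CA (rc=$?)"
    rm -rf "$w"
fi
```

The same check applies to the second bundle (the 389 one): run build_service_p12 once per service with the same CA chain file, and feed the resulting .p12 files to the replica setup.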