[Freeipa-users] Adding a cert post install

Rob Crittenden rcritten at redhat.com
Wed Jul 29 15:22:33 UTC 2009


David Christensen wrote:
> Rob Crittenden wrote:
>> David Christensen wrote:
>>> Rob Crittenden wrote:
>>>> David Christensen wrote:
>>>>> If freeIPA was installed and a CA signed cert was not used during the
>>>>> install and instead the freeipa generated one was used, is it possible
>>>>> to import one post install?
>>>> There is a tool to do that, ipa-server-certinstall.
>>>>
>>>>> If this is not possible or rather difficult, is it possible to
>>>>> back up the freeIPA DB and import it after a new install to use the
>>>>> legit CA cert?
>>>> It isn't too difficult to do but you have to understand the
>>>> ramifications. When you create any replicas you'll need to provide two
>>>> certificates for it (one for Apache and one for 389) in the form of
>>>> PKCS#12 files and they need to be issued from the same CA as your other
>>>> IPA servers (or they must already be trusted).
>>>>
>>>> You just have to be very careful, basically.
>>>>
>>>> rob
>>> Thanks for the info Rob.
>>>
>>> Does the same ramification exist using the ipa-server-certinstall tool?
>> Yes, once you replace the self-signed CA you'll be responsible for
>> providing all future certificates via PKCS#12 files and ensuring that
>> the required CA certs will be available for trust purposes.
>>
>> It isn't an overwhelming task but can be confusing for those new to SSL.
>>
>> rob
> 
> Thanks for clarifying.  Can the tool be used on replicas?  I created a
> replica for multimaster replication using the default install so I will
> need to import the SSL cert for both ipa servers.

Yes, it should work fine on replicas too.

rob
