[Freeipa-users] Using already running dogtag-instance possible?
Rob Crittenden
rcritten at redhat.com
Fri Apr 9 21:42:54 UTC 2010
Oliver Burtchen wrote:
> Hi @all,
>
> is it possible to use an already configured and running dogtag-instance for
> freeipa V2 in the installation process? I would like to give
> ipa-server-install just the params for the dogtag-instance/server to use, and
> skip its own creation-process (pkisilence ...).
>
> Or are there arguments for an extra CA used by freeipa?
>
> Background: I customized dogtag for my needs (using SHA256, default to 10 year
> validity of ca-SigningCert, organization and location defaults, etc. ).
>
> Best regards,
> Oli
Probably the best way to do it would be to use the external CA install
option (--external-ca). This is a two-step installation process. The
first step generates a CSR for the IPA CA. You take this CSR to your
existing CA and issue a subordinate CA certificate that will be used by
IPA. Then you continue the IPA installation and it sets up a separate
dogtag instance with this subordinate CA.
It might be possible to wedge in an existing dogtag install into IPA in
another way but I haven't yet tried it.
rob
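
Added example (not part of the original message and not FreeIPA or dogtag code): a sanity check on the subordinate CA certificate issued in the two-step procedure above, run before continuing the installation. It confirms the certificate chains to the issuing CA, is marked CA:TRUE and carries a SHA-256 signature (the customization mentioned in the question); all keys, names and file paths are constructed stand-ins, and the check_sub_ca and issue_sample helpers are hypothetical.

```shell
#!/bin/sh
# Added example. All keys, names and files here are constructed throwaway
# material: "root" stands in for the existing CA, "ipa.csr" for the CSR that
# the first install step produces.

# check_sub_ca CERT ISSUER: print "ok" only if CERT chains to ISSUER,
# is marked as a CA, and carries a SHA-256 signature.
check_sub_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 ||
        { echo "chain does not verify"; return 1; }
    text=$(openssl x509 -in "$1" -noout -text)
    echo "$text" | grep -q 'CA:TRUE' ||
        { echo "basicConstraints is not CA:TRUE"; return 1; }
    echo "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' ||
        { echo "signature is not SHA-256"; return 1; }
    echo "ok"
}

# issue_sample DIR EXT: build the stand-in CA and CSR in DIR, then sign the
# CSR with extension section EXT (v3_ca or v3_leaf) into DIR/sub.pem.
issue_sample() {
    cat > "$1/x.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = critical,CA:FALSE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -config "$1/x.cnf" -extensions v3_ca -subj "/CN=Constructed Existing CA" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$1/x.cnf" \
        -subj "/CN=Constructed IPA CA" \
        -keyout "$1/ipa.key" -out "$1/ipa.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/ipa.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -CAcreateserial -sha256 -days 1 -extfile "$1/x.cnf" -extensions "$2" \
        -out "$1/sub.pem" 2>/dev/null
}

d=$(mktemp -d)
issue_sample "$d" v3_ca && check_sub_ca "$d/sub.pem" "$d/root.pem"
issue_sample "$d" v3_leaf && check_sub_ca "$d/sub.pem" "$d/root.pem" || true
rm -rf "$d"
```

With a real deployment, only check_sub_ca is needed: pass it the certificate issued for the IPA CSR and the existing CA's certificate.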