[Freeipa-users] Using already running dogtag-instance possible?

Oliver Burtchen o.burtchen at gmx.de
Fri Apr 9 23:29:40 UTC 2010


Hi Rob,

thanks for the answer. I know about the external CA-Cert possibility of 
ipa-server-install. But it does not do what I want.

I did set up a dogtag CA and a fedora-ds (389). It would be nice if freeipa 
could just use them. I find it a little bit inconsistent that dogtag tries to be 
a central service, and freeipa claims to be the same, setting up a new one. 

BTW: the Freeipa setup tells me that it should be the only 389 instance, and 
exits gracefully. Well, my dogtag and bind setup with a 389 backend works quite 
well, I just want freeipa to use them.

Is there a possibility to set up freeipa this way? Thanks for the all-in-one 
setup, but it means I cannot run another ldap (389) server (instance) on a 
machine where freeipa is running. Is this right?

Best regards,
Oli




On Friday, 9 April 2010 23:42:54, Rob Crittenden wrote:
> Oliver Burtchen wrote:
> > Hi @all,
> >
> > is it possible to use an already configured and running dogtag instance
> > for freeipa V2 in the installation process? I would like to give
> > ipa-server-install just the params for the dogtag instance/server to
> > use, and skip its own creation process (pkisilence ...).
> >
> > Or are there arguments for an extra CA used by freeipa?
> >
> > Background: I customized dogtag for my needs (using SHA256, default to 10
> > year validity of the CA signing cert, organization and location defaults,
> > etc.).
> >
> > Best regards,
> > Oli
> 
> Probably the best way to do it would be to use the external CA install
> option (--external-ca). This is a two-step installation process. The
> first step generates a CSR for the IPA CA. You take this CSR to your
> existing CA and issue a subordinate CA certificate that will be used by
> IPA. Then you continue the IPA installation and it sets up a separate
> dogtag instance with this subordinate CA.
> 
> It might be possible to wedge an existing dogtag install into IPA in
> another way, but I haven't yet tried it.
> 
> rob
> 

-- 
Oliver Burtchen, Berlin