[Freeipa-users] Howto use IPA for internal websites
Rob Crittenden
rcritten at redhat.com
Wed Feb 6 22:32:20 UTC 2013
Fred van Zwieten wrote:
> Hi,
>
> We have installed IPA in our internal network (let's call it example.com
> <http://example.com>).
>
> We have all kinds of internal websites running for various
> administrative tasks. These websites are in all kind of subdomains of
> example.com <http://example.com>. We would like to have them using a
> certificate signed by our CA.
>
> Some internal websites run on IPA-clients, some not.
>
> So, what is the exact workflow to make this happen?
A host doesn't need to be enrolled to get a certificate. You can just
use host-add (or the UI) to create the host and potentially whatever
services you want certificates for (HTTP, ldap, whatever).
Then generate a CSR on the host you want the cert for using your
favorite crypto tools and pass that to ipa cert-request. The output of
that is a signed public cert.
You'll need the CA cert chain as well. It can be retrieved via the web
from http://ipa.example.com/ipa/config/ca.crt. In 3.1 you can also get
it over LDAP in cn=CAcert,cn=ipa,cn=etc,$SUFFIX in the cACertificate
attribute.
> Also, our internal users must trust the IPA server as a Certificate
> Signing Authority. Users use both linux and windows clients and use
> various browsers on them. What is the procedure to have them trusting
> the IPA server as the CSA?
You can visit the URI for the CA cert directly and you should be
prompted to import and trust it in most browsers.
rob
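The workflow Rob describes, written out as an added example script (not from the original post or the FreeIPA project): create the host and HTTP service entries, generate a key and CSR on the web host with OpenSSL, submit the CSR with `ipa cert-request`, and fetch the CA chain over HTTP. The host names, realm and service name (`wiki.example.com`, `EXAMPLE.COM`, `HTTP/...`) are constructed placeholders; `--certificate-out` on `ipa cert-request` is assumed to exist in the installed IPA version (on older releases, take the base64 block from the `Certificate:` line of the command output instead).

```shell
#!/bin/sh
# Added example (not from the original post): issue a web server certificate
# from the IPA CA for a host that need not be an enrolled IPA client.
# Run with a valid Kerberos ticket for a user allowed to request certificates.
# Assumed/constructed values: realm EXAMPLE.COM, IPA server ipa.example.com.
set -eu

REALM="${REALM:-EXAMPLE.COM}"
IPA_SERVER="${IPA_SERVER:-ipa.example.com}"

# Emit an OpenSSL request config for a server CSR. The SAN extension must carry
# every DNS name users will type; browsers no longer accept a bare CN.
csr_config() {
    host="$1"; shift
    printf '[req]\ndistinguished_name = dn\nreq_extensions = ext\nprompt = no\n'
    printf '[dn]\nCN = %s\nO = %s\n' "$host" "$REALM"
    printf '[ext]\nkeyUsage = digitalSignature, keyEncipherment\n'
    printf 'extendedKeyUsage = serverAuth\n'
    sans="DNS:$host"
    for alt in "$@"; do sans="$sans,DNS:$alt"; done
    printf 'subjectAltName = %s\n' "$sans"
}

# Kerberos principal IPA uses for an HTTP service on a host.
http_principal() {
    printf 'HTTP/%s@%s' "$1" "$REALM"
}

# Full workflow: arguments are the primary host name followed by any extra
# DNS names for the SAN. The private key never leaves the web host.
issue_web_cert() {
    host="$1"; shift
    # --force: accept the host name even if IPA DNS cannot resolve it
    ipa host-add "$host" --force
    ipa service-add "$(http_principal "$host")" --force
    csr_config "$host" "$@" > "$host.cnf"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$host.key" \
        -out "$host.csr" -config "$host.cnf"
    chmod 600 "$host.key"
    # Submit the CSR; the CA returns the signed public certificate
    ipa cert-request "$host.csr" --principal="$(http_principal "$host")" \
        --certificate-out="$host.crt"
    # The CA chain the web server must send along with the leaf certificate.
    # Alternative on IPA 3.1+: ldapsearch -x -H "ldap://$IPA_SERVER" \
    #   -b "cn=CAcert,cn=ipa,cn=etc,$SUFFIX" cACertificate
    curl -fsS -o ca.crt "http://$IPA_SERVER/ipa/config/ca.crt"
    # Sanity check before deploying: the new leaf must chain to the fetched CA
    openssl verify -CAfile ca.crt "$host.crt"
}

if [ "${1:-}" = "issue" ]; then
    shift
    issue_web_cert "$@"
fi
```

Usage: `sh issue_web_cert.sh issue wiki.example.com www.example.com` on the web host (or on any machine with the IPA client tools, copying only the CSR there and the certificate back). Because `ca.crt` is fetched over plain HTTP, compare its fingerprint (`openssl x509 -in ca.crt -noout -fingerprint -sha256`) with the value shown on the IPA server before distributing it to browsers; the same fingerprint check is what users should do when the browser prompts them to trust the CA.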