[Freeipa-users] install with external CA failed
Dmitri Pal
dpal at redhat.com
Tue Mar 11 20:38:08 UTC 2014
On 03/11/2014 12:44 PM, Robert Story wrote:
> On Mon, 10 Mar 2014 16:07:54 -0400 Simo wrote:
> SS> > Unfortunately I've already scrapped that install and just went with
> SS> > the internal self-signed CA. So far, the only annoyance is that the
> SS> > webserver also presents a self-signed cert for the UI. Is it safe to
> SS> > replace just the web cert with a cert signed by my local CA? Or might
> SS> > that break something?
> SS>
> SS> Import the CA cert in your browser.
>
> This is exactly what I'm trying to avoid. Users already have to install our
> corporate CA cert, and I'd like to avoid having to install two. I'm hoping
> that the cert for the UI could be swapped for one signed by our existing CA.
>
>
> Robert
>
> --
> Senior Software Engineer @ Parsons
There are several options:
a) Resolve the issue with CA chaining. It might be due to some data
missing in the cert issued by your corporate CA when you tried to chain
things. We can drill down into that.
b) You can use the feature available in IPA 3.3 to use CA-less install.
It will be in CentOS 7. In this case you can install IPA without any CA
and just use your corporate CA. The downside is that all cert related
operations of IPA will be disabled.
c) Import the cert into the browser or the common certs store. I vaguely
remember that this change might have been ported to 6.5 but I am not
sure off the top of my head.
Thanks
Dmitri
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.