[Freeipa-users] install with external CA failed

Dmitri Pal dpal at redhat.com
Tue Mar 11 20:38:08 UTC 2014


On 03/11/2014 12:44 PM, Robert Story wrote:
> On Mon, 10 Mar 2014 16:07:54 -0400 Simo wrote:
> SS>  >  Unfortunately I've already scrapped that install and just went with
> SS>  >  the internal self-signed CA. So far, the only annoyance is that the
> SS>  >  webserver also presents a self-signed cert for the UI.  Is it safe to
> SS>  >  replace just the web cert with a cert signed by my local CA? Or might
> SS>  >  that break something?
> SS>
> SS>  Import the CA cert in your browser.
>
> This is exactly what I'm trying to avoid. Users already have to install our
> corporate CA cert, and I'd like to avoid having to install two. I'm hoping
> that the cert for the UI could be swapped for one signed by our existing CA.
>
>
> Robert
>
> --
> Senior Software Engineer @ Parsons
>
>


There are several options:

a) Resolve the issue with CA chaining. It might be due to some data 
missing in the cert issued by your corporate CA when you tried to chain 
things. We can drill down into that.
b) You can use the feature available in IPA 3.3 to use CA-less install. 
It will be in CentOS 7. In this case you can install IPA without any CA 
and just use your corporate CA. The downside is that all cert-related 
operations of IPA will be disabled.
c) Import the cert into the browser or the common certs store. I vaguely 
remember that this change might have been ported to 6.5 but I am not 
sure off the top of my head.

Thanks
Dmitri

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

