[Freeipa-users] Replace Self-Signed Cert

quest monger quest.monger at gmail.com
Mon Oct 13 22:45:05 UTC 2014


I did the default IPA install, didn't change any certs or anything.
As part of that install, it now shows 2 certs, one on port 443 (HTTPS) and
one on port 636 (LDAPS). These certs don't have a trust chain, hence I
called them self-signed.
We have a contract with a third party CA that issues TLS certs for us. I
was asked to find a way to replace those 2 self-signed certs with certs
from this third party CA.
I was wondering if there was a way I could do that.

I found this -
http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP

I am currently running 3.0.0.



On Mon, Oct 13, 2014 at 6:31 PM, Dmitri Pal <dpal at redhat.com> wrote:

>  On 10/13/2014 03:39 PM, quest monger wrote:
>
> I found some documentation for getting certificate signed by external CA
> (2.3.3.2. Using Different CA Configurations) -
> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/creating-server.html
>
>  But looks like those instructions apply to a first time fresh install,
> not for upgrading an existing install.
>
>
>
> On Mon, Oct 13, 2014 at 3:24 PM, quest monger <quest.monger at gmail.com>
> wrote:
>
>> I was told by my admin team that self-signed certs pose a security risk.
>>
>>
>> On Mon, Oct 13, 2014 at 3:17 PM, Rob Crittenden <rcritten at redhat.com>
>> wrote:
>>
>>>  quest monger wrote:
>>> > Hello All,
>>> >
>>> > I installed FreeIPA server on a CentOS host. I have 20+ Linux and
>>> > Solaris clients hooked up to it. SSH and Sudo works on all clients.
>>> >
>>> > I would like to replace the self-signed cert that is used on Port 389
>>> > and 636.
>>> >
>>> > Is there a way to do this without re-installing the server and clients.
>>>
>>>  Why do you want to do this?
>>>
>>> rob
>>>
>>>
>>
>
>
>
> Do I get it right that you installed IPA using a self-signed certificate and
> now want to change it?
> What version of IPA do you have? Did you use a self-signed CA-less install or
> a self-signed CA?
> The tools to change the chaining are only being released in 4.1, so you
> might have to move to the latest when we release 4.1 for CentOS.
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
>
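The thread turns on whether the HTTPS/LDAPS certificates are really self-signed or just chained to a CA the clients do not trust (Dmitri's "self-signed CA-less install or self-signed CA" question). The script below is an added example, not code from this thread or from the FreeIPA project: it generates constructed test certificates in a temporary directory (a throwaway CA, a server cert it issues, and a genuinely self-signed cert; all names are hypothetical) and classifies each one by comparing issuer to subject and then running `openssl verify` against an optional CA bundle. It assumes only the `openssl` command-line tool and a POSIX shell.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA). Distinguish a genuinely
# self-signed certificate (issuer == subject) from one issued by a CA that the
# verifying side simply does not trust. All certificates are constructed test
# material written to a temporary directory; hostnames and CA names are hypothetical.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a throwaway CA, a server cert issued by it, and a truly self-signed cert.
make_test_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=ipa.example.test" \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/srv.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/srv.pem" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=ipa.example.test" \
        -keyout "$WORK/self.key" -out "$WORK/self.pem" >/dev/null 2>&1
}

# dn_of CERT subject|issuer
# Print the DN with the "subject=" / "issuer=" prefix stripped so the two compare directly.
dn_of() {
    openssl x509 -in "$1" -noout "-$2" | sed 's/^[a-z]*= *//'
}

# cert_kind CERT.pem [CA-bundle.pem]
# Prints exactly one of: self-signed, trusted, untrusted-chain
cert_kind() {
    cert=$1
    cafile=$2
    if [ "$(dn_of "$cert" subject)" = "$(dn_of "$cert" issuer)" ]; then
        echo self-signed
    elif [ -n "$cafile" ] && openssl verify -CAfile "$cafile" "$cert" 2>/dev/null | grep -q ': OK$'; then
        echo trusted
    else
        echo untrusted-chain
    fi
}

make_test_certs
cert_kind "$WORK/self.pem"                 # self-signed
cert_kind "$WORK/srv.pem"                  # untrusted-chain: issuer not in any supplied bundle
cert_kind "$WORK/srv.pem" "$WORK/ca.pem"   # trusted once the issuing CA is supplied
```

To run the same classification against a live IPA server, save the served certificate with `openssl s_client -connect ipa.example.test:636 -showcerts </dev/null | openssl x509 -out ldap.pem` (host name hypothetical) and pass it to `cert_kind` with the IPA CA certificate that enrolled clients carry in `/etc/ipa/ca.crt`; a result of `trusted` there means the cert is CA-issued and only the third-party CA swap is at issue, not self-signing.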