[Freeipa-users] Replace Self-Signed Cert
quest.monger at gmail.com
Mon Oct 13 22:45:05 UTC 2014
I did the default IPA install, didn't change any certs or anything.
As part of that install, it now shows 2 certs, one on port 443 (HTTPS) and
one on port 636 (LDAPS). These certs don't have a trust chain, hence I
called them self-signed.
We have a contract with a third party CA that issues TLS certs for us. I
was asked to find a way to replace those 2 self-signed certs with certs
from this third party CA.
I was wondering if there was a way I could do that.
I found this -
I am currently running 3.0.0.
On Mon, Oct 13, 2014 at 6:31 PM, Dmitri Pal <dpal at redhat.com> wrote:
> On 10/13/2014 03:39 PM, quest monger wrote:
> I found some documentation for getting certificate signed by external CA
> (220.127.116.11. Using Different CA Configurations) -
> But looks like those instructions apply to a first time fresh install,
> not for upgrading an existing install.
> On Mon, Oct 13, 2014 at 3:24 PM, quest monger <quest.monger at gmail.com>
>> I was told by my admin team that Self-signed certs pose a security risk.
>> On Mon, Oct 13, 2014 at 3:17 PM, Rob Crittenden <rcritten at redhat.com>
>>> quest monger wrote:
>>> > Hello All,
>>> > I installed FreeIPA server on a CentOS host. I have 20+ Linux and
>>> > Solaris clients hooked up to it. SSH and Sudo works on all clients.
>>> > I would like to replace the self-signed cert that is used on Port 389
>>> > and 636.
>>> > Is there a way to do this without re-installing the server and clients?
>>> Why do you want to do this?
> Do I get it right that you installed IPA using self-signed certificate and
> now want to change it?
> What version of IPA do you have? Did you use a self-signed CA-less install or
> a self-signed CA?
> The tools to change the chaining are only being released in 4.1 so you
> might have to move to latest when we release 4.1 for CentOS.
> Thank you,
> Dmitri Pal
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.