[Freeipa-users] Replace Self-Signed Cert

William Graboyes wgraboyes at cenic.org
Mon Oct 13 22:53:53 UTC 2014


Hi there,

My understanding is the only way to install a third party cert is to 
start from scratch.  The part that is unclear to me is if there is a 
method of exporting the data prior to, and importing the data after the 
fresh instance of freeipa has been installed.  I assume that one would 
also have to re-install all clients utilizing freeipa.

Thanks,
Bill

On Mon Oct 13 15:45:05 2014, quest monger wrote:
> I did the default IPA install, didn't change any certs or anything.
> As part of that install, it now shows 2 certs, one on port 443 (HTTPS) and
> one on port 636 (LDAPS). These certs don't have a trust chain, hence I
> called them self-signed.
> We have a contract with a third party CA that issues TLS certs for us. I
> was asked to find a way to replace those 2 self-signed certs with certs
> from this third party CA.
> I was wondering if there was a way I could do that.
>
> I found this -
> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>
> I am currently running 3.0.0.
>
>
>
> On Mon, Oct 13, 2014 at 6:31 PM, Dmitri Pal <dpal at redhat.com> wrote:
>
>>  On 10/13/2014 03:39 PM, quest monger wrote:
>>
>> I found some documentation for getting a certificate signed by an external CA
>> (2.3.3.2. Using Different CA Configurations) -
>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/creating-server.html
>>
>> But it looks like those instructions apply to a first-time fresh install,
>> not to upgrading an existing install.
>>
>>
>>
>> On Mon, Oct 13, 2014 at 3:24 PM, quest monger <quest.monger at gmail.com>
>> wrote:
>>
>>> I was told by my admin team that self-signed certs pose a security risk.
>>>
>>>
>>> On Mon, Oct 13, 2014 at 3:17 PM, Rob Crittenden <rcritten at redhat.com>
>>> wrote:
>>>
>>>>  quest monger wrote:
>>>>> Hello All,
>>>>>
>>>>> I installed FreeIPA server on a CentOS host. I have 20+ Linux and
>>>>> Solaris clients hooked up to it. SSH and Sudo work on all clients.
>>>>>
>>>>> I would like to replace the self-signed cert that is used on ports 389
>>>>> and 636.
>>>>>
>>>>> Is there a way to do this without re-installing the server and clients?
>>>>
>>>>  Why do you want to do this?
>>>>
>>>> rob
>>>>
>>>>
>>>
>>
>>
>>
>> Do I get it right that you installed IPA using a self-signed certificate and
>> now want to change it?
>> What version of IPA do you have? Did you use a self-signed CA-less install or
>> a self-signed CA?
>> The tools to change the chaining are only being released in 4.1, so you
>> might have to move to the latest version when we release 4.1 for CentOS.
>>
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
>>
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go To http://freeipa.org for more info on the project
>>
>
>
>