[Freeipa-users] Replace Self-Signed Cert
quest monger
quest.monger at gmail.com
Mon Oct 13 23:10:47 UTC 2014
makes sense.
i will still try out that cert add command in my test environment, just to
see if it works.
looks like for now, 4.1 upgrade is my best option.
On Mon, Oct 13, 2014 at 7:01 PM, Dmitri Pal <dpal at redhat.com> wrote:
> On 10/13/2014 06:45 PM, quest monger wrote:
>
> I did the default IPA install, didnt change any certs or anything.
> As part of that install, it now shows 2 certs, one on port 443 (HTTPS) and
> one on port 636 (LDAPS). These certs dont have a trust chain, hence i
> called them self-signed.
> We have a contract with a third party CA that issues TLS certs for us. I
> was asked to find a way to replace those 2 self signed certs with certs
> from this third party CA.
> I was wondering if there was a way i could do that.
>
> I found this -
> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>
> I am currently running 3.0.0.
>
>
>
> AFAIU the biggest issue will be with the clients.
> I suspect that they might be quite confused if you just drop in the certs
> from the 3rd party.
> If you noticed the page has the following line:
> "The certificate in mysite.crt must be signed by the CA used when
> installing FreeIPA." I think it should say by "external" CA to be clear.
> It is not the case in your situation. If it were the situation the CA
> would have been already in trust chain on the clients and procedure would
> have worked but I do not think it would work now.
> You would need to use the cert chaining tool that was was built in 4.1
> when 4.1 gets released on CentOS.
>
>
>
>
>
> On Mon, Oct 13, 2014 at 6:31 PM, Dmitri Pal <dpal at redhat.com> wrote:
>
>> On 10/13/2014 03:39 PM, quest monger wrote:
>>
>> I found some documentation for getting certificate signed by external CA
>> (2.3.3.2. Using Different CA Configurations) -
>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/creating-server.html
>>
>> But looks like those instructions apply to a first time fresh install,
>> not for upgrading an existing install.
>>
>>
>>
>> On Mon, Oct 13, 2014 at 3:24 PM, quest monger <quest.monger at gmail.com>
>> wrote:
>>
>>> I was told by my admin team that Self-signed certs pose a security risk.
>>>
>>>
>>> On Mon, Oct 13, 2014 at 3:17 PM, Rob Crittenden <rcritten at redhat.com>
>>> wrote:
>>>
>>>> quest monger wrote:
>>>> > Hello All,
>>>> >
>>>> > I installed FreeIPA server on a CentOS host. I have 20+ Linux and
>>>> > Solaris clients hooked up to it. SSH and Sudo works on all clients.
>>>> >
>>>> > I would like to replace the self-signed cert that is used on Port 389
>>>> > and 636.
>>>> >
>>>> > Is there a way to do this without re-installing the server and
>>>> clients.
>>>>
>>>> Why do you want to do this?
>>>>
>>>> rob
>>>>
>>>>
>>>
>>
>>
>>
>> Do I get it right that you installed IPA using self-signed certificate
>> and now want to change it?
>> What version of IPA you have? Did you use self-signed CA-less install or
>> using self-signed CA?
>> The tools to change the chaining are only being released in 4.1 so you
>> might have to move to latest when we release 4.1 for CentOS.
>>
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
>>
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go To http://freeipa.org for more info on the project
>>
>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20141013/2ee48eb1/attachment.htm>
More information about the Freeipa-users
mailing list