[Freeipa-users] Certs.

Dmitri Pal dpal at redhat.com
Thu Sep 11 00:01:40 UTC 2014


On 09/10/2014 07:57 PM, William Graboyes wrote:
> Hi Dmitri,
>
> Production Environment is going to be RH 6.5. We are still evaluating
> the usage of systemd. More like we are taking a wait and see approach
> to systemd, while actively testing it.
The command line options for chaining are there from day one.
So you would need to chain your production environment when you deploy it.
In the future, when you migrate to later versions (in a couple of years or so),
you will be able to change the chaining using the new tools. Right now
it is a very hard multi-step manual procedure. This is why we developed
the tool.
But you should be all set for now. You would not need to change anything
for several years.

Thanks
Dmitri


> Thanks,
> Bill
>
> On Wed Sep 10 16:49:24 2014, Dmitri Pal wrote:
>> On 09/10/2014 07:26 PM, William Graboyes wrote:
>>> Hi Chris,
>>>
>>> Thank you for the suggestion. Looking at
>>> http://www.redhat.com/archives/freeipa-users/2014-August/msg00334.html
>>>
>>> Installing a new, third party cert requires a reinstall of IPA?  IPA
>>> Devs, that is a bit silly don't you think?  A year or two in the cert
>>> expires, now you have to start from scratch?  I will wait for some form
>>> of response before I attempt at eating crow in front of management.
>>>
>>> I forgot to mention, free-ipa version ipa-server-3.0.0-37.el6.x86_64.
>> Since 3.0 internal certs are issued for 2 years and are renewed
>> automatically. The root cert is valid for more than two years (AFAIR
>> it is 20).
>>
>>
>>
>>>
>>>
>>> On Wed Sep 10 15:55:56 2014, Chris Whittle wrote:
>>>> Search the list for a post by me and certs...  Basically there is an install
>>>> flag that will do all the work for you once you have the cert in the
>>>> right format.
>>>> On Sep 10, 2014 5:53 PM, "William Graboyes" <wgraboyes at cenic.org>
>>>> wrote:
>>>>
>>>> Hello list,
>>>>
>>>> I have been fruitlessly searching for some information, especially
>>>> related to Certs, namely how to replace the self signed certs with
>>>> certs from a trusted CA?  As we are moving forward into
>>>> productionizing of our free-ipa install, I am finding information on
>>>> the net to be a bit lacking.  There is also the possibility that I am
>>>> not looking in the right places, or using the correct search terms.
>>>> Any help on this front would be greatly appreciated.
>>>>
>>>> Thanks,
>>>> Bill
>>>>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



