[Freeipa-users] Replica with external ca + custom subject in certificate

Martin Kosek mkosek at redhat.com
Tue Apr 7 11:48:00 UTC 2015


On 04/07/2015 01:44 PM, James James wrote:
> ok.
> 
> Is there a way to migrate from an external CA to a CA-less or a self-signed
> CA?

Yes, you can use the ipa-cacert-manage tool introduced in FreeIPA 4.1.0:

https://www.freeipa.org/page/Howto/CA_Certificate_Renewal
https://www.freeipa.org/page/V4/CA_certificate_renewal

(Although I am still not sure about your use case and if this would help you)

> 
> 2015-04-07 12:51 GMT+02:00 Martin Kosek <mkosek at redhat.com>:
> 
>> On 04/03/2015 11:39 AM, James James wrote:
>>> Hello,
>>>
>>> I want to initialize a new replica with an external CA. My Certificate
>>> Authority wants a CSR with the field emailAddress in the subject like :
>>>
>>> /C=FR/O=TESTO/OU=TESTOU/CN=*.example.com/emailAddress=none at none.com
>>
>> I am now a bit confused. Do you plan to have FreeIPA *without* a CA or
>> with own CA signed by external CA?
>>
>> FreeIPA supports these kinds of setups right now:
>> http://www.freeipa.org/page/PKI#Blending_in_PKI_infrastructure
>>
>>> How can I do with the ipa-server-install command? I have been trying for
>>> few days but I still can't.
>>>
>>> Thanks for your help.
>>
>> CCing Honza who should know the definitive answer. However, FreeIPA was not
>> very flexible in configuring special subjects for its CA certificate (i.e.
>> cn=Certificate Authority, ou=...) or hosts in case of CA-less setup.
>>
> 



