[Freeipa-users] Replica with external ca + custom subject in certificate

James James jreg2k at gmail.com
Tue Apr 7 12:08:49 UTC 2015


I will try to give a better explanation:


I have a CentOS 6.6 server with ipa 3.0 named ipa-master. ipa-master was
installed with an external CA about 3 years ago and I will have to renew
the certificate soon.

I have created a test server (ipa-dev) with the same configuration (CentOS
6.6 and ipa 3.0) to test the renewal process. I want the new ipa-dev server
to be installed with an external CA.

At the same time my external CA has changed and wants the emailAddress
field in the certificate request's subject.

If it is not possible to add emailAddress in the subject, is it possible to
migrate my ipa-master CA system from an external CA to a CA-less or
self-signed CA?

Thanks.

2015-04-07 13:48 GMT+02:00 Martin Kosek <mkosek at redhat.com>:

> On 04/07/2015 01:44 PM, James James wrote:
> > ok.
> >
> > Is there a way to migrate from an external CA to a CA-less or a
> self-signed
> > CA?
>
> Yes, you can use ipa-cacert-manage tool introduced in FreeIPA 4.1.0:
>
> https://www.freeipa.org/page/Howto/CA_Certificate_Renewal
> https://www.freeipa.org/page/V4/CA_certificate_renewal
>
> (Although I am still not sure about your use case and if this would help
> you)
>
> >
> > 2015-04-07 12:51 GMT+02:00 Martin Kosek <mkosek at redhat.com>:
> >
> >> On 04/03/2015 11:39 AM, James James wrote:
> >>> Hello,
> >>>
> >>> I want to initialize a new replica with an external CA. My Certificate
> >>> Authority wants a CSR with the field emailAddress in the subject like :
> >>>
> >>> /C=FR/O=TESTO/OU=TESTOU/CN=*.example.com/emailAddress=none at none.com
> >>
> >> I am now a bit confused. Do you plan to have FreeIPA *without* a CA or
> >> with own
> >> CA signed by external CA?
> >>
> >> FreeIPA supports these kinds of setups right now:
> >> http://www.freeipa.org/page/PKI#Blending_in_PKI_infrastructure
> >>
> >>>  How can I do with the ipa-server-install command ?  I have been trying
> >> for
> >>> few days but I still can't.
> >>>
> >>> Thanks for your help.
> >>
> >> CCing Honza who should know the definitive answer. However, FreeIPA was
> not
> >> very flexible in configuring special subjects for its CA certificate
> (i.e.
> >> cn=Certificate Authority, ou=...) or hosts in case of CA-less setup.
> >>
> >
>
>
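The practical question in this thread is whether the CSR that FreeIPA hands to the external CA carries the emailAddress attribute the CA now insists on. The following is an added example (not FreeIPA code, not anything from the posters) that inspects a PEM CSR with openssl and reports whether its subject contains emailAddress. The two CSRs it generates are constructed test inputs: one with the subject form the CA asks for, one with a plain "CN=Certificate Authority,O=..." subject of the kind FreeIPA generates on its own. On a real server you would point csr_has_email at the CSR ipa-server-install --external-ca wrote (assumed here to be /root/ipa.csr on FreeIPA 3.0) rather than generating your own, because the CA certificate request must come from the IPA CA's own key.

```shell
#!/bin/sh
# Added example for this thread, not FreeIPA project code.
# Checks whether a PEM CSR carries the emailAddress attribute
# (OID 1.2.840.113549.1.9.1) in its subject, which is what the
# external CA discussed above requires. Requires only openssl.

# Print the subject line of the CSR in $1, e.g.
#   subject=C = FR, O = TESTO, OU = TESTOU, CN = *.example.com, emailAddress = none@none.com
csr_subject() {
    openssl req -in "$1" -noout -subject
}

# Exit 0 when the subject of the CSR in $1 contains emailAddress, 1 otherwise.
# Tolerates both the "/emailAddress=" rendering of OpenSSL 1.0 and the
# ", emailAddress = " rendering of OpenSSL 1.1 and later.
csr_has_email() {
    csr_subject "$1" | grep -Eq '(^|[/, ])emailAddress *='
}

# Generate a throwaway RSA key and a CSR with subject $2 into file $1.
# Used here only to build constructed inputs for the check above; it is
# not a substitute for the CSR FreeIPA itself produces.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -subj "$2" >/dev/null 2>&1
}

# Constructed test data: the subject form the CA asks for, and a subject
# of the shape FreeIPA's CA CSR normally has (no emailAddress).
tmp=$(mktemp -d)
make_csr "$tmp/with.csr" "/C=FR/O=TESTO/OU=TESTOU/CN=*.example.com/emailAddress=none@none.com"
make_csr "$tmp/without.csr" "/O=EXAMPLE.COM/CN=Certificate Authority"

# Stand-alone usage: report on both constructed CSRs.
for f in "$tmp/with.csr" "$tmp/without.csr"; do
    if csr_has_email "$f"; then
        echo "$f: emailAddress present"
    else
        echo "$f: emailAddress MISSING"
    fi
done
```

To check the request FreeIPA generated, run `csr_has_email /root/ipa.csr` (path assumed for FreeIPA 3.0) before submitting it to the CA; a MISSING result tells you up front that the CA's subject policy will reject it, which is the situation the thread describes.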

