[Freeipa-users] Replica with external ca + custom subject in certificate

Martin Kosek mkosek at redhat.com
Tue Apr 7 13:31:27 UTC 2015


On 04/07/2015 02:08 PM, James James wrote:
> I will try to give a better explanation:
> 
> 
> I have a CentOS 6.6 with ipa 3.0 named ipa-master. ipa-master has been
> installed with an external CA about 3 years ago and I will have to renew
> the certificate soon.
> 
> I have created a test server (ipa-dev) with the same configuration (centos
> 6.6 and ipa 3.0) to test the renewal process. I want the new ipa-dev server
> to be installed with an external CA.
> 
> At the same time my external CA has changed and wants the emailAddress
> field in the certificate request's subject.

The CSR during installation with an external CA is produced by Dogtag, so you are
constrained to the options and capabilities provided by ipa-server-install.
Maybe it would be possible to modify the CSR and update the Subject manually,
but I expect it would crash the installer later (JanC may know more (CCed)).

> If it is not possible to add emailAddress in the subject, is it possible to
> migrate my ipa-master CA system from an external CA to a CA-less or
> self-signed CA?

It is, with ipa-cacert-manage - see links below.

> Thanks.
> 
> 2015-04-07 13:48 GMT+02:00 Martin Kosek <mkosek at redhat.com>:
> 
>> On 04/07/2015 01:44 PM, James James wrote:
>>> ok.
>>>
>>> Is there a way to migrate from an external CA to a CA-less or a self-signed
>>> CA?
>>
>> Yes, you can use ipa-cacert-manage tool introduced in FreeIPA 4.1.0:
>>
>> https://www.freeipa.org/page/Howto/CA_Certificate_Renewal
>> https://www.freeipa.org/page/V4/CA_certificate_renewal
>>
>> (Although I am still not sure about your use case and if this would help
>> you)
>>
>>>
>>> 2015-04-07 12:51 GMT+02:00 Martin Kosek <mkosek at redhat.com>:
>>>
>>>> On 04/03/2015 11:39 AM, James James wrote:
>>>>> Hello,
>>>>>
>>>>> I want to initialize a new replica with an external CA. My Certificate
>>>>> Authority wants a CSR with the field emailAddress in the subject like:
>>>>>
>>>>> /C=FR/O=TESTO/OU=TESTOU/CN=*.example.com/emailAddress=none at none.com
>>>>
>>>> I am now a bit confused. Do you plan to have FreeIPA *without* a CA or
>>>> with your own CA signed by an external CA?
>>>>
>>>> FreeIPA supports these kinds of setups right now:
>>>> http://www.freeipa.org/page/PKI#Blending_in_PKI_infrastructure
>>>>
>>>>> How can I do it with the ipa-server-install command? I have been trying
>>>>> for a few days but I still can't.
>>>>>
>>>>> Thanks for your help.
>>>>
>>>> CCing Honza who should know the definitive answer. However, FreeIPA was not
>>>> very flexible in configuring special subjects for its CA certificate (i.e.
>>>> cn=Certificate Authority, ou=...) or hosts in case of CA-less setup.
>>>>
>>>
>>
>>
> 
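Added example, not code from this thread or from the FreeIPA project: a POSIX shell script that uses openssl to build a CSR with the subject shape James's CA asks for (placeholder values), checks that emailAddress is actually present before the CSR is sent to the CA, and, going one step beyond the thread, checks whether a CA certificate is self-signed (issuer equals subject), which is the quick way to tell an external-CA setup from a self-signed one after a migration. It assumes openssl is on PATH; WORKDIR, the file names and the none@none.com address are assumptions. FreeIPA still generates its own CSR through Dogtag, so this is a pre-submission check, not a replacement for ipa-server-install.

```shell
#!/bin/sh
# Added example (not from the thread): generate a CSR whose subject carries the
# emailAddress attribute, verify the subject before submitting it to the CA,
# and test whether a certificate is self-signed. All values are constructed.
set -e

# Scratch directory for the generated key, CSR and certificate (assumption).
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Build a throwaway key and a CSR with the subject shape from the thread.
# The address is a placeholder; the real one comes from the CA's requirements.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORKDIR/test.key" -out "$WORKDIR/test.csr" \
        -subj "/C=FR/O=TESTO/OU=TESTOU/CN=*.example.com/emailAddress=none@none.com" \
        >/dev/null 2>&1
    printf '%s\n' "$WORKDIR/test.csr"
}

# Print the CSR subject as one RFC 2253 line (deterministic across openssl versions).
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# Exit 0 if the CSR subject contains an emailAddress attribute, 1 otherwise.
# Run this before handing the CSR to a CA that rejects requests without it.
csr_has_email() {
    csr_subject "$1" | grep -q 'emailAddress='
}

# Create a self-signed CA-style certificate for comparison (constructed).
make_self_signed() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.pem" \
        -subj "/O=TESTO/CN=Certificate Authority" >/dev/null 2>&1
    printf '%s\n' "$WORKDIR/ca.pem"
}

# Exit 0 when issuer equals subject, i.e. the certificate is self-signed.
# A CA certificate issued by an external CA has a different issuer.
cert_is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
    [ "$subj" = "$iss" ]
}

# Usage when run directly: report on the constructed CSR and certificate.
if [ "${0##*/}" != "sh" ] && [ -z "$CSR_CHECK_NO_MAIN" ]; then
    csr=$(make_csr)
    echo "CSR subject: $(csr_subject "$csr")"
    if csr_has_email "$csr"; then echo "emailAddress present"; else echo "emailAddress missing"; fi
    ca=$(make_self_signed)
    if cert_is_self_signed "$ca"; then echo "CA cert is self-signed"; else echo "CA cert is externally issued"; fi
fi
```

The RFC 2253 name option is used so that the subject string looks the same on OpenSSL 1.0 and 1.1+ (the default output format changed between them); grep on `emailAddress=` therefore works on both.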
