[Freeipa-users] Replica with external ca + custom subject in certificate

James James jreg2k at gmail.com
Wed Apr 8 15:43:40 UTC 2015


It's a little bit more clear. Thanks.

I have created a new ipa 4.1 replica but when I want to run:

# ipa-cacert-manage renew --self-signed

I've got this message:

[root at ipa-devel-centos7 ~]# ipa-cacert-manage renew --self-signed
CA is not configured on this system

If I want to install the CA, I've got this message:

[root at ipa-devel-centos7 system]# ipa-ca-install --password=mypassorwd -U
CA is already installed.

Do I have to promote the replica to a standalone master before
installing the CA?

Any hints will be appreciated...


James


2015-04-08 7:27 GMT+02:00 Jan Cholasta <jcholast at redhat.com>:

> On 7.4.2015 at 15:31 Martin Kosek wrote:
>
>> On 04/07/2015 02:08 PM, James James wrote:
>>
>>> I will try to give a better explanation:
>>>
>>>
>>> I have a CentOS 6.6 with ipa 3.0 named ipa-master. ipa-master has been
>>> installed with an external CA about 3 years ago and I will have to renew
>>> the certificate soon.
>>>
>>> I have created a test server (ipa-dev) with the same configuration (centos
>>> 6.6 and ipa 3.0) to test the renewal process. I want the new ipa-dev server
>>> to be installed with an external CA.
>>>
>>> At the same time my external CA has changed and wants the emailAddress
>>> field in the certificate request's subject.
>>>
>>
>> The CSR during installation with an external CA is produced by Dogtag, so you are
>> constrained by the options and capabilities provided by ipa-server-install.
>> Maybe it would be possible to modify the CSR and update the Subject manually,
>> but I expect it would crash the installer later (JanC may know more (CCed))
>>
>
> The subject name identifies the CA in server (and other) certificates. If
> you change it, you break the trust chain from the CA certificate to the
> server certificates and that will break all SSL in IPA.
>
>
>>> If it is not possible to add emailAddress in the subject, is it possible to
>>> migrate my ipa-master CA system from an external CA to a CA-less or
>>> self-signed CA?
>>>
>>
>> It is, with ipa-cacert-manage - see links below.
>>
>
> You can change your external CA to self-signed CA in IPA 4.1 or newer by
> running:
>
>     # ipa-cacert-manage renew --self-signed
>
> You can't change external CA to CA-less.
>
>
>
>>> Thanks.
>>>
>>> 2015-04-07 13:48 GMT+02:00 Martin Kosek <mkosek at redhat.com>:
>>>
>>>> On 04/07/2015 01:44 PM, James James wrote:
>>>>
>>>>> ok.
>>>>>
>>>>> Is there a way to migrate from an external CA to a CA-less or a self-signed
>>>>> CA?
>>>>>
>>>>
>>>> Yes, you can use ipa-cacert-manage tool introduced in FreeIPA 4.1.0:
>>>>
>>>> https://www.freeipa.org/page/Howto/CA_Certificate_Renewal
>>>> https://www.freeipa.org/page/V4/CA_certificate_renewal
>>>>
>>>> (Although I am still not sure about your use case and if this would help
>>>> you)
>>>>
>>>>
>>>>> 2015-04-07 12:51 GMT+02:00 Martin Kosek <mkosek at redhat.com>:
>>>>>
>>>>>> On 04/03/2015 11:39 AM, James James wrote:
>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> I want to initialize a new replica with an external CA. My Certificate
>>>>>>> Authority wants a CSR with the field emailAddress in the subject like:
>>>>>>>
>>>>>>> /C=FR/O=TESTO/OU=TESTOU/CN=*.example.com/emailAddress=none at none.com
>>>>>>>
>>>>>>
>>>>>> I am not a bit confused. Do you plan to have FreeIPA *without* a CA or
>>>>>> with own CA signed by external CA?
>>>>>>
>>>>>> FreeIPA supports these kinds of setups right now:
>>>>>> http://www.freeipa.org/page/PKI#Blending_in_PKI_infrastructure
>>>>>>
>>>>>>> How can I do with the ipa-server-install command? I have been trying for
>>>>>>> few days but I still can't.
>>>>>>>
>>>>>>> Thanks for your help.
>>>>>>>
>>>>>>
>>>>>> CCing Honza who should know the definitive answer. However, FreeIPA was not
>>>>>> very flexible in configuring special subjects for its CA certificate (i.e.
>>>>>> cn=Certificate Authority, ou=...) or hosts in case of CA-less setup.
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>
>>
>
> --
> Jan Cholasta
>
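Jan's point above, that the CA's subject name is what ties the server certificates to the CA, can be demonstrated with plain openssl. This is an added example, not code from the thread or from FreeIPA: it builds a throwaway CA, issues a server certificate from it, then reissues the CA certificate with the same key but a subject that adds emailAddress, and shows that path validation of the server certificate fails against the renamed CA. All names and paths are constructed; it assumes only openssl and mktemp.

```shell
#!/bin/sh
# Added example (not from the thread): a server certificate is bound to its CA
# by the CA's subject DN. Reissuing the CA certificate under a different subject,
# even with the same key, breaks path validation. Needs only openssl and mktemp.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed subjects: the original CA name, and the same CA renamed to carry
# an emailAddress attribute like the external CA in the thread demanded.
CA_SUBJ="/O=EXAMPLE/CN=Certificate Authority"
CA_SUBJ_NEW="/O=EXAMPLE/CN=Certificate Authority/emailAddress=none@none.com"

# make_ca OUTFILE SUBJECT: self-signed CA cert over the shared ca.key, so the
# only thing that differs between the two CA certs is the subject name.
make_ca() {
  openssl req -x509 -new -key "$WORK/ca.key" -days 3650 -subj "$2" \
    -out "$1" 2>/dev/null
}

setup() {
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  make_ca "$WORK/ca.pem" "$CA_SUBJ"
  # Server certificate issued by the original CA: its issuer DN is $CA_SUBJ.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/srv.key" \
    -subj "/O=EXAMPLE/CN=ipa.example.test" -out "$WORK/srv.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -out "$WORK/srv.pem" 2>/dev/null
  # "Renewed" CA certificate with the new subject: same key, different name.
  make_ca "$WORK/ca-renamed.pem" "$CA_SUBJ_NEW"
}

# verify_against CAFILE: validate srv.pem against CAFILE; prints ok or fail.
# With the renamed CA the issuer DN in srv.pem matches no trusted subject,
# so openssl cannot build the chain even though the key is unchanged.
verify_against() {
  if openssl verify -CAfile "$1" "$WORK/srv.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

setup
echo "original CA subject: $(verify_against "$WORK/ca.pem")"          # ok
echo "renamed CA subject:  $(verify_against "$WORK/ca-renamed.pem")"  # fail
```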

