[Freeipa-users] Replica with external ca + custom subject in certificate

Jan Cholasta jcholast at redhat.com
Thu Apr 9 05:17:40 UTC 2015


Dne 8.4.2015 v 17:43 James James napsal(a):
> It's a little bit more clear. Thanks.
>
> I have created a new ipa 4.1 replica but when I want run :
>
> # ipa-cacert-manage renew --self-signed
>
> I've got this message :
>
> [root at ipa-devel-centos7 ~]# ipa-cacert-manage renew --self-signed
> CA is not configured on this system

You can run ipa-cacert-manage only on IPA servers with CA installed.

>
> If I want to install the CA I've got this message :
>
> [root at ipa-devel-centos7 system]# ipa-ca-install --password=mypassorwd -U
> CA is already installed.

This command is used to install a CA in a CA-less IPA environment. The error 
message is a bit misleading and we have a ticket for that: 
<https://fedorahosted.org/freeipa/ticket/4492>.

>
> Should I have to promote the replica to a standalone master before
> installing the CA ?

You need to run ipa-ca-install with the replica info file used to create 
the replica to install the CA:

     # ipa-ca-install <path to replica info file>

>
> Any hints will be appreciated...
>
>
> James
>
>
> 2015-04-08 7:27 GMT+02:00 Jan Cholasta <jcholast at redhat.com
> <mailto:jcholast at redhat.com>>:
>
>     Dne 7.4.2015 v 15:31 Martin Kosek napsal(a):
>
>         On 04/07/2015 02:08 PM, James James wrote:
>
>             I will try to give a better explanation :
>
>
>             I have a CentOS 6.6 with ipa 3.0 named ipa-master.
>             ipa-master has been
>             installed with an external CA about 3 years ago and I will
>             have to renew
>             the certificate soon.
>
>                I have created a test server (ipa-dev) with the same
>             configuration (centos
>             6.6 and ipa 3.0) to test the renewal process. I want the new
>             ipa-dev server
>             to be installed with an external CA.
>
>             In the same time my external CA has changed and wants the
>             emailAddress
>             field in the certificate request 's subject.
>
>
>         CSR during installation with external CA is produced by Dogtag,
>         so you are
>         constrained with the options and capabilities provided by
>         ipa-server-install.
>         Maybe it would be possible to modify the CSR and update the
>         Subject manually,
>         but I expect it would crash the installer later (JanC may know
>         more (CCed))
>
>
>     The subject name identifies the CA in server (and other)
>     certificates. If you change it, you break the trust chain from the
>     CA certificate to the server certificates and that will break all
>     SSL in IPA.
>
>
>             If it is not possible to add emailAddress in the subject, is
>             it possible to
>             migrate my ipa-master CA system from an external CA to a
>             CA-less or
>             self-signed CA ?
>
>
>         It is, with ipa-cacert-manage - see links below.
>
>
>     You can change your external CA to self-signed CA in IPA 4.1 or
>     newer by running:
>
>          # ipa-cacert-manage renew --self-signed
>
>     You can't change external CA to CA-less.
>
>
>
>             Thanks.
>
>             2015-04-07 13:48 GMT+02:00 Martin Kosek <mkosek at redhat.com
>             <mailto:mkosek at redhat.com>>:
>
>                 On 04/07/2015 01:44 PM, James James wrote:
>
>                     ok.
>
>                     Is there a way to migrate from an external CA to a
>                     CA-less or a
>
>                 self-signed
>
>                     CA  ?
>
>
>                 Yes, you can use ipa-cacert-manage tool introduced in
>                 FreeIPA 4.1.0:
>
>                 https://www.freeipa.org/page/Howto/CA_Certificate_Renewal
>                 https://www.freeipa.org/page/V4/CA_certificate_renewal
>
>                 (Although I am still not sure about your use case and if
>                 this would help
>                 you)
>
>
>                     2015-04-07 12:51 GMT+02:00 Martin Kosek
>                     <mkosek at redhat.com <mailto:mkosek at redhat.com>>:
>
>                         On 04/03/2015 11:39 AM, James James wrote:
>
>                             Hello,
>
>                             I want to initialize a new replica with an
>                             external CA. My Certificate
>                             Authority wants a CSR with the field
>                             emailAddress in the subject like :
>
>                             /C=FR/O=TESTO/OU=TESTOU/CN=*.example.com/emailAddress=none@none.com
>
>
>                         I am now a bit confused. Do you plan to have
>                         FreeIPA *without* a CA or
>                         with own
>                         CA signed by external CA?
>
>                         FreeIPA supports these kinds of setups right now:
>                         http://www.freeipa.org/page/PKI#Blending_in_PKI_infrastructure
>
>                                How can I do with the ipa-server-install
>                             command ?  I have been trying
>
>                         for
>
>                             few days but I still can't.
>
>                             Thanks for your help.
>
>
>                         CCing Honza who should know the definitive
>                         answer. However, FreeIPA was
>
>                 not
>
>                         very flexible in configuring special subjects
>                         for its CA certificate
>
>                 (i.e.
>
>                         cn=Certificate Authority, ou=...) or hosts in
>                         case of CA-less setup.
>
>
>     --
>     Jan Cholasta
>
>


-- 
Jan Cholasta
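As an added illustration of the point made above (the subject name identifies the CA, so changing it breaks the chain from the CA certificate to the server certificates), the script below is example code, not part of the thread or of FreeIPA. It assumes openssl(1) is installed; the DNs, hostnames and file names are constructed.

```shell
#!/bin/sh
# Added example: issue a server cert from a CA, then show that a CA cert with the
# same key but a changed subject (emailAddress appended) no longer validates it.
# Assumes openssl(1) is available; all names below are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA cert with the given subject; one shared key so only the name differs.
make_ca() {   # $1 = output prefix, $2 = subject DN
    openssl req -x509 -new -key "$WORK/ca.key" -subj "$2" -days 30 \
        -out "$WORK/$1.pem" 2>/dev/null
}

setup() {
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    make_ca ca_orig  "/C=FR/O=TESTO/OU=TESTOU/CN=Certificate Authority"
    make_ca ca_email "/C=FR/O=TESTO/OU=TESTOU/CN=Certificate Authority/emailAddress=none@none.com"
    # Server cert signed by the original CA: its Issuer field copies that CA's subject.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/srv.key" \
        -subj "/CN=ipa-dev.example.com" -out "$WORK/srv.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca_orig.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 30 \
        -out "$WORK/srv.pem" 2>/dev/null
}

# Exit status 0 if srv.pem chains to the named CA file, non-zero otherwise.
verify_against() {   # $1 = CA prefix (ca_orig or ca_email)
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/srv.pem" >/dev/null 2>&1
}

demo() {
    setup
    verify_against ca_orig  && echo "original CA subject: server cert verifies"
    verify_against ca_email || echo "subject with emailAddress: issuer lookup fails, chain broken"
}

demo
```

The second CA certificate carries the same public key, yet verification fails because path building matches the server certificate's Issuer against the CA's Subject name, which is exactly why the CA subject cannot be altered in place.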
