[Freeipa-users] Replica with external ca + custom subject in certificate
James James
jreg2k at gmail.com
Fri Apr 10 07:45:01 UTC 2015
Thanks for your help.
James
2015-04-09 7:17 GMT+02:00 Jan Cholasta <jcholast at redhat.com>:
> On 8.4.2015 at 17:43 James James wrote:
>
>> It's a little bit more clear. Thanks.
>>
>> I have created a new ipa 4.1 replica but when I want to run:
>>
>> # ipa-cacert-manage renew --self-signed
>>
>> I've got this message:
>>
>> [root at ipa-devel-centos7 ~]# ipa-cacert-manage renew --self-signed
>> CA is not configured on this system
>>
>
> You can run ipa-cacert-manage only on IPA servers with CA installed.
>
>
>> If I want to install the CA I've got this message:
>>
>> [root at ipa-devel-centos7 system]# ipa-ca-install --password=mypassorwd -U
>> CA is already installed.
>>
>
> This command is used to install a CA in a CA-less IPA environment. The error
> message is a bit misleading and we have a ticket for that:
> <https://fedorahosted.org/freeipa/ticket/4492>.
>
>
>> Should I promote the replica to a standalone master before installing
>> the CA?
>>
>
> You need to run ipa-ca-install with the replica info file used to create
> the replica to install the CA:
>
> # ipa-ca-install <path to replica info file>
>
>
>> Any hints will be appreciated...
>>
>>
>> James
>>
>>
>> 2015-04-08 7:27 GMT+02:00 Jan Cholasta <jcholast at redhat.com>:
>>
>>
>> On 7.4.2015 at 15:31 Martin Kosek wrote:
>>
>> On 04/07/2015 02:08 PM, James James wrote:
>>
>> I will try to give a better explanation:
>>
>> I have a CentOS 6.6 with ipa 3.0 named ipa-master. ipa-master has been
>> installed with an external CA about 3 years ago and I will have to renew
>> the certificate soon.
>>
>> I have created a test server (ipa-dev) with the same configuration (centos
>> 6.6 and ipa 3.0) to test the renewal process. I want the new ipa-dev server
>> to be installed with an external CA.
>>
>> At the same time my external CA has changed and wants the emailAddress
>> field in the certificate request's subject.
>>
>>
>> The CSR during installation with an external CA is produced by Dogtag, so
>> you are constrained by the options and capabilities provided by
>> ipa-server-install. Maybe it would be possible to modify the CSR and update
>> the Subject manually, but I expect it would crash the installer later (JanC
>> may know more (CCed)).
>>
>>
>> The subject name identifies the CA in server (and other) certificates. If
>> you change it, you break the trust chain from the CA certificate to the
>> server certificates and that will break all SSL in IPA.
>>
>>
>> If it is not possible to add emailAddress in the subject, is it possible to
>> migrate my ipa-master CA system from an external CA to a CA-less or
>> self-signed CA?
>>
>>
>> It is, with ipa-cacert-manage - see links below.
>>
>>
>> You can change your external CA to a self-signed CA in IPA 4.1 or newer by
>> running:
>>
>> # ipa-cacert-manage renew --self-signed
>>
>> You can't change an external CA to CA-less.
>>
>>
>>
>> Thanks.
>>
>> 2015-04-07 13:48 GMT+02:00 Martin Kosek <mkosek at redhat.com>:
>>
>> On 04/07/2015 01:44 PM, James James wrote:
>>
>> ok.
>>
>> Is there a way to migrate from an external CA to a CA-less or a
>> self-signed CA?
>>
>>
>> Yes, you can use the ipa-cacert-manage tool introduced in FreeIPA 4.1.0:
>>
>> https://www.freeipa.org/page/Howto/CA_Certificate_Renewal
>> https://www.freeipa.org/page/V4/CA_certificate_renewal
>>
>> (Although I am still not sure about your use case and if this would help
>> you)
>>
>>
>> 2015-04-07 12:51 GMT+02:00 Martin Kosek <mkosek at redhat.com>:
>>
>> On 04/03/2015 11:39 AM, James James wrote:
>>
>> Hello,
>>
>> I want to initialize a new replica with an external CA. My Certificate
>> Authority wants a CSR with the field emailAddress in the subject like:
>>
>> /C=FR/O=TESTO/OU=TESTOU/CN=*.example.com/emailAddress=none at none.com
>>
>>
>> I am not a bit confused. Do you plan to have FreeIPA *without* a CA or
>> with its own CA signed by an external CA?
>>
>> FreeIPA supports these kinds of setups right now:
>> http://www.freeipa.org/page/PKI#Blending_in_PKI_infrastructure
>>
>> How can I do this with the ipa-server-install command? I have been trying
>> for a few days but I still can't.
>>
>> Thanks for your help.
>>
>>
>> CCing Honza who should know the definitive answer. However, FreeIPA was
>> not very flexible in configuring special subjects for its CA certificate
>> (i.e. cn=Certificate Authority, ou=...) or hosts in case of CA-less setup.
>>
>> --
>> Jan Cholasta
>
> --
> Jan Cholasta
>
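As an added illustration of Jan's point that the CA subject is what ties server certificates to the CA (this is constructed example code, not from the thread or the FreeIPA project, and needs only the openssl CLI): it issues a server certificate from a CA whose subject carries the emailAddress attribute James's external CA demanded, then re-issues the CA under a different subject with the same key and shows that the existing server certificate no longer verifies. All subjects and file names are made up.

```shell
#!/bin/sh
# Added example (not from the thread): why re-issuing a CA under a new subject
# breaks the chain to already-issued server certificates. Needs the openssl CLI.
set -e
WORK=$(mktemp -d); cd "$WORK"

# Constructed subjects; only the emailAddress value differs between the two CA subjects.
CA_SUBJ='/C=FR/O=TESTO/OU=TESTOU/CN=Certificate Authority/emailAddress=none@none.com'
CA_RENAMED='/C=FR/O=TESTO/OU=TESTOU/CN=Certificate Authority/emailAddress=other@none.com'
SRV_SUBJ='/C=FR/O=TESTO/OU=TESTOU/CN=ipa-dev.example.com'

# verify_chain CA_CERT LEAF_CERT -> prints "ok" when LEAF chains to CA_CERT, else "broken"
verify_chain() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo broken; fi
}

# subject_has_email CSR -> exit status 0 when the CSR subject carries emailAddress
subject_has_email() {
  openssl req -in "$1" -noout -subject | grep -q 'emailAddress'
}

# 1. CA key and CSR (what an external signer would receive), self-signed here for the demo.
openssl req -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.csr -subj "$CA_SUBJ" 2>/dev/null
openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt -days 30 2>/dev/null

# 2. Server key and CSR, signed by that CA: the leaf's issuer DN is now CA_SUBJ.
openssl req -new -newkey rsa:2048 -nodes -keyout srv.key -out srv.csr -subj "$SRV_SUBJ" 2>/dev/null
openssl x509 -req -in srv.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out srv.crt -days 30 2>/dev/null

# 3. Re-issue the CA certificate with the SAME key but a different subject DN.
openssl req -x509 -new -key ca.key -out ca-renamed.crt -subj "$CA_RENAMED" -days 30 2>/dev/null

# Chain building looks the issuer up by name, so the renamed CA cannot vouch for srv.crt.
echo "original CA: $(verify_chain ca.crt srv.crt)"          # ok
echo "renamed CA:  $(verify_chain ca-renamed.crt srv.crt)"  # broken
```

The same key does not rescue the chain: the leaf's issuer DN must equal the CA certificate's subject DN, which is why a subject change forces re-issuing every server certificate.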