[Freeipa-users] Changing the SSL certificate for the WebUI
Rob Crittenden
rcritten at redhat.com
Sat Jun 20 20:21:55 UTC 2015
Prashant Bapat wrote:
> I tried the steps documented on a test VM. Looks like I ended up in the
> situation described here
> https://www.redhat.com/archives/freeipa-users/2012-January/msg00045.html.
Please be careful when pointing back at old threads. This issue was
about expired certs. I suspect you found it because of a similar error
message, but the underlying cause is completely unrelated.
You probably just need to add in the CA cert that issued the server
certificate. I'd have thought that ipa-server-certinstall would enforce
that but perhaps not.
> I have one more question. Is there a way to disable HTTPS completely on
> the WebUI. I can add HTTPS on a load balancer in front of the UI to
> handle SSL.
It would be a rather terrible idea. You'd still have a lot of
in-the-clear messaging between the IPA web server and the load balancer.
I wouldn't recommend that; there are real replay issues possible. You
should re-encrypt, so terminate SSL at the load balancer and then open a
new SSL session to IPA.
rob
>
>
>
> On 18 June 2015 at 19:03, Rob Crittenden <rcritten at redhat.com> wrote:
>
> Prashant Bapat wrote:
>
> Hi All,
>
> There is a way to change the certificate for the web UI.
>
> I went with a standard install with a self signed CA etc. Now I want to
> install a cert from a commercial CA. I don't mind using the IPA CA certs
> for the 389 DS, just want to change the cert for the UI.
>
> Any pointers on how to do this ?
>
>
> http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>
>
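
Added example (not part of the original thread): a check with the openssl CLI that a server certificate verifies only against a bundle containing the CA that issued it, which is the condition the reply above points to. The CA names, host name and file names are constructed for the demo, and it assumes a default openssl.cnf that marks `req -x509` certificates as CAs.

```shell
#!/usr/bin/env bash
# Constructed demo PKI: every subject and file name here is made up.

# make_ca DIR NAME CN: create a throwaway self-signed CA (NAME.key / NAME.crt).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# issue_server DIR CA_NAME CN: create server.key and server.crt signed by CA_NAME.
issue_server() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/server.csr" -days 30 \
        -CA "$1/$2.crt" -CAkey "$1/$2.key" -CAcreateserial \
        -out "$1/server.crt" 2>/dev/null
}

# chain_ok CERT BUNDLE: succeed only if CERT chains to a CA in BUNDLE.
# -no-CApath keeps the system trust directory out of the decision.
chain_ok() {
    openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

# issuer_matches CERT CA: quick pre-check that CERT's issuer DN equals CA's
# subject DN (necessary, but not sufficient; chain_ok checks the signature).
issuer_matches() {
    [ "$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')" = \
      "$(openssl x509 -in "$2" -noout -subject | sed 's/^subject= *//')" ]
}

# demo: verify one server cert against its issuing CA and an unrelated CA.
demo() {
    local d ca
    d=$(mktemp -d) || return 1
    make_ca "$d" issuing "Demo Issuing CA" &&
    make_ca "$d" other "Demo Unrelated CA" &&
    issue_server "$d" issuing "ipa.example.test" || { rm -rf "$d"; return 1; }
    for ca in issuing other; do
        if chain_ok "$d/server.crt" "$d/$ca.crt"; then
            echo "$ca.crt: server.crt verifies"
        else
            echo "$ca.crt: server.crt does NOT verify (issuing CA missing)"
        fi
    done
    rm -rf "$d"
}
demo
```

Running the same `chain_ok` check on the real server certificate and the CA bundle you intend to install shows whether the issuing CA is present before the web server is restarted.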