[Freeipa-users] Adding external CA

Martin Kosek mkosek at redhat.com
Thu Mar 12 14:40:49 UTC 2015


On 03/12/2015 12:48 PM, crony wrote:
> Thank you David, I'll check it out.
> 
> 2015-03-12 12:36 GMT+01:00 David Kupka <dkupka at redhat.com>:
> 
>> On 03/12/2015 10:37 AM, crony wrote:
>>
>>> Hi FreeIPA Users,
>>> I have a fresh new FreeIPA 4.1 on RHEL7.1 with self-sign CA and I would
>>> like to change the self-sign CA to the external CA
>>>
>>> Do you have any step by step document for do it correctly on 4.1 version?
>>>
>>> /lm
>>>
>> Hello!
>>
>> I'm not aware of this being documented but fortunately this can be done in
>> 3 easy steps:
>>
>> 1. # ipa-cacert-manage renew --external-ca
>> 2. Let CA of your choice sign the CRL produced in step 1.
>> 3. # ipa-cacert-manage renew --external-cert-file=/path/to/signed_certificate
>> --external-cert-file=/path/to/external_ca_certificate

Some documentation can be found in RHEL guide:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/cas.html#change-cert-chaining

There is also upstream design page:
http://www.freeipa.org/page/V4/CA_certificate_renewal

But in general, David was right. You would just need to do one more step if you
had FreeIPA clients already enrolled - call ipa-certupdate on them.

Martin
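An added example, not part of the thread and not FreeIPA's own tooling: a small shell check to run between David's step 2 and step 3, before the externally signed certificate is handed back to ipa-cacert-manage. It assumes the openssl CLI is installed, treats all file paths as placeholders, and assumes step 1 writes its certificate signing request to /var/lib/ipa/ca.csr (use whatever path the tool actually prints). It verifies three things a practitioner would want confirmed before renewal: the returned certificate chains to the external CA, it is a CA certificate (basicConstraints CA:TRUE) rather than a leaf, and its public key matches the request IPA generated.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Pre-flight checks for the
# certificate returned by the external CA before running
#   ipa-cacert-manage renew --external-cert-file=... --external-cert-file=...
# Assumes the openssl CLI is available; every path below is a placeholder.

# check_external_signed_cert SIGNED_CERT CA_CHAIN [CSR]
# Returns 0 when SIGNED_CERT is a CA certificate that validates against
# CA_CHAIN (the external CA certificate, or its full chain) and, if CSR is
# given, carries the same public key as that request.
check_external_signed_cert() {
    signed_cert=$1
    ca_chain=$2
    csr=$3

    # 1. The signed certificate must chain to the external CA we were given.
    if ! openssl verify -CAfile "$ca_chain" "$signed_cert" >/dev/null 2>&1; then
        echo "FAIL: $signed_cert does not chain to $ca_chain" >&2
        return 1
    fi

    # 2. It must be a CA certificate; a leaf certificate would leave the IPA
    #    CA unable to issue anything after renewal.
    if ! openssl x509 -in "$signed_cert" -noout -text | grep -q 'CA:TRUE'; then
        echo "FAIL: $signed_cert lacks basicConstraints CA:TRUE" >&2
        return 1
    fi

    # 3. The public key must match the CSR from step 1; otherwise the
    #    certificate was issued for a different key than the IPA CA holds.
    if [ -n "$csr" ]; then
        csr_key=$(openssl req -in "$csr" -noout -pubkey)
        cert_key=$(openssl x509 -in "$signed_cert" -noout -pubkey)
        if [ "$csr_key" != "$cert_key" ]; then
            echo "FAIL: public key in $signed_cert differs from $csr" >&2
            return 1
        fi
    fi

    echo "OK: $signed_cert chains to the external CA and matches the CSR"
    return 0
}

# Usage (placeholder paths; /var/lib/ipa/ca.csr is an assumption about where
# step 1 writes the request):
# check_external_signed_cert /path/to/signed_certificate \
#     /path/to/external_ca_certificate /var/lib/ipa/ca.csr \
# && ipa-cacert-manage renew \
#        --external-cert-file=/path/to/signed_certificate \
#        --external-cert-file=/path/to/external_ca_certificate
```

The check is deliberately conservative: any of the three failures aborts before ipa-cacert-manage touches the installed CA, which is cheaper to diagnose than a half-completed renewal on a server whose clients still need ipa-certupdate afterwards.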
