[Freeipa-users] Need to replace cert for ipa servers

Johnny Tan johnnydtan at gmail.com
Fri Mar 13 17:47:04 UTC 2015


On Wed, Mar 4, 2015 at 5:56 PM, Dmitri Pal <dpal at redhat.com> wrote:

> IPA does not use certs for communication between the instances. It uses
> Kerberos. I am not sure the GoDaddy cert you added is even used in some way
> by IPA.
>

Dmitri or Rob:

Could you explain what the various uses of the IPA certs are, then? AFAICT,
the IPA masters generate a certificate for each node in the realm. Why does
it do that? I thought it was for:
- Webui/api (apache) communication over https.
- LDAP binding/communication over 636 (TLS).

But if the certs are not utilized for communication between the instances
(per statement above), what are they used for?

I'm not hijacking the thread, I'm actually in the exact same position as
OP. I replaced the self-signed IPA/dogtag CA root with one that was signed
by our own CA and am now having problems with various cert errors during
client enrollment or any other similar activity (like doing an 'ipa host-del'
directly on an IPA master).

I can post those details in a separate thread, but before I go down that
path, I want to better understand what the purpose of the certs is so I
can determine what's the best path forward for us.

As I understand it from the docs, there are three primary ways to run IPA with
respect to a CA:
- self-signed IPA CA, this is the default
- signing the IPA CA root with an "external"/3rd-party CA
- running "CA-less" and providing all certs with the external/3rd-party CA
(depending on what the use/purpose of the certs is, this is increasingly
becoming an attractive option but is likely also tedious in its own right)

Thanks for any insight.

On Wed, Mar 4, 2015 at 5:56 PM, Dmitri Pal <dpal at redhat.com> wrote:

>  On 03/04/2015 04:32 PM, sipazzo wrote:
>
>  Good afternoon, we have a freeipa 3.0.42 installation running on Red Hat
> 6.6 with a mix of RHEL 5, RHEL 6 and Solaris clients. It was originally
> configured with the built in dogtag certificate CA and then one of my
> co-workers added our GoDaddy certificate to the certificate bundle. My
> understanding is this cert is used for communication between the ipa
> servers as well as the clients are also configured to trust the GoDaddy
> certificate. We recently had to get a new GoDaddy cert so our old one is
> revoked. I need to figure out how to either replace the existing revoked
> cert with the new one or add the new one to the bundle and then remove the
> revoked certificate so as not to break anything.
>
>  Any help is appreciated. I am not strong with certificates so the more
> detail you can give the better.
> Thank you.
>
>
>  You say it was running with the self signed IPA CA and then the GoDaddy cert
> was added to the bundle. How was it added?
> IPA does not use certs for communication between the instances. It uses
> Kerberos. I am not sure the GoDaddy cert you added is even used in some way
> by IPA.
> It seems that your GoDaddy cert is an orthogonal trust so if you replaced
> the main key pair then you just need to distribute your new GoDaddy cert to
> the clients as you did in the first place.
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
>
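The question above is which CA signed the certificate each TLS-facing IPA service presents (the Apache web UI/API on 443 and 389-ds LDAPS on 636, the two uses named in the message), and whether those leaves chain to the CA file the clients trust. The script below is an added example, not code from the thread or from the FreeIPA project: it pulls the leaf off each port with `openssl s_client`, prints its issuer, and verifies it against a CA file. The default CA path `/etc/ipa/ca.crt`, the host name `ipa.example.test` and the throwaway CA/leaf that `make_test_pki` generates are assumptions constructed for the example; the only dependency is the `openssl` command line tool.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): check which CA
# signed the certificate each TLS-facing IPA service presents. Ports 443 (Apache
# web UI/API) and 636 (389-ds LDAPS) are the ones named in the thread. The CA
# file /etc/ipa/ca.crt used as the default trust anchor is an assumption.
# Requires the openssl CLI. Kerberos traffic (88/464) is not TLS and is not
# covered by this check.
set -eu

# Print the PEM leaf certificate a TLS endpoint presents (SNI set to the host name).
fetch_leaf() {
    host=$1
    port=$2
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM
}

# Print the issuer DN of a PEM certificate in RFC 2253 form (e.g. issuer=CN=Test CA).
issuer_of() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253
}

# Exit 0 if the leaf in $1 chains to the CA bundle in $2, non-zero otherwise.
chains_to() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Check the 443 and 636 endpoints of one server against one CA file.
# Returns non-zero if any endpoint is unreachable or presents a leaf that
# does not chain to that CA.
check_server() {
    host=$1
    cafile=$2
    rc=0
    for port in 443 636; do
        tmp=$(mktemp)
        if fetch_leaf "$host" "$port" >"$tmp"; then
            if chains_to "$tmp" "$cafile"; then
                printf '%s:%s OK   %s\n' "$host" "$port" "$(issuer_of "$tmp")"
            else
                printf '%s:%s FAIL %s\n' "$host" "$port" "$(issuer_of "$tmp")"
                rc=1
            fi
        else
            printf '%s:%s unreachable\n' "$host" "$port"
            rc=1
        fi
        rm -f "$tmp"
    done
    return $rc
}

# Constructed test PKI so chains_to can be exercised offline: a throwaway
# "Test CA", an unrelated "Other CA", and one leaf signed by Test CA.
# Writes ca.pem, other-ca.pem and leaf.pem (plus keys) into directory $1.
make_test_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Test CA' \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Other CA' \
        -keyout "$dir/other-ca.key" -out "$dir/other-ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=ipa.example.test' \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/leaf.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -set_serial 1 -out "$dir/leaf.pem" 2>/dev/null
}

# Usage: sh check_ipa_certs.sh ipa1.example.test [/etc/ipa/ca.crt]
if [ "${1:-}" != "" ]; then
    check_server "$1" "${2:-/etc/ipa/ca.crt}"
fi
```

Run it against each master with the CA file the clients actually have; a FAIL on 443 or 636 after a CA swap means that service's NSS database still holds a leaf issued by the old CA (or the client bundle still holds only the old root), which is the symptom the thread describes. A leaf that verifies against the new CA but whose issuer line is unexpected points at a stray third-party certificate, the orthogonal-trust case Dmitri mentions.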