[Freeipa-users] Need to replace cert for ipa servers

Johnny Tan johnnydtan at gmail.com
Fri Mar 13 18:51:20 UTC 2015


On Fri, Mar 13, 2015 at 2:15 PM, Dmitri Pal <dpal at redhat.com> wrote:

>  Rob would definitely know more but IPA mostly provides certs for the
> infra it serves and has a limited use of the certs by itself.
> So here is where I know it is used:
> - You can issue certs for hosts and services, and the installer used to create
> certs for hosts automatically, though these certs are not used for anything
> and we decided not to create them automatically any more.
> - You need to trust IPA in the browser so that you can do forms-based
> authentication if you do not have a Kerberos ticket.
> - To issue certs we use Dogtag, and Dogtag understands only cert-based
> authentication, so internally the communication between the management
> framework and Dogtag uses SSL. This is actually why the host-del fails. The
> host had a cert issued by the IPA CA, so as part of the del operation it tries
> to revoke the cert, but since you reconfigured the system to be CA-less
> it can't and fails.
>
> The communication between the LDAP servers is Kerberos authenticated.
>

I'll wait for Rob to weigh in, but wow, this would actually be huge for us
and probably a lot of other users. Because if the above is true (and
complete, I guess), then we could actually just run a CA-less FreeIPA
setup, and then generate certs specifically and only for the web (apache)
side, which is easy enough and we do it already for all other internal web
services. That limits cert-related stuff to just one web SSL cert per IPA
master.


> We have a special tool in Freeipa 4.2 to do this. The manual procedure is
> cumbersome and leads to issues like this.
>

Yeah, I saw that, but we are still doing 3.0 on CentOS 6.6, which is why we
had to go down the manual path.

Thanks,
johnny