[Freeipa-users] Need to replace cert for ipa servers

Dmitri Pal dpal at redhat.com
Fri Mar 13 19:42:16 UTC 2015


On 03/13/2015 02:51 PM, Johnny Tan wrote:
> On Fri, Mar 13, 2015 at 2:15 PM, Dmitri Pal <dpal at redhat.com> wrote:
>
>     Rob would definitely know more, but IPA mostly provides certs for
>     the infra it serves and has a limited use of the certs by itself.
>     So here is where I know it is used:
>     - You can issue certs for hosts and services, and the installer used to
>     create certs for hosts automatically, though these certs are not
>     used for anything and we decided not to create them automatically
>     any more.
>     - You need to trust IPA in the browser so that you can do a forms-
>     based authentication if you do not have a Kerberos ticket.
>     - To issue certs we use Dogtag, and Dogtag understands only cert-
>     based authentication, so internally the communication between the
>     management framework and Dogtag uses SSL. This is actually why the
>     host-del fails. The host had a cert issued by the IPA CA, so as part of
>     the del operation it tries to revoke the cert, but since you
>     reconfigured the system to be CA-less it can't and fails.
>
>     The communication between the LDAP servers is Kerberos authenticated.
>
>
> I'll wait for Rob to weigh in, but wow, this would actually be huge 
> for us and probably a lot of other users. Because if the above is true 
> (and complete, I guess), then we could actually just run a CA-less 
> FreeIPA setup, and then generate certs specifically and only for the 
> web (apache) side, which is easy enough and we do it already for all 
> other internal web services. That limits cert-related stuff to just 
> one web SSL cert per IPA master.

This is up to you, but that means you would not be able to deal with SSL 
for some other use cases down the road.
IPA 4.2 has a lot of new functionality to make it easier to issue and 
manage certificates for different use cases like system provisioning, 
VPN, devices, wireless, PaaS/IaaS stacks that use certs for SSL 
internally, etc. Going CA-less will prevent you from leveraging these 
capabilities once you realize they are needed down the road.

Maybe you would not need them, but I would encourage you to look at this 
from a longer perspective than just immediate needs.


>     We have a special tool in Freeipa 4.2 to do this. The manual
>     procedure is cumbersome and leads to issues like this.
>

And to be correct, it is in 4.1 and already released. Sorry for the typo.
>
> Yeah, I saw that, but we are still doing 3.0 on CentOS6.6, which is 
> why we had to go down the manual path.
> Thanks,
> johnny
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
