[Freeipa-users] Need to replace cert for ipa servers
Johnny Tan
johnnydtan at gmail.com
Fri Mar 13 21:06:14 UTC 2015
On Fri, Mar 13, 2015 at 4:44 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> The CA-less install was improved in IPA 3.3. It can sorta work in 3.0
> but it will be bumpy. A number of bugs were fixed in
> ipa-server-certinstall, the tool used to replace the IPA certs with
> user-provided certs. Or you can pass in PKCS#12 files during the install
> but the root CA is implicit in that case so you need to be careful in
> creating the file.
>
> You still need an SSL cert for LDAP as well. SSL is used to bootstrap
> replication when a new master is set up. When that is done the agreement
> is converted to using GSSAPI.
>
Aha, I was about to ask about this since a CA-less install still requires
a dirsrv cert. Thanks.
> The clients (depending on version) will still ask for a host cert on
> install but it is generally treated as a non-fatal error if one isn't
> obtained.
>
Was also going to ask about this since the v3 CA-less wiki page mentions
the need to obtain host certs but is not very clear about what they are used
for.
> Otherwise it should work, but as Dmitri points out you are limiting
> yourself upgrade-wise. The only migration paths from one version of IPA
> to another is replication, in which case you still wouldn't be able to
> add a CA, or via the LDAP migration routines which only migrate users
> and groups currently.
>
Not being able to do the upgrade easily will definitely be a showstopper.
Ok, I'm going to go back to attempting to sign the IPA CA with our own,
then, and I'll open a separate thread if that doesn't work. I may just
start from scratch with that.
Thank you Dmitri and Rob for the clear/concise info.
johnny
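Rob's note above about PKCS#12 files, that the root CA is implicit so the file has to be built carefully, is the kind of thing that is easy to get wrong. The script below is an added example, not something from this thread or from the FreeIPA project: it builds a bundle that carries the key, the server cert and the issuing CA, and then checks the bundle on its own before it is handed to the installer or to ipa-server-certinstall. It assumes the openssl CLI is available; the CA name, hostname ipa.example.test, the "Server-Cert" friendly name, file paths and passphrase are all constructed placeholders, and make_test_pki only stands in for whatever organisation CA actually issued the server cert.

```shell
#!/bin/sh
# Added example (not part of the mailing-list thread or of FreeIPA itself).
# Builds a PKCS#12 bundle for a CA-less IPA install that includes the full
# chain, and verifies the bundle is self-contained before it is used.
# Assumes: openssl CLI. All names, paths and the passphrase are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS="${P12_PASS:-changeit}"   # constructed sample passphrase

# Constructed throwaway root CA plus a server cert issued by it. In real use
# these come from the organisation's own CA, not from this function.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=ipa.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 30 -out "$WORK/server.pem" 2>/dev/null
}

# Bundle = private key + leaf cert + every CA cert in the chain (-certfile).
# Omitting -certfile is the mistake to avoid: the root CA is then absent
# from the file and nothing downstream can infer it.
make_bundle() {   # $1 = output .p12 path
    openssl pkcs12 -export -name "Server-Cert" \
        -inkey "$WORK/server.key" -in "$WORK/server.pem" \
        -certfile "$WORK/ca.pem" -passout "pass:$PASS" -out "$1"
}

# Check a bundle before using it: exactly one private key, at least two
# certificates, and the leaf must verify against only the CA certs that
# are inside the bundle (no outside trust store). Returns 0 if complete.
check_bundle() {   # $1 = .p12 path to inspect
    keys=$(openssl pkcs12 -in "$1" -passin "pass:$PASS" -nocerts -nodes 2>/dev/null \
           | grep -c 'BEGIN .*PRIVATE KEY' || true)
    openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys 2>/dev/null > "$WORK/all.pem"
    certs=$(grep -c 'BEGIN CERTIFICATE' "$WORK/all.pem" || true)
    [ "$keys" -eq 1 ] || return 1
    [ "$certs" -ge 2 ] || return 1
    # Split the bundle into CA certs and the leaf, then verify leaf -> CA.
    openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys -cacerts 2>/dev/null > "$WORK/cas.pem"
    openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys -clcerts 2>/dev/null > "$WORK/leaf.pem"
    openssl verify -CAfile "$WORK/cas.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Stand-alone demo: ./check-p12.sh demo
if [ "${1:-}" = "demo" ]; then
    make_test_pki
    make_bundle "$WORK/bundle.p12"
    check_bundle "$WORK/bundle.p12" && echo "bundle complete: $WORK/bundle.p12"
fi
```

Run check_bundle against a bundle built from the real server key and cert; if it returns non-zero, the file is missing the key, a cert, or the CA that issued the leaf, and it should be rebuilt with the chain before being given to the installer.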