[Freeipa-users] Need to replace cert for ipa servers

Johnny Tan johnnydtan at gmail.com
Fri Mar 13 21:06:14 UTC 2015


On Fri, Mar 13, 2015 at 4:44 PM, Rob Crittenden <rcritten at redhat.com> wrote:

> The CA-less install was improved in IPA 3.3. It can sorta work in 3.0
> but it will be bumpy. A number of bugs were fixed in
> ipa-server-certinstall, the tool used to replace the IPA certs with
> user-provided certs. Or you can pass in PKCS#12 files during the install
> but the root CA is implicit in that case so you need to be careful in
> creating the file.
>
> You still need an SSL cert for LDAP as well. SSL is used to bootstrap
> replication when a new master is set up. When that is done the agreement
> is converted to using GSSAPI.
>

Aha, I was about to ask about this since a CA-less install still requires
a dirsrv cert. Thanks.


> The clients (depending on version) will still ask for a host cert on
> install but it is generally treated as a non-fatal error if one isn't
> obtained.
>

Was also going to ask about this since the v3 CA-less wiki page mentions
the need to obtain host certs but is not very clear about what it was used
for.


> Otherwise it should work, but as Dmitri points out you are limiting
> yourself upgrade-wise. The only migration paths from one version of IPA
> to another are replication, in which case you still wouldn't be able to
> add a CA, or via the LDAP migration routines which only migrate users
> and groups currently.
>

Not being able to do the upgrade easily will definitely be a showstopper.
Ok, I'm going to go back to attempting to sign the IPA CA with our own,
then, and I'll open a separate thread if that doesn't work. I may just
start from scratch with that.

Thank you Dmitri and Rob for the clear/concise info.

johnny
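As an added illustration of Rob's point that the root CA is only implicit in a user-provided PKCS#12 file (this is example code, not part of the thread or the FreeIPA project), the script below constructs a throwaway CA and server certificate with openssl, builds one bundle with the CA chain and one without, and counts the certificates each bundle actually carries so the difference can be checked before the file is handed to an installer. All names, paths and passwords are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: build a PKCS#12 bundle that carries the full chain
# (server cert + issuing CA) and one that does not, then verify which
# certificates are really inside each file.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Throwaway CA and server key/cert, constructed only for this demo.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -subj "/CN=Example Demo CA" -days 30 >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
  -subj "/CN=ipa.example.test" >/dev/null 2>&1
openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -out server.pem -days 30 >/dev/null 2>&1

# build_p12 BUNDLE PASSWORD [CHAIN_FILE]
# -certfile appends the CA chain; without it the bundle holds only the
# server certificate and the root CA cannot be recovered from the file.
build_p12() {
  if [ -n "${3:-}" ]; then
    openssl pkcs12 -export -in server.pem -inkey server.key -certfile "$3" \
      -out "$1" -passout "pass:$2"
  else
    openssl pkcs12 -export -in server.pem -inkey server.key \
      -out "$1" -passout "pass:$2"
  fi
}

# count_certs BUNDLE PASSWORD: number of certificates stored in the bundle
count_certs() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Demo run: the chained bundle reports 2 certificates, the bare one 1.
build_p12 with-chain.p12 demo ca.pem
build_p12 no-chain.p12 demo
echo "with chain: $(count_certs with-chain.p12 demo) cert(s)"
echo "no chain:   $(count_certs no-chain.p12 demo) cert(s)"
```

The same count check can be run against any PKCS#12 file before it is passed to an installer, which is an easy way to catch a bundle that silently omits the CA.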