[Freeipa-users] Replacing HTTP certs with public CA signed wildcard cert

Dmitri Pal dpal at redhat.com
Tue May 19 22:13:50 UTC 2015


On 05/14/2015 10:15 AM, David Little wrote:
> Hi there,
>
> I was reading this document regarding using 3rd party certificates in 
> FreeIPA:
>
> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>
> Which includes the information "The certificate in mysite.crt must be 
> signed by the CA used when installing FreeIPA."
>
> Also this thread: 
> http://www.redhat.com/archives/freeipa-users/2014-August/msg00338.html
>
> Which says at the end " I'm wondering if it's because of this from the 
> doc "The certificate in mysite.crt must be signed by the CA used when 
> installing FreeIPA."  but it might not either...
>
>  In this case you should get a "file.p12 is not signed by
>  /etc/ipa/ca.crt, or the full certificate chain is not
>  present in the PKCS#12 file" error in ipa-server-certinstall."
>
> This brings me to my question... If I have an existing multi-server 
> FreeIPA setup with multiple IPA client installations, using a 
> self-signed CA certificate for /etc/ipa/ca.crt, would I need to start 
> over the FreeIPA installation from scratch using the public root CA, 
> which signed the wildcard certificate?
>
>
>
> Thanks,
> Dave
>
>
>
Did you get an answer?
If not: starting with 4.1, IPA has a tool that can change the chaining and also 
convert from CA-less to CA-full. I am not sure it can do the reverse, so 
you might in fact have to start over.
http://www.freeipa.org/page/V4/CA-less_to_CA-full_conversion

-- 
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.
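Added example, not part of the thread or of the FreeIPA project: a pre-check for the "is not signed by /etc/ipa/ca.crt, or the full certificate chain is not present in the PKCS#12 file" condition quoted above. It pulls the server certificate and any intermediates out of a PKCS#12 bundle with openssl and verifies the server certificate against a CA file using only the intermediates shipped inside the bundle, which is the situation ipa-server-certinstall is checking. The root CA, intermediate, wildcard certificate, file names and the password "secret" are all constructed for the demo; in practice you would pass the real bundle and /etc/ipa/ca.crt.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): check whether the
# server cert in a PKCS#12 bundle chains up to a given CA file using only the
# intermediates carried in the bundle itself. All names, file names and the
# password "secret" below are constructed for the demo.
set -eu

# Usage: p12_chains_to_ca BUNDLE.p12 CA.crt PASSWORD
# Exit 0 when the leaf cert in BUNDLE.p12 verifies against CA.crt, 1 otherwise
# (wrong password, missing intermediate, or a leaf issued under a different CA).
p12_chains_to_ca() {
    p12=$1; ca=$2; pw=$3
    work=$(mktemp -d)
    status=1
    # -clcerts: the cert tied to the private key (the server cert);
    # -cacerts: every other cert in the bundle (the intermediates, if any).
    if openssl pkcs12 -in "$p12" -passin "pass:$pw" -nokeys -clcerts \
            -out "$work/leaf.pem" 2>/dev/null \
       && openssl pkcs12 -in "$p12" -passin "pass:$pw" -nokeys -cacerts \
            -out "$work/chain.pem" 2>/dev/null; then
        if grep -q 'BEGIN CERTIFICATE' "$work/chain.pem"; then
            # Intermediates present: they may be used, but are not trusted roots.
            if openssl verify -CAfile "$ca" -untrusted "$work/chain.pem" \
                    "$work/leaf.pem" >/dev/null 2>&1; then status=0; fi
        elif openssl verify -CAfile "$ca" "$work/leaf.pem" >/dev/null 2>&1; then
            # No intermediates shipped: the leaf must be signed by CA.crt directly.
            status=0
        fi
    fi
    rm -rf "$work"
    return $status
}

# Build a constructed root -> intermediate -> wildcard server chain in DIR and
# two bundles: with-chain.p12 (carries the intermediate) and without-chain.p12.
make_demo_bundles() {
    dir=$1
    # Root CA standing in for /etc/ipa/ca.crt
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo IPA Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\n' > "$dir/ca.ext"
    openssl x509 -req -days 2 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
    # Intermediate issuing CA, signed by the root
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Issuing CA" \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$dir/int.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/ca.ext" \
        -out "$dir/int.crt" 2>/dev/null
    # Wildcard server cert, signed by the intermediate
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.test\n' \
        > "$dir/leaf.ext"
    openssl x509 -req -days 2 -in "$dir/leaf.csr" -CA "$dir/int.crt" \
        -CAkey "$dir/int.key" -CAcreateserial -extfile "$dir/leaf.ext" \
        -out "$dir/leaf.crt" 2>/dev/null
    # Bundle with the full chain (what ipa-server-certinstall expects) ...
    openssl pkcs12 -export -in "$dir/leaf.crt" -inkey "$dir/leaf.key" \
        -certfile "$dir/int.crt" -passout pass:secret -out "$dir/with-chain.p12"
    # ... and one missing the intermediate, which trips the "full certificate
    # chain is not present" error.
    openssl pkcs12 -export -in "$dir/leaf.crt" -inkey "$dir/leaf.key" \
        -passout pass:secret -out "$dir/without-chain.p12"
}

# Demo run: with-chain.p12 passes, without-chain.p12 fails.
DEMO=$(mktemp -d)
make_demo_bundles "$DEMO"
for b in with-chain without-chain; do
    if p12_chains_to_ca "$DEMO/$b.p12" "$DEMO/ca.crt" secret; then
        echo "$b.p12: chains to ca.crt"
    else
        echo "$b.p12: does NOT chain to ca.crt (missing intermediate or wrong CA)"
    fi
done
rm -rf "$DEMO"
```

Run it against the real bundle with `p12_chains_to_ca mysite.p12 /etc/ipa/ca.crt "$PASSWORD"` before calling ipa-server-certinstall. A public CA's wildcard certificate will fail this check against a self-signed IPA CA no matter what intermediates the bundle carries, which is the situation the original question describes.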
