[Freeipa-users] how to chain CA certs

Sean Conley - US sconley at caci.com
Tue Nov 3 17:30:03 UTC 2015


Not sure if I should start a new thread for this, but...

I am now trying to follow the instructions given in this thread:
https://www.redhat.com/archives/freeipa-users/2014-August/msg00338.html. I
think this configuration should work well with our deployment strategy.

I feel like I am following the steps exactly but always end up with "full
certificate chain is not present in /etc/ipa/pki/example.org.p12" during
ipa-server-install.  Have others followed this process more recently?  I
am wondering if there might have been any changes so that these steps no
longer work, or possibly there is an easier way to do this now.

I am running version: ipa-server-4.1.0-18.el7.centos.4.x86_64.


On 11/1/15, 10:40 PM, "Fraser Tweedale" <ftweedal at redhat.com> wrote:

>On Mon, Nov 02, 2015 at 01:29:48AM +0000, Sean Conley - US wrote:
>> Hello,
>> 
>> I am new to FreeIPA and am attempting to stand up my first
>> operational instance.  We do have a commercial wildcard
>> certificate (*.internal.example.org) that should cover the IPA
>> server itself (ipa.internal.example.org).  I used the -external-CA
>> option when running the setup and so a CSR was generated.  Since
>> we have a wildcard cert, I wasn't sure if I really need to submit
>> the CSR to our PKI vendor.  At the same time, it's not clear to me
>> through searching documents how I would extend the CA chain.  Do I
>> need to submit that CSR or is there a way for me to do this on my
>> own?
>> 
>Welcome to FreeIPA :)
>
>If you have a relationship with a Certificate Authority willing to
>sign an intermediate CA certificate for you, then you can use the
>--external-ca option, submit the generated CSR to your CA and once
>you receive your signed CA certificate, continue ipa-server-install.
>
>For a publicly-trusted intermediate CA cert, you are probably
>looking at $10,000s or $100,000s in fees, infrastructure and
>compliance costs to achieve this.  Public CAs much prefer to keep
>you coming back to them for publicly trusted certificates :)
>
>If you already have some internal CA for your organisation, you can
>use it to sign the CSR.
>
>Otherwise, you can install FreeIPA with its own root CA (this is the
>default).
>
>HTH,
>Fraser
>
>> Any assistance is much appreciated.
>> 
>> Sean
>> 
>
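A way to check a bundle for the condition behind the "full certificate chain is not present" error before running ipa-server-install, added here as an example and not code from the thread or from the FreeIPA project. It assumes the openssl command line tool is installed; the function names (cert_names, chain_complete, p12_certs, make_test_chain) and the test root/intermediate it generates are constructed for this example. It is slightly more general than the p12 case in the question: it inspects any PEM bundle, walking from each certificate to its issuer by distinguished name and reporting the first issuer that is missing, so a bundle that stops at the intermediate is flagged instead of being discovered by the installer.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread. Needs the openssl CLI.
# Reports whether a PEM bundle carries a complete chain (every certificate's
# issuer present, ending at a self-signed root). Matching is by subject/issuer
# DN only; it does not verify signatures, which openssl verify can do later.

# Print "<subject DN>|<issuer DN>" for every certificate in a PEM bundle,
# both DNs in RFC 2253 form so the strings compare reliably.
cert_names() {
    bundle="$1"
    workdir=$(mktemp -d)
    # Split the bundle into cert-NNN.pem, one certificate per file; text
    # between certificates (e.g. "Bag Attributes" from openssl pkcs12) is dropped.
    awk -v dir="$workdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%03d.pem", dir, n); inside = 1 }
        inside { print > f }
        /-----END CERTIFICATE-----/ { inside = 0; close(f) }
    ' "$bundle"
    for f in "$workdir"/cert-*.pem; do
        [ -f "$f" ] || continue
        subj=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
        iss=$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
        printf '%s|%s\n' "$subj" "$iss"
    done
    rm -rf "$workdir"
}

# Prints "complete" (exit 0) or "missing issuer: <DN>" (exit 1) for a bundle.
chain_complete() {
    names=$(cert_names "$1")
    [ -n "$names" ] || { echo "no certificates found"; return 1; }
    subjects=$(printf '%s\n' "$names" | cut -d'|' -f1)
    printf '%s\n' "$names" | while IFS='|' read -r subj iss; do
        [ "$subj" = "$iss" ] && continue          # self-signed root: chain ends here
        if ! printf '%s\n' "$subjects" | grep -qxF -- "$iss"; then
            echo "missing issuer: $iss"
            exit 1                                # leaves the pipeline subshell
        fi
    done || return 1
    echo "complete"
}

# Extract only the certificates from a PKCS#12 file, as PEM, for chain_complete.
# Usage: p12_certs /etc/ipa/pki/example.org.p12 "$PASS" > bundle.pem
p12_certs() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2"
}

# Constructed test data (throwaway keys): a root CA and an intermediate it
# signs. Writes full.pem (intermediate + root) and partial.pem (intermediate
# only, the shape ipa-server-install rejects) into DIR.
make_test_chain() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test Root" \
        -keyout "$dir/root.key" -out "$dir/root.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Test Intermediate" \
        -keyout "$dir/int.key" -out "$dir/int.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -out "$dir/int.pem" >/dev/null 2>&1
    cat "$dir/int.pem" "$dir/root.pem" > "$dir/full.pem"
    cp "$dir/int.pem" "$dir/partial.pem"
}

# Run with "--demo" to see both outcomes on the constructed chain.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_test_chain "$d"
    chain_complete "$d/full.pem"
    chain_complete "$d/partial.pem"
    rm -rf "$d"
fi
```

For the case in the question, extract the certificates from the p12 with p12_certs, run chain_complete on the result, and append the missing issuer certificate(s) to the bundle before rebuilding the p12. Note that the PKCS#12 passphrase passed via pass: is visible in the process list while openssl runs; on a shared host use -passin with a file or env: instead.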
