[Freeipa-users] using wildcard cert from external CA

Rob Crittenden rcritten at redhat.com
Tue Nov 3 19:05:56 UTC 2015


Sean Conley - US wrote:
> Sorry for the redundancy but I thought it would be better to start a new
> thread since I am really asking a different question at this point.
> 
> We are trying to stand up an IPA instance using real certs (wildcard)
> for our domain, so that external users get a valid cert when coming to
> the https UI.  I am trying to follow the steps given in this
> thread: https://www.redhat.com/archives/freeipa-users/2014-August/msg00338.html.
>  It seems no matter what I do, I end up with: “full certificate chain is
> not present in /etc/ipa/pki/example.org.p12”.  Has this process been
> documented more completely anywhere?  Is this still a valid process?
> 
> I know that there is now an --external-ca option to ipa-server-install,
> but I have questions about the CSR process from my CA and they are not
> being very responsive.  I have also been told that this option would
> require a reseller arrangement potentially costing a lot of money; we
> don’t want to be in the CA business; we just want our external users to
> be able to securely access IPA.
> 
> Thanks again in advance for any assistance.

I think you misunderstand what the external-ca option does. This
generates a CSR that you hand off to an external CA which issues a
subordinate CA certificate. This isn't what you want AFAICT.

Start reading here
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-ca-options.html

and it sounds like this is the configuration you want:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-ca-options.html#install-ca-less

rob
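The "full certificate chain is not present" message in the original question is the check a practitioner will want to reproduce on their own side before handing a PKCS#12 to the CA-less install. The script below is an added example, not code from this thread or from the FreeIPA project: it builds a throwaway root, intermediate and wildcard leaf with openssl (all subjects, file names and the pass phrase `secret` are constructed test data), bundles the leaf three different ways, and then checks each bundle the way I understand the install-time check to work (an assumption): the certificate that owns the key must verify up to a self-signed root that is itself contained in the file. Only the bundle whose `-certfile` carries both the intermediate and the root passes.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): does a .p12 carry the full
# chain? Constructed test PKI; "secret" is a constructed pass phrase.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

PASS=secret

# Throwaway chain: root -> intermediate -> *.example.org leaf, all extensions
# given explicitly via -extfile so nothing depends on the local openssl.cnf.
make_test_chain() {
    dir=$1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Test Root" \
        -keyout "$dir/root.key" -out "$dir/root.csr" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/root.ext"
    openssl x509 -req -days 30 -in "$dir/root.csr" -signkey "$dir/root.key" \
        -extfile "$dir/root.ext" -out "$dir/root.pem" >/dev/null 2>&1

    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Test Intermediate" \
        -keyout "$dir/int.key" -out "$dir/int.csr" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/int.ext"
    openssl x509 -req -days 30 -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -extfile "$dir/int.ext" -out "$dir/int.pem" >/dev/null 2>&1

    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.example.org" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.org\nextendedKeyUsage=serverAuth\n' > "$dir/leaf.ext"
    openssl x509 -req -days 30 -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -CAcreateserial -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" >/dev/null 2>&1

    # What belongs in -certfile for the real bundle: every intermediate AND the root.
    cat "$dir/int.pem" "$dir/root.pem" > "$dir/chain.pem"
}

# bundle_p12 LEAF KEY CHAINFILE OUT  (CHAINFILE may be "" to omit the chain)
bundle_p12() {
    if [ -n "$3" ]; then
        openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" \
            -name wildcard -passout "pass:$PASS" -out "$4"
    else
        openssl pkcs12 -export -in "$1" -inkey "$2" \
            -name wildcard -passout "pass:$PASS" -out "$4"
    fi
}

# p12_has_full_chain FILE: 0 if the key's certificate verifies up to a
# self-signed root using ONLY the other certificates stored in the same file.
p12_has_full_chain() {
    tmp=$(mktemp -d)
    openssl pkcs12 -in "$1" -passin "pass:$PASS" -clcerts -nokeys -out "$tmp/leaf.pem" 2>/dev/null
    openssl pkcs12 -in "$1" -passin "pass:$PASS" -cacerts -nokeys -out "$tmp/cas.pem" 2>/dev/null
    n=$(grep -c 'BEGIN CERTIFICATE' "$tmp/cas.pem" || true)
    rc=1
    if [ "$n" -gt 0 ] && openssl verify -CAfile "$tmp/cas.pem" "$tmp/leaf.pem" >/dev/null 2>&1; then
        rc=0   # verify only succeeds when a self-signed root is among the CA certs
    fi
    rm -rf "$tmp"
    return $rc
}

main() {
    work=$(mktemp -d)
    make_test_chain "$work"
    bundle_p12 "$work/leaf.pem" "$work/leaf.key" ""              "$work/leaf-only.p12"
    bundle_p12 "$work/leaf.pem" "$work/leaf.key" "$work/int.pem"   "$work/no-root.p12"
    bundle_p12 "$work/leaf.pem" "$work/leaf.key" "$work/chain.pem" "$work/full.p12"
    for f in leaf-only no-root full; do
        if p12_has_full_chain "$work/$f.p12"; then
            echo "$f.p12: full chain present"
        else
            echo "$f.p12: full certificate chain is not present"
        fi
    done
    rm -rf "$work"
}
main
```

The middle case, leaf plus intermediate but no root, is the one that most often trips people up with commercial certificates, because the bundle the CA hands out usually stops at the intermediate; `openssl verify` refuses it with "unable to get issuer certificate", and the same completeness test is what the install complains about. Run the check against the real `.p12` (with its real pass phrase) before starting the install.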