[Freeipa-users] Automatic IPA CA cert generation

David Kupka dkupka at redhat.com
Wed Sep 23 07:09:25 UTC 2015


On 22/09/15 17:02, James Masson wrote:
>
> Hi,
>
> we're building IPAs in an automated fashion, for environments that get
> created and destroyed a lot. At the moment, the CA certs used inside
> these IPAs are self-signed, as part of the normal "ipa-server-install"
> setup process.
>
> We would like to switch to issuing signed intermediate CA certs to the
> IPAs we deploy.
>
> The documentation lists the two part process necessary for this. First
> "--external-ca" - and then "--external-cert-file"
>
> Are there any ways to skip this, and give the setup process a known
> public/private key+cert up front? I'm hoping to avoid the need to have
> to use/send this automatically generated CSR every time.
>
> thanks
>
> James M
>

Hello James,
Currently it's not possible, but making installation with an externally 
signed CA a single step sounds really useful to me.
Currently certmonger is generating the CSR for the FreeIPA server in the 
first step of installation. Certmonger is also able to send a certificate 
to an external CA for signing.

I'm not sure if we could combine these two certmonger abilities right 
now, but if not, it shouldn't be difficult to add functionality to 
certmonger to send the CSR to a preconfigured CA instead of just storing 
it in a file.

This would of course require configuring the certmonger with information 
about the CA before FreeIPA server installation but it's just one 
command (getcert-add-ca).

Could you please file a ticket (https://fedorahosted.org/freeipa/newticket)?

-- 
David Kupka
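
The two-step flow discussed in this thread can be scripted around the existing options. The following is an added example, not code from the thread or from FreeIPA: it covers the signing step between "--external-ca" and "--external-cert-file" with openssl, and the function names and file paths are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not FreeIPA code): the signing step that sits between
# "ipa-server-install --external-ca" and "--external-cert-file".
# Function names and all file names are hypothetical.
set -eu

# sign_ipa_csr CSR CA_CERT CA_KEY OUT_CERT [DAYS]
# Issues a subordinate-CA certificate for the CSR. "openssl x509 -req"
# checks the CSR self-signature and fails if it does not match.
sign_ipa_csr() {
    local csr="$1" ca_cert="$2" ca_key="$3" out="$4" days="${5:-3650}"
    local ext; ext="$(mktemp)"
    # CA:TRUE + keyCertSign make the result usable as a CA. pathlen:0 stops
    # it from signing further sub-CAs; drop it if the IPA CA must do so.
    cat >"$ext" <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF
    if ! openssl x509 -req -in "$csr" -CA "$ca_cert" -CAkey "$ca_key" \
            -set_serial "0x$(openssl rand -hex 16)" -days "$days" -sha256 \
            -extfile "$ext" -out "$out"; then
        rm -f "$ext"; return 1
    fi
    rm -f "$ext"
}

# check_ipa_ca_cert CERT CA_CERT: chain must verify and CERT must be a CA.
# CA_CERT is assumed to hold the complete trust chain of the external CA.
check_ipa_ca_cert() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || return 1
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# build_chain IPA_CERT CA_CERT OUT: one PEM bundle for --external-cert-file.
build_chain() { cat "$1" "$2" >"$3"; }

# Intended flow on the IPA host (site-specific installer options omitted;
# /root/ipa.csr is where the installer leaves the CSR after step 1):
#   ipa-server-install --external-ca ...
#   sign_ipa_csr /root/ipa.csr ca.crt ca.key ipa.crt
#   check_ipa_ca_cert ipa.crt ca.crt && build_chain ipa.crt ca.crt chain.pem
#   ipa-server-install --external-cert-file=chain.pem ...
```

Scripting the step this way puts the external CA's private key where the automation can read it, so a dedicated intermediate kept for these short-lived environments limits what that key can sign.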