[Freeipa-users] [Import existing CA Cert]

Fraser Tweedale ftweedal at redhat.com
Wed Sep 23 09:59:46 UTC 2015


On Wed, Sep 23, 2015 at 09:07:31AM +0200, Martin Kosek wrote:
> On 09/22/2015 12:41 PM, Michael Anderson wrote:
> > Hi All,
> > 
> > we're evaluating freeipa/dogtag as a PKI management service and hoping to
> > replace our existing menagerie of bash/openssl scripts. I'm trying to establish
> > a migration path for our existing PKI solution and have a few questions:
> 
> Hi Michael,
> 
> Before you continue with the project, please keep in mind that FreeIPA PKI
> capabilities are bound to the FreeIPA objects - i.e. users, hosts or services.
> It does not allow you to generate completely random certificates (at the moment).
> 
> > * how can I import and use our existing CA signing cert?
> > * can I import existing server certs and keys?
> 
> Could you create the FreeIPA server CA as a subordinate CA to your current CA? To me,
> it seems the easiest way, as I do not think we have any nice CLIs to inject an
> existing CA cert+key into FreeIPA/Dogtag. CCing Jan and Fraser to see if they
> have an idea.
> 
Indeed, there does not seem to be a supported way to do this but you
are not the only one asking for it (another thread on freeipa-users
today asks the same question).  So it is worth filing a ticket if
there is not one already.

For a workaround, you could probably do it by overwriting a keypair
in the nssdb in between step 1 and step 2 of ipa-server-install; it
is a nasty hack and I have not tried it, but it is my only idea
right now.

> More here:
> http://www.freeipa.org/page/PKI#Blending_in_PKI_infrastructure
> 
> > * I'm using Fedora22. When I install dogtag-pki, the user page for submitting
> > CSRs is available. But when I install the freeipa package, I get a 404 when
> > attempting to access the page. Is this functionality available in freeipa?
> 
> When PKI is configured as part of FreeIPA, FreeIPA takes control of requesting
> and passing the certificates from/to user. I think the Dogtag UI should be
> still somehow accessible, but is not the supported way.
> 
It should be accessible on ports 8080 / 8443, i.e.
https://your.domain:8443/ca/ee/ca.  The full power of Dogtag is
available to you, but as stated it is not the supported way, and if
FreeIPA itself does not solve your certificate use cases, please make
sure we know about them so we can determine whether we should
support it in FreeIPA directly.

Cheers,
Fraser

> FreeIPA itself can accept CSRs via cert-request CLI command or Web UI page, or
> via certmonger (man ipa-getcert) component that even renews the certificate.
> 
> BTW, what version of FreeIPA are you using? FreeIPA 4.2 provides much more PKI
> related capabilities than older versions, for beginning Certificate Profiles,
> which are a must if you do not want to use just single fixed cert profile.
> 
> More here:
> http://www.freeipa.org/page/Releases/4.2.0
> 
> Martin
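As an added illustration of the subordinate-CA path Martin suggests (this is not code from the thread, from FreeIPA or from Dogtag): FreeIPA's CA is installed in two stages, `ipa-server-install --external-ca` first writes a CSR and stops, and after the existing CA has signed it the install is resumed with `--external-cert-file` pointing at the signed cert and at the external CA chain. The part that is easy to get wrong is on the external CA side: the CSR must be signed as a CA certificate (basicConstraints CA:TRUE, keyCertSign), not with an ordinary server profile. The script below models the external CA with throwaway openssl keys, signs a stand-in for ipa.csr both correctly and incorrectly, and gives a pre-flight check to run before stage 2. The realm, domain and file paths are assumptions; the ipa-server-install commands are shown in comments and are not executed.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/Dogtag.
# Models the subordinate-CA flow: FreeIPA's own CA becomes a sub-CA of the
# existing CA via the two-stage install, and the external CA must sign
# FreeIPA's CSR as a *CA* certificate. Only openssl runs here, on constructed
# throwaway keys; realm, domain and paths below are assumptions.
#
# Stage 1 (on the IPA server) writes the CSR and stops:
#   ipa-server-install --external-ca --realm=EXAMPLE.TEST --domain=example.test
#   -> /root/ipa.csr
# Stage 2, once the external CA has returned the signed CA cert and its chain:
#   ipa-server-install --external-cert-file=/root/ipa.pem \
#                      --external-cert-file=/root/external-ca-chain.pem
set -eu

# Minimal OpenSSL config: a CA profile (what the external CA must apply to
# ipa.csr) and an end-entity profile (the mistake that breaks stage 2).
write_cfg() {  # $1 = config path
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ee_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
EOF
}

# Stand-in for the organisation's existing root CA (self-signed, CA profile).
make_root() {  # $1 = workdir
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Existing Root CA" -config "$1/ext.cnf" -extensions ca_ext \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
}

# Stand-in for /root/ipa.csr: a CSR for the future FreeIPA CA key.
make_ipa_csr() {  # $1 = workdir
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=EXAMPLE.TEST/CN=Certificate Authority" -config "$1/ext.cnf" \
        -keyout "$1/ipa.key" -out "$1/ipa.csr" 2>/dev/null
}

# What the external CA operator does with the CSR. $2 picks the profile
# (ca_ext = correct, ee_ext = the common mistake); $3 is the output cert.
sign_csr() {  # $1 = workdir, $2 = extension section, $3 = out cert
    openssl x509 -req -in "$1/ipa.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -CAcreateserial -days 1 -extfile "$1/ext.cnf" -extensions "$2" \
        -out "$3" 2>/dev/null
}

# Pre-flight check before stage 2: the returned cert must carry
# basicConstraints CA:TRUE and must verify against the supplied external chain.
# Returns 0 only if both hold.
precheck_external_cert() {  # $1 = signed IPA CA cert, $2 = external CA chain
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE' || return 1
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Constructed end-to-end run in a scratch directory: produces ipa-good.pem
# (signed with the CA profile) and ipa-bad.pem (signed as an end entity).
demo() {  # $1 = workdir
    write_cfg "$1/ext.cnf"
    make_root "$1"
    make_ipa_csr "$1"
    sign_csr "$1" ca_ext "$1/ipa-good.pem"
    sign_csr "$1" ee_ext "$1/ipa-bad.pem"
}
```

Run `demo "$(mktemp -d)"` and then `precheck_external_cert <workdir>/ipa-good.pem <workdir>/root.pem`; the good cert passes and the end-entity one fails even though it chains cleanly, which is exactly the case the check is there to catch before `ipa-server-install --external-cert-file` is invoked.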
