[Freeipa-users] Automatic IPA CA cert generation

James Masson james.masson at jmips.co.uk
Wed Sep 23 10:16:27 UTC 2015


On 23/09/15 11:03, Fraser Tweedale wrote:
> On Wed, Sep 23, 2015 at 09:09:25AM +0200, David Kupka wrote:
>> On 22/09/15 17:02, James Masson wrote:
>>>
>>> Hi,
>>>
>>> we're building IPAs in an automated fashion, for environments that get
>>> created and destroyed a lot. At the moment, the CA certs used inside
>>> these IPAs are self-signed, as part of the normal "ipa-server-install"
>>> setup process.
>>>
>>> We would like to switch to issuing signed intermediate CA certs to the
>>> IPAs we deploy.
>>>
>>> The documentation lists the two-part process necessary for this. First
>>> "--external-ca" - and then "--external-cert-file"
>>>
>>> Are there any ways to skip this, and give the setup process a known
>>> public/private key+cert up front? I'm hoping to avoid the need to have
>>> to use/send this automatically generated CSR every time.
>>>
>>> thanks
>>>
>>> James M
>>>
>>
>> Hello James,
>> currently it's not possible but making installation with an externally signed
>> CA a single step sounds really useful to me.
>> Currently certmonger is generating the CSR for FreeIPA server in the first
>> step of installation. Certmonger is also able to send certificate to
>> external CA for signing.
>>
>> I'm not sure if we could combine these two certmonger abilities right now
>> but if not it shouldn't be difficult to add functionality to certmonger to
>> send the CSR to preconfigured CA instead of just storing it in file.
>>
>> This would of course require configuring the certmonger with information
>> about the CA before FreeIPA server installation but it's just one command
>> (getcert-add-ca).
>>
>> Could you please file a ticket (https://fedorahosted.org/freeipa/newticket)?
>>
> There are two sides to this - one is using Certmonger for automatic
> signing of intermediate CA certificate to be used by IPA, the other
> is simply using a CA cert that the administrator already possesses,
> e.g. in a PKCS #12 file.  These should be separate tickets.
>
> Cheers,
> Fraser
>
>> --
>> David Kupka
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project

Done -

https://fedorahosted.org/freeipa/ticket/5317
https://fedorahosted.org/freeipa/ticket/5318

Would it be possible to use Certmonger to help the 2 step process used 
at the moment?

i.e. run 'ipa-server-install' the first time - get the CSR
use local Certmonger to handle the CSR submission to upstream CA
use the resulting Cert in the second 'ipa-server-install'

Any pointers?

regards

James M
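To illustrate the two-step external-CA process discussed in this thread, here is an added example (not code from the thread or from the FreeIPA project): a POSIX shell wrapper that runs phase one, hands the CSR to a site-specific signing command, and refuses to run phase two unless the returned certificate matches the CSR's key, is a CA certificate, and chains to the upstream CA bundle. It assumes phase one writes the CSR to /root/ipa.csr, and `submit-to-upstream-ca` is a hypothetical placeholder for the local signing hook.

```shell
#!/bin/sh
# Added example, not from the thread. Two-phase ipa-server-install with an
# externally signed CA certificate, with sanity checks before phase two.
# Assumptions: phase one writes the CSR to /root/ipa.csr (FreeIPA default);
# SIGN_CMD is a hypothetical site command reading a CSR on stdin and
# writing the signed PEM certificate on stdout.
set -eu

CSR=${CSR:-/root/ipa.csr}
CERT=${CERT:-/root/ipa-ca.crt}
CHAIN=${CHAIN:-/root/external-ca-chain.crt}
SIGN_CMD=${SIGN_CMD:-submit-to-upstream-ca}

# Returns 0 when the certificate was issued for the key in the CSR.
csr_cert_match() {
    csr_key=$(openssl req -in "$1" -noout -pubkey) || return 1
    cert_key=$(openssl x509 -in "$2" -noout -pubkey) || return 1
    [ "$csr_key" = "$cert_key" ]
}

# Returns 0 when the certificate carries basicConstraints CA:TRUE;
# the IPA CA cannot issue from a non-CA certificate.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Returns 0 when the certificate verifies against the upstream CA bundle.
chains_to() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

phase_one() {
    ipa-server-install --external-ca "$@"
}

phase_two() {
    csr_cert_match "$CSR" "$CERT" || { echo "cert does not match CSR key" >&2; return 1; }
    is_ca_cert "$CERT" || { echo "cert is not a CA certificate" >&2; return 1; }
    chains_to "$CERT" "$CHAIN" || { echo "cert does not chain to $CHAIN" >&2; return 1; }
    ipa-server-install --external-cert-file="$CERT" --external-cert-file="$CHAIN" "$@"
}

# Usage: wrapper.sh phase1 | sign | phase2  (extra args pass through)
case "${1:-}" in
    phase1) shift; phase_one "$@" ;;
    sign)   "$SIGN_CMD" <"$CSR" >"$CERT" ;;
    phase2) shift; phase_two "$@" ;;
esac
```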
