[Freeipa-users] Automatic IPA CA cert generation

Rob Crittenden rcritten at redhat.com
Wed Sep 23 12:51:09 UTC 2015


David Kupka wrote:
> On 22/09/15 17:02, James Masson wrote:
>>
>> Hi,
>>
>> we're building IPAs in an automated fashion, for environments that get
>> created and destroyed a lot. At the moment, the CA certs used inside
>> these IPAs are self-signed, as part of the normal "ipa-server-install"
>> setup process.
>>
>> We would like to switch to issuing signed intermediate CA certs to the
>> IPAs we deploy.
>>
>> The documentation lists the two-part process necessary for this. First
>> "--external-ca" - and then "--external-cert-file".
>>
>> Are there any ways to skip this, and give the setup process a known
>> public/private key+cert up front? I'm hoping to avoid the need to have
>> to use/send this automatically generated CSR every time.
>>
>> thanks
>>
>> James M
>>
> 
> Hello James,
> currently it's not possible, but making installation with an externally
> signed CA a single step sounds really useful to me.
> Currently certmonger is generating the CSR for the FreeIPA server in the
> first step of installation. Certmonger is also able to send a certificate
> to an external CA for signing.
> 
> I'm not sure if we could combine these two certmonger abilities right
> now, but if not it shouldn't be difficult to add functionality to
> certmonger to send the CSR to a preconfigured CA instead of just storing
> it in a file.
> 
> This would of course require configuring certmonger with information
> about the CA before FreeIPA server installation, but it's just one
> command (getcert-add-ca).
> 
> Could you please file a ticket
> (https://fedorahosted.org/freeipa/newticket)?
> 

Unless something has radically changed, AFAIK dogtag generates its own
keys and certmonger simply tracks the cert it issues after the fact.
There may be room there to use certmonger with sub-CAs, since those are
really just separate profiles, but for the initial install I don't
believe certmonger is used.

rob
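The two-step external-CA flow James describes, simulated offline with openssl as an added example (not code from this thread or from FreeIPA): a throwaway root CA stands in for the organisation's external CA, the CSR stands in for the one "ipa-server-install --external-ca" writes, and the last function is the pre-flight check worth running before handing the signed result to "--external-cert-file". All file paths and subject names are constructed.

```shell
#!/bin/sh
# Added example, not FreeIPA code. Requires the openssl CLI.
set -eu
WORK=$(mktemp -d)

# Step 0: throwaway root CA standing in for the external CA (constructed).
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/O=EXAMPLE/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
}

# Step 1: a CSR shaped like the one "ipa-server-install --external-ca"
# writes to /root/ipa.csr (constructed subject, constructed path).
make_ipa_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=EXAMPLE.TEST/CN=Certificate Authority" \
    -keyout "$WORK/ipa-ca.key" -out "$WORK/ipa.csr" 2>/dev/null
}

# Step 2: the external CA signs the CSR as a subordinate CA. The extensions
# are what matter: without CA:TRUE and keyCertSign the IPA CA cannot issue
# certificates even though the chain still "verifies".
sign_as_sub_ca() {
  printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
    'keyUsage=critical,keyCertSign,cRLSign' \
    'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid' > "$WORK/subca.ext"
  openssl x509 -req -in "$WORK/ipa.csr" -CA "$WORK/root.crt" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 1825 -sha256 \
    -extfile "$WORK/subca.ext" -out "$WORK/ipa-ca.crt" 2>/dev/null
}

# Pre-flight check before "--external-cert-file": the issued cert must chain
# to the root AND really be a CA. Returns 0 only if all three hold.
check_chain() {
  openssl verify -CAfile "$WORK/root.crt" "$WORK/ipa-ca.crt" >/dev/null 2>&1 || return 1
  text=$(openssl x509 -in "$WORK/ipa-ca.crt" -noout -text)
  printf '%s' "$text" | grep -q 'CA:TRUE' || return 1
  printf '%s' "$text" | grep -q 'Certificate Sign' || return 1
}

make_root && make_ipa_csr && sign_as_sub_ca && check_chain && \
  echo "chain OK: $WORK/ipa-ca.crt + $WORK/root.crt are ready for --external-cert-file"
```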