[Freeipa-users] Automatic IPA CA cert generation

Fraser Tweedale ftweedal at redhat.com
Thu Sep 24 00:20:14 UTC 2015


On Wed, Sep 23, 2015 at 11:16:27AM +0100, James Masson wrote:
> 
> On 23/09/15 11:03, Fraser Tweedale wrote:
> >On Wed, Sep 23, 2015 at 09:09:25AM +0200, David Kupka wrote:
> >>On 22/09/15 17:02, James Masson wrote:
> >>>
> >>>Hi,
> >>>
> >>>we're building IPAs in an automated fashion, for environments that get
> >>>created and destroyed a lot. At the moment, the CA certs used inside
> >>>these IPAs are self-signed, as part of the normal "ipa-server-install"
> >>>setup process.
> >>>
> >>>We would like to switch to issuing signed intermediate CA certs to the
> >>>IPAs we deploy.
> >>>
> >>>The documentation lists the two-part process necessary for this. First
> >>>"--external-ca", and then "--external-cert-file".
> >>>
> >>>Are there any ways to skip this, and give the setup process a known
> >>>public/private key+cert up front? I'm hoping to avoid the need to have
> >>>to use/send this automatically generated CSR every time.
> >>>
> >>>thanks
> >>>
> >>>James M
> >>>
> >>
> >>Hello James,
> >>currently it's not possible, but making installation with an externally signed
> >>CA a single step sounds really useful to me.
> >>Currently certmonger is generating the CSR for the FreeIPA server in the first
> >>step of installation. Certmonger is also able to send a certificate to an
> >>external CA for signing.
> >>
> >>I'm not sure if we could combine these two certmonger abilities right now,
> >>but if not it shouldn't be difficult to add functionality to certmonger to
> >>send the CSR to a preconfigured CA instead of just storing it in a file.
> >>
> >>This would of course require configuring the certmonger with information
> >>about the CA before FreeIPA server installation but it's just one command
> >>(getcert-add-ca).
> >>
> >>Could you please file a ticket (https://fedorahosted.org/freeipa/newticket)?
> >>
> >There are two sides to this - one is using Certmonger for automatic
> >signing of intermediate CA certificate to be used by IPA, the other
> >is simply using a CA cert that the administrator already possesses,
> >e.g. in a PKCS #12 file.  These should be separate tickets.
> >
> >Cheers,
> >Fraser
> >
> >>--
> >>David Kupka
> >>
> >>--
> >>Manage your subscription for the Freeipa-users mailing list:
> >>https://www.redhat.com/mailman/listinfo/freeipa-users
> >>Go to http://freeipa.org for more info on the project
> 
> Done -
> 
> https://fedorahosted.org/freeipa/ticket/5317
> https://fedorahosted.org/freeipa/ticket/5318
> 
> Would it be possible to use Certmonger to help with the two-step process used at
> the moment?
> 
> i.e. run 'ipa-server-install' the first time - get the CSR
> use local Certmonger to handle the CSR submission to the upstream CA
> use the resulting cert in the second 'ipa-server-install'
> 
> Any pointers?
> 
> regards
> 
> James M
> 
I don't see an option for certmonger to use an existing CSR but you
could ask it to create and track a new CSR for the same key.  See
getcert-request(1) for full details.

Cheers,
Fraser
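As an added example (not code from the thread or from the FreeIPA project): pre-flight checks a deployment script can run between the two ipa-server-install runs, confirming that the certificate returned by the external CA was issued for the key behind the first run's CSR, is marked as a CA, and verifies against the external CA's chain bundle. It assumes openssl is in PATH; the file paths are assumptions, and the final line reuses the --external-cert-file flag named in the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA: pre-flight checks on an
# externally signed IPA CA certificate before the second ipa-server-install run.
# Assumes openssl in PATH; the three paths below are assumptions, not defaults.
CSR="${CSR:-/root/ipa.csr}"                        # CSR written by the --external-ca run
CERT="${CERT:-/path/to/ipa-ca-signed.crt}"         # signed intermediate CA cert
CHAIN="${CHAIN:-/path/to/external-ca-chain.crt}"   # external CA root/chain bundle

# SHA-256 of the DER SubjectPublicKeyInfo from a CSR ("req") or a cert ("x509").
# Fails (non-zero) instead of hashing nothing when the file cannot be parsed.
pubkey_fp() {
    pem=$(openssl "$2" -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | sed 's/^.*= *//'
}

# The external CA must have signed the key IPA generated in step one.
csr_matches_cert() {
    a=$(pubkey_fp "$1" req) && b=$(pubkey_fp "$2" x509) && [ "$a" = "$b" ]
}

# Step two needs a CA certificate: basicConstraints must say CA:TRUE.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'
}

# The cert must verify against the same chain bundle handed to the installer.
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Run all checks; report every failure and return non-zero if any failed.
preflight() {
    rc=0
    csr_matches_cert "$1" "$2" || { echo "key mismatch: $2 was not issued for $1" >&2; rc=1; }
    cert_is_ca "$2"            || { echo "$2 lacks basicConstraints CA:TRUE" >&2; rc=1; }
    chain_verifies "$2" "$3"   || { echo "$2 does not verify against $3" >&2; rc=1; }
    return $rc
}

# Second installer run, only when every check passed.
if [ "${1:-}" = "--install" ]; then
    preflight "$CSR" "$CERT" "$CHAIN" && \
        ipa-server-install --external-cert-file="$CERT" --external-cert-file="$CHAIN"
fi
```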
