[Freeipa-users] CA-less vs CA-ful FreeIPA 4.2 installation
Jan Cholasta
jcholast at redhat.com
Tue Feb 9 06:34:31 UTC 2016
Hi Peter,

On 9.2.2016 00:26, Peter Pakos wrote:
> Hi,
>
> I now have a CA-less installation of FreeIPA 4.2 which seems to be
> working OK.
>
> The initial server was installed with the following command:
>
> ipa-server-install \
> -U \
> -r IPA.WANDISCO.COM \
> -n ipa.wandisco.com \
> -p '********' \
> -a '********' \
> --mkhomedir \
> --setup-dns \
> --no-forwarders \
> --no-dnssec-validation \
> --dirsrv-cert-file=/root/ssl/GandiWildcardIPA.pfx \
> --dirsrv-pin='********' \
> --http-cert-file=/root/ssl/GandiWildcardIPA.pfx \
> --http-pin='********' \
> --dirsrv-cert-name=GandiWildcardIPA \
> --http-cert-name=GandiWildcardIPA \
> --idstart=1100 \
> --ca-cert-file=/root/ssl/star.ipa.wandisco.com.crt
>
> Both LDAP and HTTP certificates are correctly installed.
>
> My question is, how do I renew LDAP/HTTP certificates?
>
> I'm struggling to find step-by-step instructions on how to do this
> without breaking anything.
>
> This is one of the last tests I need to perform before moving this
> FreeIPA setup into production.
>
> Any info is greatly appreciated.
>
Currently you have to manually replace the certificates once you
manually renew them with your CA.

To replace the certificates, follow the guide I posted a month ago:
<https://www.redhat.com/archives/freeipa-users/2016-January/msg00023.html>.

Honza
--
Jan Cholasta