[Freeipa-users] Using 3rd party certificates for HTTP/LDAP

Jan Cholasta jcholast at redhat.com
Mon Jan 18 08:15:56 UTC 2016


On 18.1.2016 09:07, Martin Kosek wrote:
> On 01/15/2016 05:34 PM, Peter Pakos wrote:
>> On 15/01/2016 15:55, Rob Crittenden wrote:
>>>> I've re-run ipa-certupdate in verbose mode and I could see that it
>>>> removes all certificates in different databases (/etc/httpd/alias,
>>>> /etc/pki/nssdb, /etc/pki/pki-tomcat/alias) and then re-adds them (apart
>>>> from /etc/pki/pki-tomcat/alias).
>>>
>>> Yup, looks like this part is missing. Perhaps the assumption was that
>>> the CA would be authoritative in this regard.
>>
>> Is this a bug? Should this be logged somewhere so it can be looked into?

Yes, <https://fedorahosted.org/freeipa/ticket/5600>.

>>
>>> Updating the CA certs you'd want to add them to LDAP, replacing the
>>> older ones, and then ipa-certupdate will do the rest. You'd need to run
>>> this on all clients and servers.
>>
>> This sounds like a lot of manual work will be involved when it comes to renewal.
>>
>> And without clear and up-to-date information and possibly step-by-step
>> instructions the effort needed to get this sorted is doubled.
>>
>> Please note that it took us many hours to get a 3rd party SSL certificate
>> installed (you would think a very simple task). And the truth is that without
>> this mailing list and #freeipa channel we would still be stuck trying to get to
>> the bottom of this.
>>
>
> CCing Honza. Do we have all the respective tickets filed, so that we can
> improve and speed up the user experience?

There's <https://fedorahosted.org/freeipa/ticket/4322> for automatic CA 
certificate distribution and 
<https://fedorahosted.org/freeipa/ticket/4785> and 
<https://fedorahosted.org/freeipa/ticket/4786> for 
ipa-server-certinstall fixes.

If there's anything missing, please file a new ticket.

-- 
Jan Cholasta
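The behaviour reported earlier in this thread (ipa-certupdate re-adding CA certificates to /etc/httpd/alias and /etc/pki/nssdb but not to /etc/pki/pki-tomcat/alias) can be checked for after a run by comparing the CA nicknames each NSS database holds. The following is an added example, not code from the thread or from the FreeIPA project; it assumes the standard `certutil -L` listing format from nss-tools, and the function names and the sample listings are constructed for illustration.

```python
import re
import subprocess

# One entry line of `certutil -L` output: a nickname (may contain single spaces),
# at least two spaces of padding, then the three comma-separated trust fields.
_ENTRY_RE = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")

def parse_certutil_listing(text):
    """Return {nickname: trust_flags} parsed from `certutil -L -d <db>` output."""
    certs = {}
    for line in text.splitlines():
        m = _ENTRY_RE.match(line)
        if m:  # the header and blank lines never match the trust-field pattern
            certs[m.group("nick")] = m.group("trust")
    return certs

def ca_nicknames(certs):
    """Nicknames whose SSL trust field carries 'C' (trusted CA): the CA certificates."""
    return {nick for nick, trust in certs.items() if "C" in trust.split(",")[0]}

def find_missing_cas(listings):
    """listings: {db_path: certutil output}. Return {db_path: CA nicknames that some
    other database holds but this one lacks}; an empty dict means all are in sync."""
    per_db = {db: ca_nicknames(parse_certutil_listing(out)) for db, out in listings.items()}
    expected = set().union(*per_db.values())
    return {db: expected - cas for db, cas in per_db.items() if expected - cas}

def read_nss_db(db):
    """Run certutil (nss-tools) against a real database on an IPA host (needs root)."""
    return subprocess.run(["certutil", "-L", "-d", db],
                          capture_output=True, text=True, check=True).stdout

# Constructed sample listings mirroring the reported behaviour: after ipa-certupdate
# the new third-party CA is back in httpd/alias and nssdb but absent from pki-tomcat.
SAMPLE_LISTINGS = {
    "/etc/httpd/alias": (
        "Certificate Nickname                          Trust Attributes\n"
        "                                              SSL,S/MIME,JAR/XPI\n\n"
        "EXAMPLE.COM IPA CA                            CT,C,C\n"
        "Example ThirdParty Root CA                    C,,\n"
        "Server-Cert                                   u,u,u\n"),
    "/etc/pki/nssdb": (
        "EXAMPLE.COM IPA CA                            CT,C,C\n"
        "Example ThirdParty Root CA                    C,,\n"),
    "/etc/pki/pki-tomcat/alias": (
        "EXAMPLE.COM IPA CA                            CT,C,C\n"
        "Server-Cert cert-pki-ca                       u,u,u\n"),
}
MISSING = find_missing_cas(SAMPLE_LISTINGS)  # -> {'/etc/pki/pki-tomcat/alias': {'Example ThirdParty Root CA'}}
```

On a real server, replace the sample with `{db: read_nss_db(db) for db in (...)}` over the three paths and re-run ipa-certupdate or add the missing CA by hand if the result is non-empty.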