[Freeipa-users] CA-less vs CA-ful FreeIPA 4.2 installation
Peter Pakos
peter at pakos.pl
Mon Jan 18 11:05:14 UTC 2016
On 18/01/2016 08:06, Martin Kosek wrote:
> I am hoping that this is well explained here:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-examples.html#install-ca-options
>
> Some useful notes are also Dmitri Pal's blog post:
> http://rhelblog.redhat.com/2015/06/02/identity-management-and-certificates/
Thanks for the docs.
I'm trying to get my head around this... if I have a working CA-ful
FreeIPA setup and then install 3rd party SSL certificates for HTTP/LDAP
only (including 3 root CA certs from the chain) - does this replace
original self-signed CA that FreeIPA generated (and becomes External CA
install) or does CA stay untouched and I can still take advantage of all
the goodies that come with CA-ful install like automatic certificates
renewals (apart from HTTP/LDAP ones)?
Or does this become a multi CA install?
BTW, I can see that the root certificates are getting added to
/etc/ipa/ca.crt.
>> I'm also thinking ahead, when it comes to renewing certificates when they
>> expire in 1 year time, which install type would cause less problems?
>
> In CA-ful installation, client certificates or FreeIPA CA subsystem
> certificates should just renew automatically. In CA-less, you need to take care
> to renew them manually with your 3rd party certificate provider.
So in my CA-ful install with 3rd party SSL certificate installed, how
would the renewal look?
I understand that I would have to install new HTTP/LDAP certificates
manually as they were signed by external CA, but would all certificates
issued by FreeIPA CA still renew automatically?
>> I've failed to find any useful info covering the above points, so if you know
>> anything, please just let me know.
>
> I think the important point is that even if you choose to install with CA-less
> for now, you can switch to CA-ful later via ipa-ca-install:
>
> http://www.freeipa.org/page/V4/CA-less_to_CA-full_conversion
Thank you, your help is much appreciated!
--
Kind regards,
Peter Pakos
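On a running server the renewal question can be checked rather than guessed: certmonger's `getcert list` shows each tracked certificate, which CA helper renews it, and whether auto-renew is on; anything not renewed through a FreeIPA helper (or not tracked at all, as hand-installed third-party certificates usually are not) must be renewed manually. The script below is an added example, not from this thread or from the FreeIPA project; it assumes the `getcert list` text layout and the helper names `IPA` and `dogtag-ipa-ca-renew-agent`, and runs on a constructed sample.

```python
"""Added example (not from the thread): sort what certmonger tracks on a FreeIPA
server into auto-renewed vs. manually renewed certificates. Assumes the text
layout of `getcert list`; the sample below is constructed, not real output."""
import re
from datetime import datetime, timezone

SAMPLE = """\
Request ID '20160118110514':
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
\tCA: IPA
\tsubject: CN=ipa.example.com,O=EXAMPLE.COM
\texpires: 2018-01-18 11:05:14 UTC
\tauto-renew: yes
Request ID '20160118110515':
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=CA Audit,O=EXAMPLE.COM
\texpires: 2017-12-01 00:00:00 UTC
\tauto-renew: yes
Request ID '20160118110516':
\tcertificate: type=FILE,location='/etc/pki/tls/certs/thirdparty.pem'
\tsubject: CN=ipa.example.com,O=Example Ltd
\texpires: 2017-01-18 11:05:14 UTC
\tauto-renew: no
"""
IPA_CAS = {"IPA", "dogtag-ipa-ca-renew-agent"}  # helpers whose renewals FreeIPA drives

def parse_getcert_list(text):
    """Return one dict per 'Request ID' block, keyed by the indented field names."""
    entries, cur = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            cur = {"id": m.group(1)}
            entries.append(cur)
        elif cur is not None and line[:1] in (" ", "\t"):
            key, _, val = line.strip().partition(": ")
            cur[key] = val
    return entries

def renewal_plan(text, now):
    """Map request id -> (subject, 'auto'|'manual', days left); 'now' in getcert's timestamp format."""
    ts = lambda s: datetime.strptime(s, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)
    plan = {}
    for e in parse_getcert_list(text):
        auto = e.get("auto-renew") == "yes" and e.get("CA") in IPA_CAS
        plan[e["id"]] = (e["subject"], "auto" if auto else "manual", (ts(e["expires"]) - ts(now)).days)
    return plan

if __name__ == "__main__":
    print(renewal_plan(SAMPLE, datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")))
```

On a real server feed it the output of `getcert list` instead of `SAMPLE`; entries marked `manual` are the ones to put on a renewal calendar.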