[Freeipa-users] CA-less vs CA-ful FreeIPA 4.2 installation

Peter Pakos peter at pakos.pl
Mon Jan 18 11:05:14 UTC 2016


On 18/01/2016 08:06, Martin Kosek wrote:
> I am hoping that this is well explained here:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-examples.html#install-ca-options
>
> Some useful notes are also Dmitri Pal's blog post:
> http://rhelblog.redhat.com/2015/06/02/identity-management-and-certificates/

Thanks for the docs.

I'm trying to get my head around this... if I have a working CA-ful 
FreeIPA setup and then install 3rd party SSL certificates for HTTP/LDAP 
only (including 3 root CA certs from the chain) - does this replace 
original self-signed CA that FreeIPA generated (and becomes External CA 
install) or does CA stay untouched and I can still take advantage of all 
the goodies that come with CA-ful install like automatic certificates 
renewals (apart from HTTP/LDAP ones)?

Or does this become a multi CA install?

BTW, I can see that the root certificates are getting added to 
/etc/ipa/ca.crt.

>> I'm also thinking ahead, when it comes to renewing certificates when they
>> expire in 1 year time, which install type would cause less problems?
>
> In CA-ful installation, client certificates or FreeIPA CA subsystem
> certificates should just renew automatically. In CA-less, you need to take care
> to renew them manually with your 3rd party certificate provider.

So in my CA-ful install with 3rd party SSL certificate installed, how 
would the renewal look?

I understand that I would have to install new HTTP/LDAP certificates 
manually as they were signed by external CA, but would all certificates 
issued by FreeIPA CA still renew automatically?

>> I've failed to find any useful info covering the above points, so if you know
>> anything, please just let me know.
>
> I think the important point is that even if you choose to install with CA-less
> for now, you can switch to CA-ful later via ipa-ca-install:
>
> http://www.freeipa.org/page/V4/CA-less_to_CA-full_conversion

Thank you, your help is much appreciated!

-- 
Kind regards,
  Peter Pakos
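The thread turns on which certificates renew themselves and which must be tracked by hand. In a CA-ful install with third-party HTTP/LDAP certificates, the externally signed ones and the root chain appended to /etc/ipa/ca.crt are exactly the ones nobody renews for you. The script below is an added example, not FreeIPA's own tooling: it splits a PEM bundle (such as /etc/ipa/ca.crt), reads each certificate's Validity field with a small DER walk, and returns the certificates that expire within a chosen horizon. The three-certificate bundle and the "today" date are constructed for the demonstration; the certificate skeletons are unsigned and carry only the fields the walk needs.

```python
"""Flag certificates in a PEM bundle that expire soon (added example, not FreeIPA code).
Usage: python3 check_bundle.py [/etc/ipa/ca.crt]  (no argument: constructed sample)."""
import base64
import datetime as dt
import re
import sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
UTC = dt.timezone.utc

def split_pem_bundle(text):
    """DER bytes of every certificate in the bundle, in file order."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(text)]

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Yield (tag, value) for each element directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        yield tag, inner

def _parse_time(tag, value):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDD...Z) -> aware datetime."""
    s = value.decode("ascii")
    if tag == 0x17:                        # RFC 5280: YY >= 50 means 19YY, else 20YY
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)

def cert_validity(der):
    """(notBefore, notAfter) of an X.509 DER certificate."""
    _, cert, _ = _tlv(der, 0)                      # Certificate ::= SEQUENCE
    tbs = next(_children(cert))[1]                 # tbsCertificate ::= SEQUENCE
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                       # optional [0] EXPLICIT version
        fields = fields[1:]
    not_before, not_after = _children(fields[3][1])  # serial, sigAlg, issuer, validity
    return _parse_time(*not_before), _parse_time(*not_after)

def expiring_within(bundle_text, days, now=None):
    """0-based indexes of bundle certificates whose notAfter is within `days` of `now`."""
    now = now or dt.datetime.now(UTC)
    horizon = now + dt.timedelta(days=days)
    return [i for i, der in enumerate(split_pem_bundle(bundle_text))
            if cert_validity(der)[1] <= horizon]

# ---- constructed sample bundle (unsigned skeletons, NOT real certificates) ----
def _der(tag, payload):
    n = len(payload)
    length = bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + payload

def _fake_cert(not_before, not_after):
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),      # [0] version v3
        _der(0x02, b"\x01"),                  # serialNumber
        _der(0x30, b""),                      # signature AlgorithmIdentifier (placeholder)
        _der(0x30, b""),                      # issuer Name (placeholder)
        _der(0x30, utc(not_before) + utc(not_after)),  # validity
        _der(0x30, b""),                      # subject (placeholder)
        _der(0x30, b""),                      # subjectPublicKeyInfo (placeholder)
    ]))
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

NOW = dt.datetime(2016, 1, 18, tzinfo=UTC)      # constructed "today" (date of this mail)
SAMPLE_BUNDLE = (
    _fake_cert(dt.datetime(2016, 1, 10), dt.datetime(2017, 1, 10))   # 1-year third-party cert
    + _fake_cert(dt.datetime(2014, 6, 1), dt.datetime(2034, 6, 1))   # long-lived root CA
    + _fake_cert(dt.datetime(2015, 12, 1), dt.datetime(2016, 2, 1))  # about to expire
)

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    for i, der in enumerate(split_pem_bundle(text)):
        print(i, *cert_validity(der))
    print("expiring within 90 days:", expiring_within(text, 90, NOW if len(sys.argv) == 1 else None))
```

Run against a real bundle the walk follows the same field order defined in RFC 5280, so it works on ordinary certificates too; the 90-day threshold is the value a practitioner would typically tie to a monitoring alert, since FreeIPA will not renew these externally issued certificates itself.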
