[Freeipa-users] CA-less vs CA-ful FreeIPA 4.2 installation

Martin Kosek mkosek at redhat.com
Mon Jan 18 11:42:42 UTC 2016


On 01/18/2016 12:05 PM, Peter Pakos wrote:
> On 18/01/2016 08:06, Martin Kosek wrote:
>> I am hoping that this is well explained here:
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-examples.html#install-ca-options
>>
>>
>> Some useful notes are also Dmitri Pal's blog post:
>> http://rhelblog.redhat.com/2015/06/02/identity-management-and-certificates/
> 
> Thanks for the docs.
> 
> I'm trying to get my head around this... if I have a working CA-ful FreeIPA
> setup and then install 3rd party SSL certificates for HTTP/LDAP only (including
> 3 root CA certs from the chain) - does this replace the original self-signed CA
> that FreeIPA generated (and become an External CA install), or does the CA stay
> untouched so that I can still take advantage of all the goodies that come with a
> CA-ful install, like automatic certificate renewals (apart from the HTTP/LDAP ones)?
> 
> Or does this become a multi-CA install?
> 
> BTW, I can see that the root certificates are getting added to /etc/ipa/ca.crt.

You should still be able to benefit from all the goodies the CA-ful FreeIPA
has. As you noticed above, all root CA certs should be added to ca.crt (see the
help for the ipa-certupdate tool); it is used to update certs on server/client
and add the new CA certificates.

>>> I'm also thinking ahead, when it comes to renewing certificates when they
>>> expire in 1 year time, which install type would cause less problems?
>>
>> In CA-ful installation, client certificates or FreeIPA CA subsystem
>> certificates should just renew automatically. In CA-less, you need to take care
>> to renew them manually with your 3rd party certificate provider.
> 
> So in my CA-ful install with 3rd party SSL certificate installed, how would the
> renewal look?

All certificates issued by the FreeIPA CA should be renewed automatically by
certmonger (if configured). External certificates need to be renewed
manually. Honza, does certmonger already warn about non-IPA certificates that
are getting close to their expiration date, or is this rather an RFE for the future?

> I understand that I would have to install new HTTP/LDAP certificates manually
> as they were signed by external CA, but would all certificates issued by
> FreeIPA CA still renew automatically?

They should, yes.

>>> I've failed to find any useful info covering the above points, so if you know
>>> anything, please just let me know.
>>
>> I think the important point is that even if you choose to install with CA-less
>> for now, you can switch to CA-ful later via ipa-ca-install:
>>
>> http://www.freeipa.org/page/V4/CA-less_to_CA-full_conversion
> 
> Thank you, your help is much appreciated!
> 
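Following up on the certmonger renewal point above, here is an added example (not code from the thread or from the FreeIPA project): a Python check that parses `getcert list` output, treats every tracked certificate that was not issued through the IPA CA or has auto-renew off as one the operator must renew by hand, and reports the days left until expiry. The `getcert list` sample is constructed for the demo; the field names follow certmonger's text output, which you should confirm against your own server.

```python
import re
from datetime import datetime, timezone

# Constructed sample of `getcert list` output (not captured from a real server):
# one cert issued by the IPA CA, one imported third-party HTTP/LDAP cert.
SAMPLE_GETCERT_LIST = """\
Request ID '20160118114242':
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.COM
\tsubject: CN=ipa.example.com,O=EXAMPLE.COM
\texpires: 2018-01-18 11:42:42 UTC
\tauto-renew: yes
Request ID '20160118114300':
\tissuer: CN=Third Party Issuing CA,O=Example Vendor
\tsubject: CN=ipa.example.com,O=EXAMPLE.COM
\texpires: 2017-01-18 11:42:42 UTC
\tauto-renew: no
"""

def parse_getcert_list(text):
    """Split `getcert list` text into one dict per 'Request ID' block."""
    entries, current = [], None
    for line in text.splitlines():
        match = re.match(r"Request ID '([^']+)':", line)
        if match:
            current = {"request_id": match.group(1)}
            entries.append(current)
        elif current is not None and line[:1].isspace() and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key] = value.strip()
    return entries

def parse_expires(value):
    """Parse certmonger's 'YYYY-MM-DD HH:MM:SS UTC' expiry into an aware datetime."""
    stamp = value[:-4] if value.endswith(" UTC") else value
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def manual_renewals(entries, now, warn_days=30):
    """Entries certmonger will not renew by itself (not issued through the IPA CA,
    or auto-renew off), with days left; those inside warn_days are flagged."""
    report = []
    for entry in entries:
        if entry.get("CA") == "IPA" and entry.get("auto-renew") == "yes":
            continue  # IPA-issued and tracked: renewed automatically
        days_left = (parse_expires(entry["expires"]) - now).days
        report.append({"request_id": entry["request_id"], "subject": entry.get("subject", ""),
                       "days_left": days_left, "warn": days_left <= warn_days})
    return report

if __name__ == "__main__":
    print(manual_renewals(parse_getcert_list(SAMPLE_GETCERT_LIST), datetime.now(timezone.utc)))
```

On a real server, pipe `getcert list` into `parse_getcert_list` instead of the sample; the IPA-issued entries drop out and only the externally issued HTTP/LDAP certificates remain in the report.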




More information about the Freeipa-users mailing list