[Freeipa-users] FreeIPA SSL certificates installed to multiple hosts

Rob Crittenden rcritten at redhat.com
Tue Jul 19 20:29:28 UTC 2016


Jeremy Utley wrote:
> Hello all!
>
> We're looking at replacing a lot of our currently self-signed internal
> SSL certificates in our infrastructure with certificates generated by
> the FreeIPA CA.  However, I've run into something that I haven't been
> able to find documented as of yet, and I'm hoping some of you can point
> me in the right direction.  Some of our internal SSL sites are
> load-balanced between multiple hosts, so we end up with the same SSL/Key
> installed to each host.  For example:
>
> hostname.domain.com is hosted on hostA and hostB.
>
> Both hostA and hostB have the certs at
> /etc/httpd/certs/hostname.domain.com/hostname.crt, and the private key at
> /etc/httpd/certs/hostname.domain.com/hostname.key
>
> I would expect I can have both hostA and hostB be able to work with the
> FreeIPA certificates by adding additional ipa host-add-managedby and ipa
> service-add-host commands, to specify both hostA and hostB.  However,
> from my understanding, running the "ipa-getcert request" command on
> hostA will put the certs on hostA only, and I'd need the same certs on
> both hostA and hostB.  Is there a special ipa-getcert incantation that
> can retrieve the already-issued certificate files, and allow them to be
> managed by FreeIPA on both hosts?  Or is there another recommended way
> of doing this?
>
> Thanks for any info you can give me!
>

IPA doesn't have any provision for sharing keys between machines. I
think you'd need to manage it similar to the way you probably do now:
manually copying files around.

What you can do is setup one machine to "own" the certs and keys and do
the renewals via certmonger, but beyond that you're on your own.

rob
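A shell sketch of the arrangement Rob describes, added here as an example (it is not from the thread and not FreeIPA's own tooling): hostA "owns" the certmonger request, and a certmonger post-save command (`-C`) pushes the renewed cert and key to hostB over SSH, which is the copying step done by hand otherwise. The hostnames and file paths are the ones Jeremy gave; the realm DOMAIN.COM, the hook path, the peer list and root SSH access between the hosts are assumptions.

```shell
#!/bin/sh
# Added example: one owner host requests/renews the cert via certmonger and a
# post-save hook copies the files to the peers. Realm, hook path and peer list
# are assumed for illustration; hostnames and paths follow the thread.

SERVICE_FQDN="hostname.domain.com"   # load-balanced name served by hostA and hostB
REALM="DOMAIN.COM"                   # assumed Kerberos realm
OWNER="hostA"                        # host that runs certmonger for this cert
PEERS="hostB"                        # hosts that receive copies of cert and key
CERT_DIR="/etc/httpd/certs/$SERVICE_FQDN"
CERT_FILE="$CERT_DIR/hostname.crt"
KEY_FILE="$CERT_DIR/hostname.key"
HOOK="/usr/local/sbin/sync-cert-$SERVICE_FQDN.sh"   # assumed post-save hook path

# Kerberos principal the certificate is issued for.
principal_for() {
    printf 'HTTP/%s@%s' "$1" "$2"
}

# Compose the ipa-getcert request line: -K principal, -N subject, -D SAN,
# -k/-f key and cert paths, -C the command certmonger runs after each save,
# so every renewal on the owner is followed by a push to the peers.
build_getcert_cmd() {
    printf 'ipa-getcert request -K %s -N CN=%s -D %s -k %s -f %s -C %s' \
        "$(principal_for "$1" "$2")" "$1" "$1" "$3" "$4" "$5"
}

# Hook body written to $HOOK. Private key travels only over SSH and is forced
# to mode 0600 on arrival; peers reload httpd rather than restart it.
write_hook() {
    cat <<EOF
#!/bin/sh
set -eu
for peer in $PEERS; do
    scp -p "$CERT_FILE" "$KEY_FILE" "root@\$peer:$CERT_DIR/"
    ssh "root@\$peer" "chmod 0600 '$KEY_FILE' && systemctl reload httpd"
done
EOF
}

# One-time setup, run on the owner host after 'kinit admin'.
setup() {
    princ=$(principal_for "$SERVICE_FQDN" "$REALM")
    # The load-balanced name needs a host entry before a service can hang off it;
    # --force skips the DNS check because no single machine answers to it.
    ipa host-add "$SERVICE_FQDN" --force
    ipa service-add "$princ"
    # Let both real hosts manage the entry and hold the service credentials
    # (the two commands Jeremy mentions).
    for h in $OWNER $PEERS; do
        ipa host-add-managedby "$SERVICE_FQDN" --hosts="$h"
        ipa service-add-host "$princ" --hosts="$h"
    done
    write_hook > "$HOOK" && chmod 0700 "$HOOK"
    mkdir -p "$CERT_DIR"
    eval "$(build_getcert_cmd "$SERVICE_FQDN" "$REALM" "$KEY_FILE" "$CERT_FILE" "$HOOK")"
}

if [ "${1:-}" = "--setup" ]; then
    setup
fi
```

Run it once as `sh sync-cert.sh --setup` on hostA; afterwards `ipa-getcert list` on hostA shows the tracking request, and each renewal triggers the hook. The peers never run certmonger for this certificate, which keeps a single place to watch for renewal failures.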
