[Freeipa-users] PKI signing certificate question

Anthony Clark anthonyclarka2 at gmail.com
Thu Jul 28 04:35:31 UTC 2016


I personally haven't done this, but from https://www.freeipa.org/page/PKI

"when --external-ca option is used, ipa-server-install produces a
certificate request for its CA certificate so that it can be
properly chained in existing PKI infrastructure."

and from
https://www.redhat.com/archives/freeipa-users/2014-January/msg00057.html

"First run ipa-server-install with --external-ca, which will create a CSR
for IPA CA certificate in /root/ipa.csr. Then sign the CSR with the
external CA to get the IPA CA certificate. Finally, run ipa-server-install
with --external_cert_file pointing to the IPA CA certificate and
--external_ca_file pointing to CA certificate of the external CA."

From that previous paragraph, it looks like the --external-ca option
doesn't actually install anything, just creates the correct CSR for the
domain you intend to create.

If you can create a temporary CentOS virtual machine you could run the
"ipa-server-install --external-ca" command and see what happens :)

Hope this helps,

Anthony Clark

On Wed, Jul 27, 2016 at 11:24 PM, William Muriithi <
william.muriithi at gmail.com> wrote:

> Hello
>
> I want to use an external certificate when setting up a new FreeIPA
> next week and plan to send the CSR tomorrow.
>
> I would like to source a certificate for example.com and use it on
> FreeIPA on eng.example.com.  I can't specifically set the FreeIPA on
> example.com because we have active directory on corp.example.com
>
> Is there a way for using FreeIPA with such a setup?  I am hoping that
> if I can set up FreeIPA using example.com, I can be able to generate
> certificates for both Windows and Linux plus others like
> vpn.example.com that don't sit well on either AD or FreeIPA domain.
>
> What's the best way to approach this?  If not possible, would setting
> FreeIPA as a sub domain for active directory help?
>
> Regards,
>
> William
>
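
The middle step of the procedure quoted in the reply above ("sign the CSR with the external CA"), as an added example that is not part of the original thread or of FreeIPA: it signs a CSR as a subordinate CA with openssl and checks the result before it would go back to the installer. The external CA, the CSR standing in for /root/ipa.csr, every file name and subject, and the function names are constructed assumptions.

```shell
#!/bin/sh
# Added example. All keys, subjects and file names are constructed stand-ins;
# nothing here is produced by ipa-server-install.

# make_fixtures DIR: throwaway external CA, plus a CSR standing in for /root/ipa.csr.
make_fixtures() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=EXAMPLE.COM/CN=Constructed External CA" \
        -keyout "$1/external-ca.key" -out "$1/external-ca.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=ENG.EXAMPLE.COM/CN=Certificate Authority" \
        -keyout "$1/ipa-ca.key" -out "$1/ipa.csr" 2>/dev/null
}

# sign_csr DIR MODE: sign DIR/ipa.csr with the external CA, writing DIR/ipa.crt.
# MODE=subca adds the extensions a subordinate CA certificate needs;
# MODE=plain signs it like an ordinary end-entity request.
sign_csr() {
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' > "$1/subca.ext"
    if [ "$2" = subca ]; then
        openssl x509 -req -in "$1/ipa.csr" -days 30 -CA "$1/external-ca.crt" \
            -CAkey "$1/external-ca.key" -CAcreateserial \
            -extfile "$1/subca.ext" -out "$1/ipa.crt" 2>/dev/null
    else
        openssl x509 -req -in "$1/ipa.csr" -days 30 -CA "$1/external-ca.crt" \
            -CAkey "$1/external-ca.key" -CAcreateserial \
            -out "$1/ipa.crt" 2>/dev/null
    fi
}

# check_ipa_ca_cert CERT EXTERNAL_CA: the checks worth running on the signed
# certificate before handing it back to the installer.
check_ipa_ca_cert() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || { echo chain-broken; return 1; }
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE' || { echo not-a-ca; return 1; }
    echo ok
}
```

A certificate signed in plain mode still chains to the external CA but lacks CA:TRUE, so it could not act as an issuing CA; check_ipa_ca_cert reports that case as not-a-ca.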