[Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates

Fraser Tweedale ftweedal at redhat.com
Thu Jun 2 22:24:19 UTC 2016


On Thu, Jun 02, 2016 at 05:35:01PM -0400, bret.wortman at damascusgrp.com wrote:
> Sorry, let me back up a step. We need to implement https
> everywhere. All our web services. And clients need to get
> keys&certs automatically whether through IPA or Puppet. These
> systems use IPA for everything but authentication (to keep most
> users off). I'm trying to suss out the easiest way to make this
> happen smoothly.
> 
Hi Bret,

You can use the IPA CA to sign service certificates.  See
http://www.freeipa.org/page/Certmonger#Request_a_new_certificate.

IPA-enrolled machines already have the IPA certificate in their
trust store.  If the clients are IPA-enrolled, everything should
Just Work, otherwise you can distribute the IPA CA certificate to
clients via Puppet** or whatever means you prefer.

** you will have to work out how, because I do not know Puppet :)

Cheers,
Fraser

> 
> 
> On Jun 2, 2016, 5:31 PM -0400, Rob Crittenden <rcritten at redhat.com>, wrote:
> > Bret Wortman wrote:
> > > Is it possible to use our freeipa CA as a trusted CA to sign our
> > > internal SSL certificates? Our system runs on a private network and so
> > > using the usual trusted sources isn't an option. We've been using
> > > self-signed, but that adds some additional complications and we thought
> > > this might be a good solution.
> > > 
> > > Is it possible, and, since most online guides defer to "submit the CSR
> > > to Verisign" or whomever, how would you go about producing one in this way?
> > 
> > Not sure I understand the question. The IPA CA is also self-signed. For
> > enrolled systems though at least the CA is pre-distributed so maybe that
> > will help.
> > 
> > rob
> > 
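The certmonger request Fraser points to, together with the client-side checks that a distributed CA certificate actually validates the issued service certificate, as an added example that is not part of the thread or of FreeIPA itself. It assumes an IPA-enrolled host with certmonger and openssl, the default /etc/ipa/ca.crt and /etc/pki/tls paths, and an HTTP/<fqdn> service principal already created with `ipa service-add`.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): request a
# web-service certificate from the IPA CA through certmonger, then check
# that it chains to the IPA CA the way a client will on every handshake.
# Assumptions: an IPA-enrolled host with certmonger and openssl, the
# default IPA CA path, and HTTP/<fqdn> already created with `ipa service-add`.
set -eu

IPA_CA_CERT=/etc/ipa/ca.crt   # installed by ipa-client-install on enrolled hosts
CERT_DIR=/etc/pki/tls/certs
KEY_DIR=/etc/pki/tls/private

# Build the ipa-getcert arguments for one service host. Kept separate from
# the call so the request can be reviewed before anything contacts the CA.
# Refuses short names: the Kerberos principal and SAN must use the FQDN.
getcert_args() {
    fqdn=$1
    case $fqdn in
        *.*) ;;
        *) echo "getcert_args: '$fqdn' is not a fully qualified name" >&2; return 1 ;;
    esac
    echo "request -N CN=$fqdn -K HTTP/$fqdn -D $fqdn -k $KEY_DIR/$fqdn.key -f $CERT_DIR/$fqdn.crt"
}

# Submit the request; certmonger tracks it and renews it before expiry.
request_cert() {
    # shellcheck disable=SC2046   # deliberate word splitting of the argument string
    ipa-getcert $(getcert_args "$1")
    ipa-getcert list -f "$CERT_DIR/$1.crt"    # status becomes MONITORING once issued
}

# What a non-enrolled client that received ca.crt (via Puppet or otherwise)
# must be able to do: validate the service certificate against the IPA CA.
verify_chain() {
    openssl verify -CAfile "$IPA_CA_CERT" "$CERT_DIR/$1.crt"
}

# SHA-256 fingerprint of a CA file, for comparing the copy a client received
# with the one on an enrolled host before trusting the distribution channel.
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

case "${1:-}" in
    request)     request_cert "$2" ;;
    verify)      verify_chain "$2" ;;
    fingerprint) ca_fingerprint "${2:-$IPA_CA_CERT}" ;;
    *) ;;   # no action when sourced or run without a verb
esac
```

`ipa-getcert request` also accepts `-C` to run a command, such as reloading the web server, after each issuance or renewal.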
