[Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates

bret.wortman at damascusgrp.com bret.wortman at damascusgrp.com
Thu Jun 2 23:25:53 UTC 2016


Cool. I'll give this a go in the morning.

Bret Wortman
http://wrapbuddies.co/


On Jun 2, 2016, 6:24 PM -0400, Fraser Tweedale<ftweedal at redhat.com>, wrote:
> On Thu, Jun 02, 2016 at 05:35:01PM -0400, bret.wortman at damascusgrp.com wrote:
> > Sorry, let me back up a step. We need to implement hype
> > everywhere. All our web services. And clients need to get
> > keys&certs automatically whether through IPA or Puppet. These
> > systems use IPA for everything but authentication (to keep most
> > users off). I'm trying to wuss out the easiest way to make this
> > happen smoothly.
> > 
> Hi Bret,
> 
> You can use the IPA CA to sign service certificates. See
> http://www.freeipa.org/page/Certmonger#Request_a_new_certificate.
> 
> IPA-enrolled machines already have the IPA certificate in their
> trust store. If the clients are IPA-enrolled, everything should
> Just Work, otherwise you can distribute the IPA CA certificate to
> clients via Puppet** or whatever means you prefer.
> 
> ** you will have to work out how, because I do not know Puppet :)
> 
> Cheers,
> Fraser
> 
> > 
> > 
> > On Jun 2, 2016, 5:31 PM -0400, Rob Crittenden<rcritten at redhat.com>, wrote:
> > > Bret Wortman wrote:
> > > > Is it possible to use our freeipa CA as a trusted CA to sign our
> > > > internal SSL certificates? Our system runs on a private network and so
> > > > using the usual trusted sources isn't an option. We've been using
> > > > self-signed, but that adds some additional complications and we thought
> > > > this might be a good solution.
> > > > 
> > > > Is it possible, and, since most online guides defer to "submit the CSR
> > > > to Verisign" or whomever, how would you go about producing one in this way?
> > > 
> > > Not sure I understand the question. The IPA CA is also self-signed. For
> > > enrolled systems though at least the CA is pre-distributed so maybe that
> > > will help.
> > > 
> > > rob
> > > 
> 
> 
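
The trust relationship described in the reply above, as an added example that is not part of the thread or of FreeIPA's own tooling: a client accepts a service certificate only when the issuing CA is in the trust file it checks against, and only for the hostname the certificate names. The CAs, the hostname `web01.example.test` and all file names are constructed with openssl as stand-ins; in a real deployment the CA file is the IPA CA certificate and the service certificate is issued by IPA.

```shell
#!/usr/bin/env bash
# Constructed stand-ins: demo CAs and a demo service cert made with openssl.
# In a real deployment the CA file is the one IPA publishes (/etc/ipa/ca.crt
# on enrolled hosts) and the service cert is issued by IPA via certmonger.

# make_demo_ca DIR NAME: self-signed CA certificate DIR/NAME.crt plus key
make_demo_ca() {
  cat > "$1/$2.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = EXAMPLE.TEST
CN = $2
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$1/$2.cnf" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# issue_demo_cert DIR CA HOST: server cert DIR/HOST.crt signed by DIR/CA
issue_demo_cert() {
  openssl req -new -newkey rsa:2048 -nodes -config "$1/$2.cnf" \
    -subj "/O=EXAMPLE.TEST/CN=$3" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
  printf 'subjectAltName = DNS:%s\n' "$3" > "$1/$3.ext"
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -CAcreateserial -days 2 -extfile "$1/$3.ext" -out "$1/$3.crt" 2>/dev/null
}

# trusts_service_cert CAFILE CERT HOST: returns 0 only if CERT chains to
# CAFILE and its subjectAltName covers HOST.
trusts_service_cert() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Demo run on constructed data.
d=$(mktemp -d)
make_demo_ca "$d" demo-ipa-ca && issue_demo_cert "$d" demo-ipa-ca web01.example.test
trusts_service_cert "$d/demo-ipa-ca.crt" "$d/web01.example.test.crt" \
  web01.example.test && echo "client holding the CA cert: certificate accepted"
rm -rf "$d"
```

Running `trusts_service_cert` against the CA file that Puppet (or any other mechanism) delivered to a non-enrolled client is a quick way to confirm the distribution worked before pointing real clients at the service.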