[Freeipa-users] Using our IPA CA as a trusted CA to sign ssl certificates
Bret Wortman
bret.wortman at damascusgrp.com
Fri Jun 3 11:36:53 UTC 2016
So for our internal yum server, I created a new key and cert request (it
had a localhost key and cert but I wanted to start clean):
# openssl genrsa 2048 > /etc/pki/tls/private/server.key
# openssl req -new -x509 -nodes -sha1 -days 365 \
    -key /etc/pki/tls/private/server.key > /etc/pki/tls/certs/server.crt
# ipa-getcert request -f /etc/pki/tls/certs/server.crt \
    -k /etc/pki/tls/private/server.key -r
ipa-getcert list shows it approved. I set up SSL in apache to use the
above .key and .crt, but when I try to run yum against this using ssl:
# yum search ffmpeg
Loaded plugins: langpacks
https://yum.private.net/fedora/releases/21/Everything/x86_64/os/repodata/repomd.xml:
[Errno 14] curl#60 - "Peer's certificate issuer has been marked as
not trusted by the user."
:
Is there a step I need to take on the clients so they'll accept this
cert as trusted? I thought having it be signed by the IPA CA would have
taken care of that.
# ls -l /etc/ipa/ca.crt
-rw-r--r-- 1 root root 2546 Apr 28 2014 /etc/ipa/ca.crt
#
---
Bret
On 06/02/2016 07:25 PM, bret.wortman at damascusgrp.com wrote:
> Cool. I'll give this a go in the morning.
>
> Bret Wortman
> http://wrapbuddies.co/
>
> On Jun 2, 2016, 6:24 PM -0400, Fraser Tweedale <ftweedal at redhat.com>,
> wrote:
>> On Thu, Jun 02, 2016 at 05:35:01PM -0400,
>> bret.wortman at damascusgrp.com wrote:
>>> Sorry, let me back up a step. We need to implement https
>>> everywhere. All our web services. And clients need to get
>>> keys&certs automatically whether through IPA or Puppet. These
>>> systems use IPA for everything but authentication (to keep most
>>> users off). I'm trying to suss out the easiest way to make this
>>> happen smoothly.
>>>
>> Hi Bret,
>>
>> You can use the IPA CA to sign service certificates. See
>> http://www.freeipa.org/page/Certmonger#Request_a_new_certificate.
>>
>> IPA-enrolled machines already have the IPA certificate in their
>> trust store. If the clients are IPA-enrolled, everything should
>> Just Work, otherwise you can distribute the IPA CA certificate to
>> clients via Puppet** or whatever means you prefer.
>>
>> ** you will have to work out how, because I do not know Puppet :)
>>
>> Cheers,
>> Fraser
>>
>>>
>>>
>>> On Jun 2, 2016, 5:31 PM -0400, Rob Crittenden <rcritten at redhat.com>,
>>> wrote:
>>>> Bret Wortman wrote:
>>>>> Is it possible to use our freeipa CA as a trusted CA to sign our
>>>>> internal SSL certificates? Our system runs on a private network and so
>>>>> using the usual trusted sources isn't an option. We've been using
>>>>> self-signed, but that adds some additional complications and we
>>>>> thought
>>>>> this might be a good solution.
>>>>>
>>>>> Is it possible, and, since most online guides defer to "submit the CSR
>>>>> to Verisign" or whomever, how would you go about producing one in
>>>>> this way?
>>>>
>>>> Not sure I understand the question. The IPA CA is also self-signed. For
>>>> enrolled systems though at least the CA is pre-distributed so maybe
>>>> that
>>>> will help.
>>>>
>>>> rob
>>>>
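The curl#60 error above means the client built a chain to the certificate's issuer and did not find that issuer in its trust store, which is exactly the case Fraser describes for a non-enrolled client: enrolled machines already carry /etc/ipa/ca.crt in the system trust store, everyone else needs it pushed out. The script below is an added example, not code from the thread or from the FreeIPA project: it checks whether a service certificate chains to a given CA file, prints the issuer that the client would have to trust, fetches the certificate a server actually presents, and installs the IPA CA into the Fedora/RHEL trust store. The /etc/ipa/ca.crt and /etc/pki/ca-trust paths and update-ca-trust are what an IPA client on Fedora/RHEL has; the throwaway CA and leaf built by make_demo_pki are constructed here so the checks can be exercised offline (its subject imitates the default IPA CA subject, O=REALM, CN=Certificate Authority).

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or FreeIPA itself):
# helpers for the "certificate issuer has been marked as not trusted"
# situation. Paths are the Fedora/RHEL layout an IPA client uses; the
# demo PKI at the bottom is constructed for a stand-alone run.
set -u

# Return 0 if the PEM certificate in $1 chains to the CA in $2 and nothing
# else; -no-CAfile/-no-CApath keep the host's default store out of the check.
cert_chains_to_ca() {
    cert="$1"; ca_file="$2"
    openssl verify -no-CAfile -no-CApath -CAfile "$ca_file" "$cert" >/dev/null 2>&1
}

# Print the issuer DN of a PEM certificate: this is the name the client
# must find in its trust store, and what the curl#60 message refers to.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//'
}

# Fetch the leaf certificate a TLS server presents (what yum/curl sees),
# so a mismatch between the file on disk and the running service shows up.
fetch_server_cert() {
    host="$1"; port="${2:-443}"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509
}

# Install the IPA CA as a system-wide trust anchor (Fedora/RHEL layout);
# an IPA-enrolled host already has this, non-enrolled ones need it pushed.
install_ipa_ca() {
    ca_file="${1:-/etc/ipa/ca.crt}"
    install -m 0644 "$ca_file" /etc/pki/ca-trust/source/anchors/ipa-ca.crt \
        && update-ca-trust extract
}

# Constructed demo PKI: a CA shaped like the default IPA CA, a leaf it
# issued, and a self-signed leaf like the one "openssl req -x509" creates.
make_demo_pki() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/O=EXAMPLE.TEST/CN=Certificate Authority" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=EXAMPLE.TEST/CN=yum.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -sha256 -out "$dir/server.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=localhost" -keyout "$dir/self.key" -out "$dir/self.crt" 2>/dev/null
}

# Stand-alone run: build the demo PKI and report on both leaves.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_demo_pki "$d"
    for c in server self; do
        if cert_chains_to_ca "$d/$c.crt" "$d/ca.crt"; then
            echo "$c.crt: trusted via $(cert_issuer "$d/$c.crt")"
        else
            echo "$c.crt: issuer '$(cert_issuer "$d/$c.crt")' is not the CA"
        fi
    done
fi
```

On a real client the check is `cert_chains_to_ca /path/to/server.crt /etc/ipa/ca.crt`, or `fetch_server_cert yum.private.net > /tmp/seen.crt` first if you want to test what Apache is actually serving rather than the file you think it serves. A `-sha1` self-signed certificate produced with `openssl req -x509`, as in the first post, has its own subject as issuer; it only becomes useful as a chain member once ipa-getcert has replaced it with the CA-issued one, so run the check against the file after the request shows as MONITORING.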