[Freeipa-users] Install IPA Servers with third-party certificate(external CA)

beeth beeth beeth2006 at gmail.com
Thu Sep 29 09:46:37 UTC 2016


Thanks for the quick response Florence!

My goal is to use a 3rd party certificate (such as a Verisign cert) for the Web
UI (company security requirement); in fact we are not required to use a 3rd
party certificate for the LDAP server, but as I mentioned earlier, I
couldn't make the new Verisign cert work with the Web UI without
messing up the IPA function (after I updated the nss.conf to use the new
cert in the /etc/httpd/alias db, the ipa-client-install failed). So I tried
to follow the Red Hat instructions, to see if I can get the Verisign cert
installed at the very beginning, without using FreeIPA's own/default
certificate, but I got the CSR question.

I did install IPA without a CA, by following the instructions at
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP, but
failed to restart HTTPD. When and how can I provide the 3rd-party
certificate? Could you please point me to a document about the details? Thanks
again!


On Thu, Sep 29, 2016 at 5:25 AM, Florence Blanc-Renaud <flo at redhat.com>
wrote:

> Hi,
>
> The instructions that you followed are used when you want to install
> FreeIPA with an embedded Certificate Authority (i.e. FreeIPA is able to issue
> certificates), and the FreeIPA CA is signed by a 3rd party CA.
>
> Maybe your goal is just to use a 3rd party certificate for IPA's LDAP
> server and Web UI. In this case, you do not need to install FreeIPA with an
> embedded CA. You can follow the instructions for Installing without a CA
> [1], where you will need to provide a 3rd-party certificate.
>
> Hope this clarifies,
> Flo.
>
> [1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-ca
>
>
>
> On 09/29/2016 11:03 AM, beeth beeth wrote:
>
>> I am trying to set up IPA servers with a Verisign certificate, so that the
>> Admin Web console can use a publicly signed certificate to meet the company's
>> security requirement. But when I try to follow Red Hat's instructions at
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-external-ca,
>>
>> 2.3.5. Installing a Server with an External CA as the Root CA,
>> at the first step it says to generate a CSR by adding the --external-ca
>> option to the ipa-server-install utility, which does generate a CSR at
>> /root/ipa.csr. However, the ipa-server-install command in fact doesn't
>> ask for a Distinguished Name (DN) or the organization info (like country,
>> state, etc.), which are required in the CSR. Without a valid CSR file, I
>> can't request new Verisign certs. Did I miss something?
>>
>> Originally I once tried to change the default certificate for Apache(the
>> Web Admin console) ONLY to the Verisign one, by adding the certificates
>> to the /etc/httpd/alias database with the command:
>>   # ipa-server-certinstall -w --http_pin=test verisign.pk12
>> And updated the nss.conf for httpd, so that the new Nickname is used to
>> point to the Verisign certs. That worked well for the website. However,
>> the IPA client installation failed after that for the
>> "ipa-client-install":
>>
>> ERROR Joining realm failed: libcurl failed to execute the HTTP POST
>> transaction, explaining:  Peer's certificate issuer has been marked as
>> not trusted by the user.
>>
>> Even when I also tried to update the certificate for the Directory
>> service (ipa-server-certinstall -d ... ), the client installation still
>> failed. I believe the new Verisign cert messed up the communication of
>> the IPA components. Then I am thinking of installing the IPA server from
>> scratch with the Verisign cert, but then I hit the CSR problem described
>> above.
>>
>> Please advise. Thanks!
>>
>>
>>
>
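Two checks that bear on this thread, as an added example that is not part of the thread and not FreeIPA's own tooling: reading the subject DN already embedded in a CSR (the reason the installer never prompts for one), and reproducing the "issuer not trusted" condition the client reported by verifying a server certificate against a trust store with and without its issuing CA. All certificates are throwaway ones constructed in a temp directory; the host name and CA names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: reproduce the trust
# failure the IPA client reported, using a throwaway CA and leaf made here.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-ins for the third-party (Verisign) chain in the thread:
# a CA, and a server certificate for the IPA web/LDAP host signed by it.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Third-Party CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -subj "/CN=ipa.example.test" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/srv.pem" >/dev/null 2>&1

# A second, unrelated CA: a trust store holding only this CA knows nothing
# about the issuer of srv.pem, which is the client's situation in the thread.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" >/dev/null 2>&1

# csr_subject CSR: print the subject DN already embedded in a CSR. Run this on
# the CSR an installer writes before sending it to a CA; the DN was chosen by
# the tool that generated the request, not prompted for.
csr_subject() {
    openssl req -in "$1" -noout -subject | sed 's/^subject=//'
}

# verify_chain CERT CA_BUNDLE: 0 if CERT chains to a CA in CA_BUNDLE, else 1.
# This is the same decision a TLS client makes before trusting the server.
verify_chain() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Stand-alone demonstration.
echo "CSR subject: $(csr_subject "$WORK/srv.csr")"
if verify_chain "$WORK/srv.pem" "$WORK/ca.pem"; then
    echo "issuer CA in trust store: chain OK"
fi
if ! verify_chain "$WORK/srv.pem" "$WORK/other.pem"; then
    echo "issuer CA missing from trust store: peer's issuer not trusted"
fi
```

Point verify_chain at the real server certificate and the CA bundle the clients actually use to confirm the third-party issuer is present before swapping the certificate in.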