[Freeipa-users] Install IPA Servers with third-party certificate(external CA)
Florence Blanc-Renaud
flo at redhat.com
Thu Sep 29 10:03:52 UTC 2016
On 09/29/2016 11:43 AM, beeth beeth wrote:
> Thanks for the quick response Florence!
>
> My goal is to use a 3rd party certificate (such as Verisign cert) for
> Web UI (company security requirement), in fact we are not required to use
> 3rd party certificate for the LDAP server, but as I mentioned earlier, I
> couldn't make the new Verisign cert work with the Web UI, without
> messing up the IPA function (after I updated the nss.conf to use the new
> cert in the /etc/httpd/alias db, the ipa_client_install failed). So I
> tried to follow the Redhat instruction, to see if I can get the Verisign
> cert installed at the very beginning, without using FreeIPA's
> own/default certificate, but I got the CSR question.
>
> I did install IPA without a CA, by following the instruction at
> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP,
> but failed to restart HTTPD. When and how can I provide the 3rd-party
> certificate? Could you please point me to a document about the details?
Hi,
you first need to clarify whether you want FreeIPA to act as a CA or not.
The setup will depend on this choice.
- option a) FreeIPA with an embedded CA:
you can install FreeIPA with a self-signed CA, then follow the
instructions at
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
in order to replace the WebUI certificate. Please note that there were
some bugs in ipa-server-certinstall, preventing httpd from starting
(Ticket #4786 [1]). The workaround is to manually update nss.conf (as
you did) and manually import the CA certificate into
/etc/pki/pki-tomcat/alias, for instance with
$ certutil -A -d /etc/pki/pki-tomcat/alias -i cacert.pem -n nickname -t C,,
- option b) FreeIPA without CA
the installation instructions are in Installing without a CA [2]. You
will provide the certificate that will be used by both the LDAP server
and the WebUI in the command options.
HTH,
Flo.
[1] https://fedorahosted.org/freeipa/ticket/4786
[2] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-ca
> Thanks again!
>
>
> On Thu, Sep 29, 2016 at 5:25 AM, Florence Blanc-Renaud <flo at redhat.com> wrote:
>
> Hi,
>
> The instructions that you followed are used when you want to install
> FreeIPA with an embedded Certificate Authority (ie FreeIPA is able
> to issue certificates), and FreeIPA CA is signed by a 3rd party CA.
>
> Maybe your goal is just to use a 3rd party certificate for IPA's
> LDAP server and Web UI. In this case, you do not need to install
> FreeIPA with an embedded CA. You can follow the instructions for
> Installing without a CA [1], where you will need to provide a
> 3rd-party certificate.
>
> Hope this clarifies,
> Flo.
>
> [1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-ca
>
>
>
> On 09/29/2016 11:03 AM, beeth beeth wrote:
>
> I am trying to set up IPA servers with Verisign certificate, so that the
> Admin Web console can use public signed certificate to meet company's
> security requirement. But when I try to follow Red Hat's instructions at
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-external-ca,
> 2.3.5. Installing a Server with an External CA as the Root CA, at the
> first step it says to generate CSR by adding the --external-ca option to
> the ipa-server-install utility, which does generate a CSR at
> /root/ipa.csr. However, the ipa-server-install command in fact doesn't
> ask for Distinguished Name (DN) or the organization info (like country,
> state, etc.), which are required in the CSR. Without a valid CSR file, I
> can't request new Verisign certs. Did I miss something?
>
> Originally I once tried to change the default certificate for Apache (the
> Web Admin console) ONLY to the Verisign one, by adding the certificates
> to the /etc/httpd/alias database with the command:
> # ipa-server-certinstall -w --http_pin=test verisign.pk12
> And updated the nss.conf for httpd, so that the new Nickname is used to
> point to the Verisign certs. That worked well for the website. However,
> the IPA client installation failed after that for the
> "ipa-client-install":
>
> ERROR Joining realm failed: libcurl failed to execute the HTTP POST
> transaction, explaining: Peer's certificate issuer has been marked as
> not trusted by the user.
>
> Even when I also tried to update the certificate for the Directory
> service (ipa-server-certinstall -d ... ), the client installation still
> failed. I believe the new Verisign cert messed up the communication of
> the IPA components. Then I am thinking of installing the IPA server from
> scratch with the Verisign cert, but then I hit the CSR problem described
> above.
>
> Please advise. Thanks!
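As an added example (not part of this thread, and not FreeIPA's own tooling), a small POSIX shell check for the option (a) workaround above: after importing the third-party CA with `certutil -A ... -t C,,`, it confirms that the nickname is present in an NSS database such as /etc/pki/pki-tomcat/alias or /etc/httpd/alias with a CA trust flag (C or T) in the SSL column, which is what the later error "Peer's certificate issuer has been marked as not trusted" hinges on. The function names and the sample `certutil -L` listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that a CA certificate imported into an NSS database
# is present and carries an SSL trust flag (C or T), as "-t C,," should give.

# ssl_trust_flags NICKNAME   (reads "certutil -L -d <db>" output on stdin)
# Prints the SSL trust column for NICKNAME, "-" if that column is empty.
ssl_trust_flags() {
    awk -v nick="$1" '
        # Skip the two header lines and blank lines of the listing.
        /^Certificate Nickname/ || $1 == "SSL,S/MIME,JAR/XPI" || NF < 2 { next }
        {
            attrs = $NF                              # e.g. "CTu,Cu,Cu" or "C,,"
            line = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", line)    # strip attrs -> nickname
            if (line == nick) {
                split(attrs, col, ",")               # col[1] is the SSL column
                print (col[1] == "" ? "-" : col[1])
                exit
            }
        }'
}

# is_trusted_ca NICKNAME   (reads "certutil -L" output on stdin)
# Returns 0 when NICKNAME exists and is a trusted CA for SSL (C or T flag),
# 1 when it exists without such a flag, 2 when it is missing entirely.
is_trusted_ca() {
    flags=$(ssl_trust_flags "$1")
    [ -n "$flags" ] || { echo "no certificate with nickname '$1'" >&2; return 2; }
    case "$flags" in
        *C*|*T*) return 0 ;;
        *) echo "'$1' has SSL trust '$flags' (no C/T flag)" >&2; return 1 ;;
    esac
}

# check_nssdb DBDIR NICKNAME: run the check against a real database.
check_nssdb() {
    certutil -L -d "$1" | is_trusted_ca "$2"
}

# Constructed sample listing, in the layout certutil -L prints (not real data).
sample_listing() {
    cat <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert                                                  u,u,u
ThirdParty-CA                                                C,,
EOF
}
```

Run as `check_nssdb /etc/pki/pki-tomcat/alias nickname` after the import; `sample_listing | is_trusted_ca ThirdParty-CA` exercises the parser offline.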