[Freeipa-users] Install IPA Servers with third-party certificate(external CA)

Thu Sep 29 11:26:10 UTC 2016

Hi Florence,

I previously tried option a) and failed(need to find out why later), but I
was able to successfully reinstall the server and the client with option
b), thanks a lot! So when it says "Installing Without a CA", it means
without a "embeded CA"(the IPA's own CA), is that right?

Another main problem comes up for option b): now I am going to install the
replica server(ipa2), if I do the same as I did before:

[root at ipa1 ~]# ipa-replica-prepare ipa2.example.com

copy the gpg file from ipa1 to ipa2

[root at ipa2 ~]# ipa-replica-install
/var/lib/ipa/replica-info-ipa2.example.com.gpg

Then I believe the Apache on ipa2(the replica server) will use the Verisign
certificate with the same hostname(DN): ipa1.example.com, NOT
ipa2.example.com, hence the users who visit https://ipa2.example.com will
experience security warning from the browser, as expected...
What could be a solution for this?

Thanks again!

On Thu, Sep 29, 2016 at 6:03 AM, Florence Blanc-Renaud <flo at redhat.com>
wrote:

> On 09/29/2016 11:43 AM, beeth beeth wrote:
>
>> Thanks for the quick response Florence!
>>
>> My goal is the use a 3rd party certificate(such as Verisign cert) for
>> Web UI(company security requirement), in fact we are not required to use
>> 3rd party certificate for the LDAP server, but as I mentioned earlier, I
>> couldn't make the new Verisign cert to work with the Web UI, without
>> messing up the IPA function(after I updated the nss.conf to use the new
>> cert in the /etc/httpd/alias db, the ipa_client_install failed). So I
>> tried to follow the Redhat instruction, to see if I can get the Verisign
>> cert installed at the most beginning, without using FreeIPA's
>> own/default certificate), but I got the CSR question.
>>
>> I did install IPA without a CA, by following the instruction at
>> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP,
>> but failed to restart HTTPD. When and how can I provide the 3rd-party
>> certificate? Could you please point me a document about the detail?
>>
> Hi,
>
> you need first to clarify if you want FreeIPA to act as a CA or not. The
> setup will depend on this choice.
>
> - option a) FreeIPA with an embedded CA:
> you can install FreeIPA with a self-signed CA, then follow the
> instructions at https://www.freeipa.org/page/U
> sing_3rd_part_certificates_for_HTTP/LDAP in order to replace the WebUI
> certificate. Please note that there were some bugs in
> ipa-server-certinstall, preventing httpd from starting (Ticket #4786 [1]).
> The workaround is to manually update nss.conf (as you did) and manually
> import the CA certificate into /etc/pki/pki-tomcat/alias, for instance with
> $ certutil -A -d /etc/pki/pki-tomcat/alias -i cacert.pem -n nickname -t C,,
>
>
> - option b) Free IPA without CA
> the installation instructions are in Installing without a CA [2]. You will
> provide the certificate that will be used by both the LDAP server and the
> WebUI in the command options.
>
> HTH,
> Flo.
>
> [1] https://fedorahosted.org/freeipa/ticket/4786
> [2] https://access.redhat.com/documentation/en-US/Red_Hat_Enterp
> rise_Linux/7/html/Linux_Domain_Identity_Authentication_and_
> Policy_Guide/install-server.html#install-server-without-ca
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160929/435eaa88/attachment.htm>