[Freeipa-users] Install IPA Servers with third-party certificate(external CA)

Rob Crittenden rcritten at redhat.com
Thu Sep 29 12:12:52 UTC 2016


beeth beeth wrote:
> Hi Florence,
>
> I previously tried option a) and failed (need to find out why later), but
> I was able to successfully reinstall the server and the client with
> option b), thanks a lot! So when it says "Installing Without a CA", it
> means without an "embedded CA" (the IPA's own CA), is that right?
>
> Another main problem comes up for option b): now I am going to install
> the replica server(ipa2), if I do the same as I did before:
>
> [root at ipa1 ~]# ipa-replica-prepare ipa2.example.com
>
> copy the gpg file from ipa1 to ipa2
>
> [root at ipa2 ~]# ipa-replica-install /var/lib/ipa/replica-info-ipa2.example.com.gpg
>
> Then I believe the Apache on ipa2 (the replica server) will use the
> Verisign certificate with the same hostname (DN): ipa1.example.com,
> NOT ipa2.example.com, hence the users who visit
> https://ipa2.example.com will experience a security warning from the
> browser, as expected...
> What could be a solution for this?
>
> Thanks again!
>
>
> On Thu, Sep 29, 2016 at 6:03 AM, Florence Blanc-Renaud <flo at redhat.com> wrote:
>
>     On 09/29/2016 11:43 AM, beeth beeth wrote:
>
>         Thanks for the quick response Florence!
>
>         My goal is to use a 3rd party certificate (such as Verisign cert) for
>         the Web UI (company security requirement); in fact we are not
>         required to use a 3rd party certificate for the LDAP server, but as I
>         mentioned earlier, I couldn't make the new Verisign cert work with
>         the Web UI without messing up the IPA function (after I updated
>         nss.conf to use the new cert in the /etc/httpd/alias db, the
>         ipa_client_install failed). So I tried to follow the Red Hat
>         instructions, to see if I can get the Verisign cert installed at the
>         very beginning, without using FreeIPA's own/default certificate, but
>         I got the CSR question.
>
>         I did install IPA without a CA, by following the instructions at
>         https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP,
>         but failed to restart HTTPD. When and how can I provide the 3rd-party
>         certificate? Could you please point me to a document about the details?
>
>     Hi,
>
>     you need first to clarify if you want FreeIPA to act as a CA or not.
>     The setup will depend on this choice.
>
>     - option a) FreeIPA with an embedded CA:
>     you can install FreeIPA with a self-signed CA, then follow the
>     instructions at
>     https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>     in order to replace the WebUI certificate. Please note that there
>     were some bugs in ipa-server-certinstall, preventing httpd from
>     starting (Ticket #4786 [1]). The workaround is to manually update
>     nss.conf (as you did) and manually import the CA certificate into
>     /etc/pki/pki-tomcat/alias, for instance with
>     $ certutil -A -d /etc/pki/pki-tomcat/alias -i cacert.pem -n nickname -t C,,
>
>
>     - option b) Free IPA without CA
>     the installation instructions are in Installing without a CA [2].
>     You will provide the certificate that will be used by both the LDAP
>     server and the WebUI in the command options.

You'd need either a separate certificate or one with multiple subject 
alternative names, one for each master. I also imagine you'd need to 
provide this certificate at replica preparation time if you've installed 
without a CA.

rob

>
>     HTH,
>     Flo.
>
>     [1] https://fedorahosted.org/freeipa/ticket/4786
>     [2] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-ca
>
>
>

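An added example, not code from the thread or from the FreeIPA project: a shell script that requests one certificate whose subject alternative names cover both masters named above (ipa1.example.com and ipa2.example.com), and that checks whether a certificate covers a replica's hostname before it is reused there. It assumes openssl is on the PATH; the self-signed certificate is only a constructed stand-in for the CA-issued one.

```shell
#!/bin/sh
# Added example (not from the thread): one CSR with a SAN per IPA master, then
# a hostname check to run before ipa-replica-prepare / ipa-replica-install.
# Hostnames are the thread's examples; self-signing only stands in for the CA.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Write an openssl config requesting a DNS SAN for every master given.
# Usage: write_san_config <config-path> <host1> [host2 ...]
write_san_config() {
    cfg="$1"; shift
    {
        printf '[req]\ndistinguished_name = dn\nreq_extensions = v3_req\nprompt = no\n'
        printf '[dn]\nCN = %s\n' "$1"
        printf '[v3_req]\nsubjectAltName = @alt\n[alt]\n'
        i=1
        for h in "$@"; do printf 'DNS.%d = %s\n' "$i" "$h"; i=$((i + 1)); done
    } > "$cfg"
}

# Generate a key and CSR covering the given masters; prints the CSR path.
make_csr() {
    write_san_config "$WORK/san.cnf" "$@"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/ipa.key" \
        -config "$WORK/san.cnf" -out "$WORK/ipa.csr" 2>/dev/null
    echo "$WORK/ipa.csr"
}

# Print the requested SANs, e.g. "DNS:ipa1.example.com,DNS:ipa2.example.com".
csr_sans() {
    openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
        | tail -n1 | tr -d ' '
}

# Exit 0 when the certificate's names cover the hostname, 1 otherwise.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Constructed stand-in for the CA-issued certificate: self-sign the CSR,
# carrying the same SAN extension; prints the certificate path.
self_sign() {
    openssl x509 -req -in "$1" -signkey "$WORK/ipa.key" -days 1 \
        -extfile "$WORK/san.cnf" -extensions v3_req -out "$WORK/ipa.crt" 2>/dev/null
    echo "$WORK/ipa.crt"
}

# Example run: one certificate for both masters, then the replica check.
CSR=$(make_csr ipa1.example.com ipa2.example.com)
CRT=$(self_sign "$CSR")
cert_covers_host "$CRT" ipa2.example.com && echo "ipa2.example.com is covered"
```

A certificate that fails the check for the replica's hostname would produce exactly the browser warning described above, so the check belongs before the replica is prepared.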


