[Freeipa-users] Install IPA Servers with third-party certificate(external CA)
Florence Blanc-Renaud
flo at redhat.com
Thu Sep 29 13:36:07 UTC 2016
On 09/29/2016 02:12 PM, Rob Crittenden wrote:
> beeth beeth wrote:
>> Hi Florence,
>>
>> I previously tried option a) and failed(need to find out why later), but
>> I was able to successfully reinstall the server and the client with
>> option b), thanks a lot! So when it says "Installing Without a CA", it
>> means without a "embeded CA"(the IPA's own CA), is that right?
>>
>> Another main problem comes up for option b): now I am going to install
>> the replica server(ipa2), if I do the same as I did before:
>>
>> [root at ipa1 ~]# ipa-replica-prepare ipa2.example.com
>> <http://ipa2.example.com>
>>
>> copy the gpg file from ipa1 to ipa2
>>
>> [root at ipa2 ~]# ipa-replica-install
>> /var/lib/ipa/replica-info-ipa2.example.com.gpg
>>
>> Then I believe the Apache on ipa2(the replica server) will use the
>> Verisign certificate with the same hostname(DN): ipa1.example.com
>> <http://ipa1.example.com>, NOT ipa2.example.com
>> <http://ipa2.example.com>, hence the users who visit
>> https://ipa2.example.com will experience security warning from the
>> browser, as expected...
>> What could be a solution for this?
>>
>> Thanks again!
>>
>>
>> On Thu, Sep 29, 2016 at 6:03 AM, Florence Blanc-Renaud <flo at redhat.com
>> <mailto:flo at redhat.com>> wrote:
>>
>> On 09/29/2016 11:43 AM, beeth beeth wrote:
>>
>> Thanks for the quick response Florence!
>>
>> My goal is the use a 3rd party certificate(such as Verisign
>> cert) for
>> Web UI(company security requirement), in fact we are not
>> required to use
>> 3rd party certificate for the LDAP server, but as I mentioned
>> earlier, I
>> couldn't make the new Verisign cert to work with the Web UI,
>> without
>> messing up the IPA function(after I updated the nss.conf to use
>> the new
>> cert in the /etc/httpd/alias db, the ipa_client_install failed).
>> So I
>> tried to follow the Redhat instruction, to see if I can get the
>> Verisign
>> cert installed at the most beginning, without using FreeIPA's
>> own/default certificate), but I got the CSR question.
>>
>> I did install IPA without a CA, by following the instruction at
>>
>> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>>
>> <https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP>,
>> but failed to restart HTTPD. When and how can I provide the
>> 3rd-party
>> certificate? Could you please point me a document about the
>> detail?
>>
>> Hi,
>>
>> you need first to clarify if you want FreeIPA to act as a CA or not.
>> The setup will depend on this choice.
>>
>> - option a) FreeIPA with an embedded CA:
>> you can install FreeIPA with a self-signed CA, then follow the
>> instructions at
>>
>> https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
>>
>> <https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP>
>> in order to replace the WebUI certificate. Please note that there
>> were some bugs in ipa-server-certinstall, preventing httpd from
>> starting (Ticket #4786 [1]). The workaround is to manually update
>> nss.conf (as you did) and manually import the CA certificate into
>> /etc/pki/pki-tomcat/alias, for instance with
>> $ certutil -A -d /etc/pki/pki-tomcat/alias -i cacert.pem -n nickname
>> -t C,,
>>
>>
>> - option b) Free IPA without CA
>> the installation instructions are in Installing without a CA [2].
>> You will provide the certificate that will be used by both the LDAP
>> server and the WebUI in the command options.
>
> You'd need either a separate certificate or one with multiple subject
> alternative names, one for each master. I also imagine you'd need to
> provide this certificate at replica preparation time if you've installed
> without a CA.
>
Yes, that's right. You can use the command ipa-replica-prepare with the
options --dirsrv-cert-file / --dirsrv-pin and --http-cert-file /
--http-pin to provide the replica's certificate and key. They will be
embedded in the replica file and used during the replica installation.
Flo.
> rob
>
>>
>> HTH,
>> Flo.
>>
>> [1] https://fedorahosted.org/freeipa/ticket/4786
>> <https://fedorahosted.org/freeipa/ticket/4786>
>> [2]
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-ca
>>
>>
>> <https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-ca>
>>
>>
>>
>>
>
More information about the Freeipa-users
mailing list