[Freeipa-users] is ipa-cert-manage safe to use?
Harald Dunkel
harald.dunkel at aixigo.de
Tue May 16 13:13:46 UTC 2017
On 05/15/17 16:44, Rob Crittenden wrote:
>
> I'm confused. You mention replacing some "externally signed certificate"
> and yet then ask switching to externally signed certificates. What is
> the current configuration? What is signing the existing server certs? Or
> do you have an external CA signing the IPA CA?
>
The current servers have been installed with --external-ca. freeipa
created a csr, it was signed by an external CA and handed off back
to the freeipa server.

The question was if I should drop the whole certificate support
in freeipa. It's called "CA-less install", if I got this correctly.
I am not sure if it is possible to switch from external-ca to
CA-less.
> ipa-cacert-manage is for managing the CA certificate, not service
> certificates.
>
Sure. Point is that I don't see how a problem on replacing freeipa's
(externally signed) CA certificate by a new one affects freeipa.

Sorry to say, but at install time I did not have the impression
that "ipa-server-install --external-ca" was thoroughly tested
before. I ran straight into a problem, but fortunately that didn't
matter, because freeipa was not in production use yet. (Look for
"ipa-server-install --external-ca failed" on this mailing list,
thread started 2015-12-15.)

Today it is in production use. If I brick freeipa today, then I
have a huge problem, so I am concerned.
Regards
Harri