<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 10/13/2014 03:39 PM, quest monger
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAO-=20_9cYTfOqTW7FgZ6=Se4icdrgjoH3mA8dyGiPJVisO5_w@mail.gmail.com"
      type="cite">
      <div dir="ltr">I found some documentation for getting a certificate
        signed by an external CA (2.3.3.2. Using Different CA
        Configurations) - <a moz-do-not-send="true"
href="http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/creating-server.html">http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/creating-server.html</a>
        <div><br>
        </div>
        <div>But it looks like those instructions apply to a first-time
          fresh install, not for upgrading an existing install.</div>
        <div><br>
        </div>
        <div><br>
        </div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Mon, Oct 13, 2014 at 3:24 PM, quest
          monger <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:quest.monger@gmail.com" target="_blank">quest.monger@gmail.com</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div dir="ltr">I was told by my admin team that self-signed
              certs pose a security risk.
              <div><br>
              </div>
            </div>
            <div class="HOEnZb">
              <div class="h5">
                <div class="gmail_extra"><br>
                  <div class="gmail_quote">On Mon, Oct 13, 2014 at 3:17
                    PM, Rob Crittenden <span dir="ltr">&lt;<a
                        moz-do-not-send="true"
                        href="mailto:rcritten@redhat.com"
                        target="_blank">rcritten@redhat.com</a>&gt;</span>
                    wrote:<br>
                    <blockquote class="gmail_quote" style="margin:0 0 0
                      .8ex;border-left:1px #ccc solid;padding-left:1ex">
                      <div>
                        <div>quest monger wrote:<br>
                          > Hello All,<br>
                          ><br>
                          > I installed FreeIPA server on a CentOS
                          host. I have 20+ Linux and<br>
                          > Solaris clients hooked up to it. SSH and
                          Sudo work on all clients.<br>
                          ><br>
                          > I would like to replace the self-signed
                          cert that is used on Port 389<br>
                          > and 636.<br>
                          ><br>
                          > Is there a way to do this without
                          re-installing the server and clients.<br>
                          <br>
                        </div>
                      </div>
                      Why do you want to do this?<br>
                      <span><font color="#888888"><br>
                          rob<br>
                          <br>
                        </font></span></blockquote>
                  </div>
                  <br>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
      <br>
    </blockquote>
    <br>
    Do I get it right that you installed IPA using a self-signed
    certificate and now want to change it?<br>
    What version of IPA do you have? Did you use a self-signed CA-less
    install or a self-signed CA?<br>
    The tools to change the chaining are only being released in 4.1 so
    you might have to move to the latest when we release 4.1 for CentOS.<br>
    <br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
  </body>
</html>