<div dir="ltr"><div>Thanks for your help.<br><br></div>James<br></div><div class="gmail_extra"><br><div class="gmail_quote">2015-04-09 7:17 GMT+02:00 Jan Cholasta <span dir="ltr"><<a href="mailto:jcholast@redhat.com" target="_blank">jcholast@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Dne 8.4.2015 v 17:43 James James napsal(a):<span class=""><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
It's a little bit more clear. Thanks.<br>
<br>
I have created a new ipa 4.1 replica but when I want to run:<br>
<br>
# ipa-cacert-manage renew --self-signed<br>
<br>
I get this message:<br>
<br>
[root@ipa-devel-centos7 ~]# ipa-cacert-manage renew --self-signed<br>
CA is not configured on this system<br>
</blockquote>
<br></span>
You can run ipa-cacert-manage only on IPA servers with CA installed.<span class=""><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
If I want to install the CA I get this message:<br>
<br>
[root@ipa-devel-centos7 system]# ipa-ca-install --password=mypassorwd -U<br>
CA is already installed.<br>
</blockquote>
<br></span>
This command is used to install CA in CA-less IPA environment. The error message is a bit misleading and we have a ticket for that: <<a href="https://fedorahosted.org/freeipa/ticket/4492" target="_blank">https://fedorahosted.org/freeipa/ticket/4492</a>>.<span class=""><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Do I have to promote the replica to a standalone master before<br>
installing the CA?<br>
</blockquote>
<br></span>
You need to run ipa-ca-install with the replica info file used to create the replica to install the CA:<br>
<br>
    # ipa-ca-install <path to replica info file><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">
<br>
Any hints will be appreciated...<br>
<br>
<br>
James<br>
<br>
<br>
2015-04-08 7:27 GMT+02:00 Jan Cholasta <<a href="mailto:jcholast@redhat.com" target="_blank">jcholast@redhat.com</a><br></span>
<mailto:<a href="mailto:jcholast@redhat.com" target="_blank">jcholast@redhat.com</a>>>:<div><div class="h5"><br>
<br>
    Dne 7.4.2015 v 15:31 Martin Kosek napsal(a):<br>
<br>
        On 04/07/2015 02:08 PM, James James wrote:<br>
<br>
            I will try to give a better explanation :<br>
<br>
<br>
            I have a CentOS 6.6 with ipa 3.0 named ipa-master.<br>
            ipa-master has been<br>
            installed with an external CA about 3 years ago and I will<br>
            have to renew<br>
            the certificate soon.<br>
<br>
            I have created a test server (ipa-dev) with the same<br>
            configuration (centos<br>
            6.6 and ipa 3.0) to test the renewal process. I want the new<br>
            ipa-dev server<br>
            to be installed with an external CA.<br>
<br>
            At the same time my external CA has changed and wants the<br>
            emailAddress<br>
            field in the certificate request's subject.<br>
<br>
<br>
        CSR during installation with external CA is produced by Dogtag,<br>
        so you are<br>
        constrained with the options and capabilities provided by<br>
        ipa-server-install.<br>
        Maybe it would be possible to modify the CSR and update the<br>
        Subject manually,<br>
        but I expect it would crash the installer later (JanC may know<br>
        more (CCed))<br>
<br>
<br>
    The subject name identifies the CA in server (and other)<br>
    certificates. If you change it, you break the trust chain from the<br>
    CA certificate to the server certificates and that will break all<br>
    SSL in IPA.<br>
<br>
<br>
            If it is not possible to add emailAddress in the subject, is<br>
            it possible to<br>
            migrate my ipa-master CA system from an external CA to a<br>
            CA-less or<br>
            self-signed CA ?<br>
<br>
<br>
        It is, with ipa-cacert-manage - see links below.<br>
<br>
<br>
    You can change your external CA to self-signed CA in IPA 4.1 or<br>
    newer by running:<br>
<br>
         # ipa-cacert-manage renew --self-signed<br>
<br>
    You can't change external CA to CA-less.<br>
<br>
<br>
<br>
            Thanks.<br>
<br>
            2015-04-07 13:48 GMT+02:00 Martin Kosek <<a href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a><br></div></div>
            <mailto:<a href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a>>>:<span class=""><br>
<br>
                On 04/07/2015 01:44 PM, James James wrote:<br>
<br>
                    ok.<br>
<br>
                    Is there a way to migrate from an external CA to a<br>
                    CA-less or a self-signed CA?<br>
<br>
<br>
                Yes, you can use ipa-cacert-manage tool introduced in<br>
                FreeIPA 4.1.0:<br>
<br></span>
                <a href="https://www.freeipa.org/page/Howto/CA_Certificate_Renewal" target="_blank">https://www.freeipa.org/page/Howto/CA_Certificate_Renewal</a><br>
                <a href="https://www.freeipa.org/page/V4/CA_certificate_renewal" target="_blank">https://www.freeipa.org/page/V4/CA_certificate_renewal</a><span class=""><br>
<br>
                (Although I am still not sure about your use case and if<br>
                this would help<br>
                you)<br>
<br>
<br>
                    2015-04-07 12:51 GMT+02:00 Martin Kosek<br></span>
                    <<a href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a> <mailto:<a href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a>>>:<span class=""><br>
<br>
                        On 04/03/2015 11:39 AM, James James wrote:<br>
<br>
                            Hello,<br>
<br>
                            I want to initialize a new replica with an<br>
                            external CA. My Certificate<br>
                            Authority wants a CSR with the field<br>
                            emailAddress in the subject like :<br>
<br></span>
                            /C=FR/O=TESTO/OU=TESTOU/CN=*.example.com/emailAddress=none@none.com<span class=""><br>
<br>
<br>
                        I am not a bit confused. Do you plan to have<br>
                        FreeIPA *without* a CA or<br>
                        with own<br>
                        CA signed by external CA?<br>
<br>
                        FreeIPA supports these kinds of setups right now:<br></span>
                        <a href="http://www.freeipa.org/page/PKI#Blending_in_PKI_infrastructure" target="_blank">http://www.freeipa.org/page/PKI#Blending_in_PKI_infrastructure</a><span class=""><br>
<br>
                            How can I do this with the ipa-server-install<br>
                            command? I have been trying for a few days<br>
                            but I still can't.<br>
<br>
                            Thanks for your help.<br>
<br>
<br>
                        CCing Honza who should know the definitive<br>
                        answer. However, FreeIPA was not very flexible<br>
                        in configuring special subjects for its CA<br>
                        certificate (i.e. cn=Certificate Authority, ou=...)<br>
                        or hosts in case of CA-less setup.<br>
<br>
<br>
    --<br>
    Jan Cholasta<br>
<br>
<br>
</span></blockquote><span class="HOEnZb"><font color="#888888">
<br>
<br>
-- <br>
Jan Cholasta<br>
</font></span></blockquote></div><br></div>
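An added example, not code from this thread or from FreeIPA: a small stdlib Python parser for the OpenSSL one-line subject format James's external CA asked for, with a check for required attributes and a simple issuer/subject comparison illustrating Jan's point that an altered CA subject no longer matches the issuer name carried by existing server certificates. The function names and the installed CA subject `/O=EXAMPLE.COM/CN=Certificate Authority` are assumptions constructed for the example.

```python
# Added example (not from the thread, nor FreeIPA code): parse the OpenSSL
# one-line subject format James's external CA asked for, report required
# attributes that are missing, and compare two names the way a chain check
# does (a server cert's issuer name must equal the CA cert's subject).
import re

# Attribute type spellings OpenSSL accepts, mapped to one canonical form.
_CANONICAL = {"c": "C", "st": "ST", "l": "L", "o": "O", "ou": "OU", "cn": "CN",
              "e": "emailAddress", "email": "emailAddress",
              "emailaddress": "emailAddress"}

def parse_subject(line):
    """Turn '/C=FR/O=X/CN=y' into [(attr, value), ...]; '\\/' and '\\=' escape."""
    if not line.startswith("/"):
        raise ValueError("subject must start with '/'")
    rdns = []
    for part in re.split(r"(?<!\\)/", line)[1:]:  # split on unescaped '/'
        m = re.match(r"([^=]+)=(.*)$", part)
        if not m:
            raise ValueError("malformed RDN: %r" % part)
        attr = m.group(1).strip()
        attr = _CANONICAL.get(attr.lower(), attr)
        value = m.group(2).replace("\\/", "/").replace("\\=", "=")
        rdns.append((attr, value))
    return rdns

def missing_attributes(rdns, *required):
    """Names from `required` that do not occur in the parsed subject."""
    present = {attr for attr, _ in rdns}
    return [attr for attr in required if attr not in present]

def same_name(a, b):
    """Order-sensitive, case-insensitive name comparison (a simplification of
    the RFC 5280 section 7.1 rules, which also normalise whitespace)."""
    fold = lambda rdns: [(x.lower(), y.lower()) for x, y in rdns]
    return fold(a) == fold(b)

if __name__ == "__main__":
    # Constructed values: what the external CA wants versus the issuer name
    # that existing server certificates carry (the CA subject as installed).
    wanted = parse_subject("/C=FR/O=TESTO/OU=TESTOU/CN=*.example.com"
                           "/emailAddress=none@none.com")
    issuer = parse_subject("/O=EXAMPLE.COM/CN=Certificate Authority")
    print("installed CA subject lacks:",
          missing_attributes(issuer, *(a for a, _ in wanted)))
    # Hand-editing the CA subject to add emailAddress breaks the match:
    edited = issuer + [("emailAddress", "none@none.com")]
    print("issuer still matches edited CA subject:", same_name(issuer, edited))
```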