<div dir="ltr"><div>Thanks for your help. </div>James </div><div class="gmail_extra"> <div class="gmail_quote">2015-04-09 7:17 GMT+02:00 Jan Cholasta <<a href="mailto:jcholast@redhat.com" target="_blank">jcholast@redhat.com</a>>: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Dne 8.4.2015 v 17:43 James James napsal(a): <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> It's a little bit more clear. Thanks. I have created a new ipa 4.1 replica but when I want run : # ipa-cacert-manage renew --self-signed I've got this message : [root@ipa-devel-centos7 ~]# ipa-cacert-manage renew --self-signed CA is not configured on this system </blockquote> You can run ipa-cacert-manage only on IPA servers with CA installed. <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> If I want to install the CA I've got this message : [root@ipa-devel-centos7 system]# ipa-ca-install --password=mypassorwd -U CA is already installed. </blockquote> This command is used to install CA in CA-less IPA environment. The error message is a bit misleading and we have a ticket for that: <<a href="https://fedorahosted.org/freeipa/ticket/4492" target="_blank">https://fedorahosted.org/freeipa/ticket/4492</a>>. <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Should I have to promote the replica to a standalone master before installing the CA ? </blockquote> You need to run ipa-ca-install with the replica info file used to create the replica to install the CA: # ipa-ca-install <path to replica info file> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Any hints will be appreciated... James 2015-04-08 7:27 GMT+02:00 Jan Cholasta <<a href="mailto:jcholast@redhat.com" target="_blank">jcholast@redhat.com</a> <mailto:<a href="mailto:jcholast@redhat.com" target="_blank">jcholast@redhat.com</a>>>:<div><div class="h5"> Dne 7.4.2015 v 15:31 Martin Kosek napsal(a): On 04/07/2015 02:08 PM, James James wrote: I will try to give a better explanation : I have a CentOS 6.6 with ipa 3.0 named ipa-master. ipa-master has been installed with an external CA about 3 years ago and I will have to renew the certificate soon. I have created a test server (ipa-dev) with the same configuration (centos 6.6 and ipa 3.0) to test the renewal process. I want the new ipa-dev sever to be installed with an external CA. In the same time my external CA has changed and wants the emailAddress field in the certificate request 's subject. CSR during installation with external CA is produced by Dogtag, so you are constrained with the options and capabilities provided by ipa-server-install. Maybe it would be possible to modify the CSR and update the Subject manually, but I expect it would crash the installer later (JanC may know more (CCed)) The subject name identifies the CA in server (and other) certificates. If you change it, you break the trust chain from the CA certificate to the server certificates and that will break all SSL in IPA. If it is not possible to add emailAddress in the subject, is it possible to migrate my ipa-master CA system from an external CA to a CA-less or self-signed CA ? It is, with ipa-cacert-manage - see links below. You can change your external CA to self-signed CA in IPA 4.1 or newer by running: # ipa-cacert-manage renew --self-signed You can't change external CA to CA-less. Thanks. 2015-04-07 13:48 GMT+02:00 Martin Kosek <<a href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a> </div></div> <mailto:<a href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a>>>: On 04/07/2015 01:44 PM, James James wrote: ok. Is there a way to migrate from an external CA to a CA-less or a self-signed CA ? Yes, you can use ipa-cacert-manage tool introduced in FreeIPA 4.1.0: <a href="https://www.freeipa.org/page/__Howto/CA_Certificate_Renewal" target="_blank">https://www.freeipa.org/page/__Howto/CA_Certificate_Renewal</a> <<a href="https://www.freeipa.org/page/Howto/CA_Certificate_Renewal" target="_blank">https://www.freeipa.org/page/Howto/CA_Certificate_Renewal</a>> <a href="https://www.freeipa.org/page/__V4/CA_certificate_renewal" target="_blank">https://www.freeipa.org/page/__V4/CA_certificate_renewal</a> <<a href="https://www.freeipa.org/page/V4/CA_certificate_renewal" target="_blank">https://www.freeipa.org/page/V4/CA_certificate_renewal</a>> (Although I am still not sure about your use case and if this would help you) 2015-04-07 12:51 GMT+02:00 Martin Kosek <<a href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a> <mailto:<a href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a>>>: On 04/03/2015 11:39 AM, James James wrote: Hello, I want to initialize a new replica with an external CA. My Certificate Authority wants a CSR with the field emailAddress in the subject like : /C=FR/O=TESTO/OU=TESTOU/CN=*.<a href="http://e__xample.com/emailAddress=none@__none.com" target="_blank">e__xample.com/emailAddress=none@__none.com</a> <<a href="http://example.com/emailAddress=none@none.com" target="_blank">http://example.com/emailAddress=none@none.com</a>> I am not a bit confused. Do you plan to have FreeIPA *without* a CA or with own CA signed by external CA? FreeIPA supports these kinds of setups right now: <a href="http://www.freeipa.org/page/__PKI#Blending_in_PKI___infrastructure" target="_blank">http://www.freeipa.org/page/__PKI#Blending_in_PKI___infrastructure</a> <<a href="http://www.freeipa.org/page/PKI#Blending_in_PKI_infrastructure" target="_blank">http://www.freeipa.org/page/PKI#Blending_in_PKI_infrastructure</a>> How can I do with the ipa-server-install command ? I have been trying for few days but I still can't. Thanks for your help. CCing Honza who should know the definitive answer. However, FreeIPA was not very flexible in configuring special subjects for it's CA certificate (i.e. cn=Certificate Authority, ou=...) or hosts in case of CA-less setup. -- Jan Cholasta </blockquote> -- Jan Cholasta </blockquote></div> </div>