<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 05/14/2015 10:15 AM, David Little
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAMOPc3nefSbe4zaQwgX_O8Vtx1G7VQKGJZnGtUUpUCfxDX5q3g@mail.gmail.com"
      type="cite">
      <div dir="ltr">Hi there,
        <div><br>
        </div>
        <div>I was reading this document regarding using 3rd party
          certificates in FreeIPA:</div>
        <div><br>
        </div>
        <div><a moz-do-not-send="true"
href="https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP">https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP</a><br>
        </div>
        <div><br>
        </div>
        <div>Which includes the information "<span
            style="color:rgb(46,52,54);font-family:'Source Sans
            Pro',sans-serif;font-size:14px;line-height:20px">The
            certificate in mysite.crt must be signed by the CA used when
            installing FreeIPA."</span></div>
        <div><span style="color:rgb(46,52,54);font-family:'Source Sans
            Pro',sans-serif;font-size:14px;line-height:20px"><br>
          </span></div>
        <div>Also this thread: <a moz-do-not-send="true"
href="http://www.redhat.com/archives/freeipa-users/2014-August/msg00338.html">http://www.redhat.com/archives/freeipa-users/2014-August/msg00338.html</a><br>
        </div>
        <div><br>
        </div>
        <div>Which says at the end " I'm wondering if it's because of
          this from the doc "The certificate in mysite.crt must be
          signed by the CA used when installing FreeIPA."  but it might
          not either...</div>
        <div><br>
        </div>
        <div> In this case you should get a "file.p12 is not signed by</div>
        <div> /etc/ipa/ca.crt, or the full certificate chain is not</div>
        <div> present in the PKCS#12 file" error in
          ipa-server-certinstall."</div>
        <div><br>
        </div>
        <div>This brings me to my question... If I have an existing
          multi-server FreeIPA setup with multiple IPA client
          installations, using a self-signed CA certificate for
          /etc/ipa/ca.crt, would I need to start over the FreeIPA
          installation from scratch using the public root CA, which
          signed the wildcard certificate?</div>
        <div><br>
        </div>
        <div><br>
        </div>
        <div><br>
        </div>
        <div>Thanks,<br>
          Dave</div>
        <div><br>
        </div>
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
    </blockquote>
    Did you get an answer?<br>
    If not, starting with 4.1 IPA has a tool that can change the chaining and
    also convert from CA-less to CA-full. I am not sure it can do the
    reverse, so you might in fact have to start over.<br>
    <a class="moz-txt-link-freetext" href="http://www.freeipa.org/page/V4/CA-less_to_CA-full_conversion">http://www.freeipa.org/page/V4/CA-less_to_CA-full_conversion</a><br>
    <pre class="moz-signature" cols="72">-- 
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.</pre>
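    <br>
    Added example, not code from this thread, from FreeIPA or from Red Hat: a
    POSIX shell script that rebuilds, with openssl alone, the check behind the
    ipa-server-certinstall message quoted above ("file.p12 is not signed by
    /etc/ipa/ca.crt, or the full certificate chain is not present in the
    PKCS#12 file"). It constructs a throwaway "IPA CA" with one subordinate CA
    and a throwaway public root, packages a wildcard certificate three ways,
    and reports which bundles chain to the IPA CA. Every CA, DN, SAN, file
    name and the password <tt>secret</tt> are made up for the demonstration;
    it assumes openssl 1.1.1 or later on PATH and never runs
    ipa-server-certinstall itself.<br>

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): reproduce the
# "signed by /etc/ipa/ca.crt with the full chain present" precondition
# quoted from ipa-server-certinstall using only openssl.  Everything
# below (CAs, DNs, file names, the password "secret") is constructed
# for the demonstration and stands in for /etc/ipa/ca.crt and a
# purchased wildcard certificate.  Assumes openssl 1.1.1+ on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extensions go through -extfile so the result does not depend on the
# [v3_ca] defaults of whichever openssl.cnf happens to be installed.
EXT_CA='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign'
EXT_SRV='basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:*.ipa.example.test'

# gen_csr NAME SUBJECT      -> $WORK/NAME.key, $WORK/NAME.csr
gen_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}
# self_sign NAME EXTS       -> $WORK/NAME.crt, a self-signed root
self_sign() {
    printf '%s\n' "$2" >"$WORK/$1.ext"
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 365 \
        -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" >/dev/null 2>&1
}
# issue NAME ISSUER EXTS    -> $WORK/NAME.crt signed by ISSUER's key
issue() {
    printf '%s\n' "$3" >"$WORK/$1.ext"
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 365 -extfile "$WORK/$1.ext" \
        -out "$WORK/$1.crt" >/dev/null 2>&1
}

# check_p12 FILE PASSWORD CAFILE: returns 0 only if the server certificate
# in FILE chains up to CAFILE using nothing but the CA certificates carried
# inside FILE.  The leaf is the cert bag carrying a localKeyID (it matches
# the private key); -cacerts yields the rest, used as untrusted intermediates.
check_p12() {
    p12=$1; pass=$2; cafile=$3
    d=$(mktemp -d "$WORK/chk.XXXXXX")
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts \
        -out "$d/leaf.pem" 2>/dev/null || return 1
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -cacerts \
        -out "$d/chain.pem" 2>/dev/null || return 1
    # -no-CApath: do not consult the default certificate directory; only
    # CAFILE may act as the trust anchor, exactly as /etc/ipa/ca.crt would.
    set -- -CAfile "$cafile" -no-CApath
    if grep -q 'BEGIN CERTIFICATE' "$d/chain.pem"; then
        set -- "$@" -untrusted "$d/chain.pem"
    fi
    openssl verify "$@" "$d/leaf.pem" >/dev/null 2>&1
}

build_pki() {
    gen_csr ipa-ca   '/O=EXAMPLE.TEST/CN=Certificate Authority'; self_sign ipa-ca "$EXT_CA"
    gen_csr ipa-sub  '/O=EXAMPLE.TEST/CN=Subordinate CA';        issue ipa-sub ipa-ca "$EXT_CA"
    gen_csr www      '/O=EXAMPLE.TEST/CN=*.ipa.example.test';    issue www ipa-sub "$EXT_SRV"
    gen_csr pub-root '/O=Some Public CA/CN=Public Root';         self_sign pub-root "$EXT_CA"
    gen_csr pub-www  '/O=EXAMPLE.TEST/CN=*.ipa.example.test';    issue pub-www pub-root "$EXT_SRV"
    # full:    leaf + the subordinate CA that issued it  (chains to ipa-ca)
    # nochain: the same leaf with the intermediate left out (chain incomplete)
    # foreign: leaf from the public root, root included    (wrong CA entirely)
    openssl pkcs12 -export -passout pass:secret -inkey "$WORK/www.key" -in "$WORK/www.crt" \
        -certfile "$WORK/ipa-sub.crt" -out "$WORK/full.p12" 2>/dev/null
    openssl pkcs12 -export -passout pass:secret -inkey "$WORK/www.key" -in "$WORK/www.crt" \
        -out "$WORK/nochain.p12" 2>/dev/null
    openssl pkcs12 -export -passout pass:secret -inkey "$WORK/pub-www.key" -in "$WORK/pub-www.crt" \
        -certfile "$WORK/pub-root.crt" -out "$WORK/foreign.p12" 2>/dev/null
}

build_pki
for f in full nochain foreign; do
    if check_p12 "$WORK/$f.p12" secret "$WORK/ipa-ca.crt"; then
        echo "$f.p12: chains to ipa-ca.crt"
    else
        echo "$f.p12: not signed by ipa-ca.crt, or the full chain is not in the PKCS#12"
    fi
done
```

    Against a real server the CAFILE argument would be /etc/ipa/ca.crt. The
    foreign.p12 case is the situation in the question: a wildcard issued by a
    public root does not verify against a self-signed IPA CA no matter how
    complete the chain inside the bundle is, while nochain.p12 fails only
    because the intermediate was left out of the PKCS#12.<br>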
  </body>
</html>