<html> <head> <meta content="text/html; charset=windows-1252" http-equiv="Content-Type"> </head> <body text="#000000" bgcolor="#FFFFFF"> So for our internal yum server, I created a new key and cert request (it had a localhost key and cert but I wanted to start clean): <blockquote><tt># openssl genrsa 2048 > /etc/pki/tls/private/server.key</tt> <tt># openssl req -new -x509 -nodes -sha1 -days 365 -key /etc/pki/tls/private/server.key > /etc/pki/tls/certs/server.crt</tt> <tt># ipa-getcert request -f /etc/pki/tls/certs/server.crt -k /etc/pki/tls/private/server.key -r</tt> </blockquote> ipa-getcert list shows it approved. I set up SSL in apache to use the above .key and .crt, but when I try to run yum against this using ssl: <blockquote><tt># yum search ffmpeg</tt> <tt>Loaded plugins: langpacks</tt> <tt><a class="moz-txt-link-freetext" href="https://yum.private.net/fedora/releases/21/Everything/x86_64/os/repodata/repomd.xml">https://yum.private.net/fedora/releases/21/Everything/x86_64/os/repodata/repomd.xml</a>: [Errno 14] curl#60 - "Peer's certificate issuer has been marked as not trusted by the user."</tt> <tt>:</tt> </blockquote> Is there a step I need to take on the clients so they'll accept this cert as trusted? I thought having it be signed by the IPA CA would have taken care of that. <blockquote><tt># ls -l /etc/ipa/ca.crt</tt> <tt>-rw-r--r-- 1 root root 2546 Apr 28 2014 /etc/ipa/ca.crt</tt> <tt>#</tt> </blockquote> --- Bret <div class="moz-cite-prefix">On 06/02/2016 07:25 PM, <a class="moz-txt-link-abbreviated" href="mailto:bret.wortman@damascusgrp.com">bret.wortman@damascusgrp.com</a> wrote: </div> <blockquote cite="mid:b0aa17ae-de3c-446f-8cab-48cace412554@Spark" type="cite"> <title></title> <div name="messageBodySection">Cool. I'll give this a go in the morning.</div> <div name="messageSignatureSection"> Bret Wortman <div><a class="moz-txt-link-freetext" href="http://wrapbuddies.co/">http://wrapbuddies.co/</a></div> </div> <div name="messageReplySection"> On Jun 2, 2016, 6:24 PM -0400, Fraser Tweedale <a class="moz-txt-link-rfc2396E" href="mailto:ftweedal@redhat.com"><ftweedal@redhat.com></a>, wrote: <blockquote type="cite">On Thu, Jun 02, 2016 at 05:35:01PM -0400, <a class="moz-txt-link-abbreviated" href="mailto:bret.wortman@damascusgrp.com">bret.wortman@damascusgrp.com</a> wrote: <blockquote type="cite">Sorry, let me back up a step. We need to implement hype everywhere. All our web services. And clients need to get keys&certs automatically whether through IPA or Puppet. These systems use IPA for everything but authentication (to keep most users off). I'm trying to wuss out the easiest way to make this happen smoothly. </blockquote> Hi Bret, You can use the IPA CA to sign service certificates. See <a class="moz-txt-link-freetext" href="http://www.freeipa.org/page/Certmonger#Request_a_new_certificate">http://www.freeipa.org/page/Certmonger#Request_a_new_certificate</a>. IPA-enrolled machines already have the IPA certificate in their trust store. If the clients are IPA-enrolled, everything should Just Work, otherwise you can distribute the IPA CA certificate to clients via Puppet** or whatever means you prefer. ** you will have to work out how, because I do not know Puppet :) Cheers, Fraser <blockquote type="cite"> On Jun 2, 2016, 5:31 PM -0400, Rob Crittenden<a class="moz-txt-link-rfc2396E" href="mailto:rcritten@redhat.com"><rcritten@redhat.com></a>, wrote: <blockquote type="cite">Bret Wortman wrote: <blockquote type="cite">Is it possible to use our freeipa CA as a trusted CA to sign our internal SSL certificates? Our system runs on a private network and so using the usual trusted sources isn't an option. We've been using self-signed, but that adds some additional complications and we thought this might be a good solution. Is it possible, and, since most online guides defer to "submit the CSR to Verisign" or whomever, how would you go about producing one in this way? </blockquote> Not sure I understand the question. The IPA CA is also self-signed. For enrolled systems though at least the CA is pre-distributed so maybe that will help. rob </blockquote> </blockquote> <blockquote type="cite">-- Manage your subscription for the Freeipa-users mailing list: <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a> Go to <a class="moz-txt-link-freetext" href="http://freeipa.org">http://freeipa.org</a> for more info on the project </blockquote> </blockquote> </div> <fieldset class="mimeAttachmentHeader"></fieldset> </blockquote> </body> </html>