On 08/28/2018 05:57 PM, Alexander Bokovoy via FreeIPA-users wrote:
On Tue, 28 Aug 2018, Peter Tselios via FreeIPA-users wrote:
Hello,
I have a FreeIPA installation (4.5.4). There is a one-way trust with the ActiveDirectory server.
We had setup 2 different CAs (one for the Linux domain and one for the
AD). However, the management decided to use only the AD CA, thus I need
to convert the FreeIPA CA to an AD subordinate CA.  So, I am looking
for a way to replace the CA in the FreeIPA without re-installing it.
Is it possible?
If so, can you please point me to the correct documentation? (What I
found so far is for installation, not migration).
There is a tool 'ipa-cacert-manage' that allows changes to CA
certificates.

One of the tests we have in FreeIPA is testing a switch of the integrated CA to
an externally signed one:

https://pagure.io/freeipa/blob/master/f/ipatests/test_integration/test_external_ca.py#_190-214

It is done in two steps:

1. Run 'ipa-cacert-manage renew --external-ca --external-ca-type=ms-cs' to generate a signing
request. Pass that CSR to AD CA to sign. See man page for the tool for
more options and details.

2. Run 'ipa-cacert-manage renew --external-cert-file=FILE' to provide
the resulting signed certificate back to IPA.

You'd need to experiment with the tool on a test setup to see how it
behaves and what is needed to properly go through the process.

I will also add that this procedure will replace the FreeIPA CA but will not replace the certificates already delivered by the previous FreeIPA CA.

flo
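The two-step procedure from Alexander's reply, wrapped in a small POSIX shell script as an added example (it is not code from this thread or from the FreeIPA project). It adds the checks an operator would want before handing the AD-signed certificate back to IPA: that the signed certificate really carries the key from the CSR, and that it is a CA certificate verifying against the AD CA chain. Assumptions not stated in the thread: the CSR location is the one the tool reports after step 1, the signed-certificate and AD-chain file names are placeholders you supply, and `ipa-certupdate` is run afterwards to refresh the trust store.

```shell
#!/bin/sh
# Added example, not code from the thread or from the FreeIPA project: wraps
# the two ipa-cacert-manage steps Alexander describes and adds the checks a
# practitioner would want before handing the AD-signed certificate back to IPA.
# Assumptions not stated in the thread: the CSR location below is the one the
# tool reports after step 1; the signed-cert and AD-chain file names are
# placeholders that the operator supplies.
set -eu

CSR_OUT=/var/lib/ipa/ca.csr   # assumed: where ipa-cacert-manage writes the CSR

# Step 1: generate a CSR for the AD (Microsoft Certificate Services) CA.
# 'ms-cs' makes the CSR carry the MS certificate-template extension
# so the AD CA issues it from its subordinate-CA template.
generate_csr() {
    ipa-cacert-manage renew --external-ca --external-ca-type=ms-cs
    echo "Have the AD CA sign $CSR_OUT, then run: $0 install SIGNED.pem AD-CHAIN.pem"
}

# Returns 0 when the signed certificate was issued for the key in the CSR,
# so IPA is not handed a certificate belonging to some other key.
key_matches_csr() {   # <csr> <signed cert>
    csr_key=$(openssl req -in "$1" -noout -pubkey)
    crt_key=$(openssl x509 -in "$2" -noout -pubkey)
    [ -n "$csr_key" ] && [ "$csr_key" = "$crt_key" ]
}

# Returns 0 when the signed certificate is a CA certificate that verifies
# against the AD CA chain; a leaf certificate or a wrong chain fails here
# rather than after IPA has already swapped its CA.
chains_to_ad_ca() {   # <signed cert> <AD CA chain pem>
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 &&
        openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Step 2: hand the signed certificate and the AD chain back to IPA, then
# refresh the local trust store (assumed: ipa-certupdate must also be run
# on every other IPA server and client).
install_signed_cert() {   # <signed cert> <AD CA chain pem>
    key_matches_csr "$CSR_OUT" "$1" ||
        { echo "signed certificate does not match the key in $CSR_OUT" >&2; return 1; }
    chains_to_ad_ca "$1" "$2" ||
        { echo "signed certificate is not a CA cert chaining to $2" >&2; return 1; }
    ipa-cacert-manage renew --external-cert-file="$1" --external-cert-file="$2"
    ipa-certupdate
}

case "${1:-}" in
    csr)     generate_csr ;;
    install) install_signed_cert "$2" "$3" ;;
esac
```

Usage: `./swap-ca.sh csr` on the IPA CA master, submit the CSR to the AD CA, then `./swap-ca.sh install signed.pem ad-chain.pem`. As flo notes, this only replaces the CA itself; certificates the old FreeIPA CA already issued stay as they are and have to be renewed separately.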
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
