Henrik Johansson via FreeIPA-users wrote:
>> On 31 Oct 2018, at 13:27, Andrey Bondarenko via FreeIPA-users
>> <freeipa-users@lists.fedorahosted.org> wrote:
>>
>> It would create CSR for you on install.
>
> When are they generated? I know it does that when configuring IPA as a
> sub-CA with "--external-ca", but without any CA I am supposed to specify
> the certificates when running ipa-server-install?

A CSR is not generated in the CAless case. You have to provide a PKCS#12 file containing the private key and certificate for each type of certificate required (yes, you can use the same for LDAP and HTTP). The CA chain can be provided using --ca-cert-file IIRC. Where this comes from is up to you.

> "You must request these certificates from a third-party authority prior
> to the installation:
>
> An LDAP server certificate and a private key
>
> An Apache server certificate and a private key
>
> Full CA certificate chain of the CA that issued the LDAP and Apache
> server certificates"
>
> And the only options related to this seem to be the ones specifying the
> location of the certificates to use?

Correct. AND you have to do the same when setting up any replicas.

rob
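A pre-flight check for the bundles described in the reply above, as an added example that is not part of the original thread or of FreeIPA: it confirms that a PKCS#12 file opens, that its private key matches its certificate, and that the certificate chains to the CA file you intend to supply. It assumes the `openssl` command-line tool is installed; `check_p12` and the `P12_PASS` variable are hypothetical names chosen for this sketch.

```shell
#!/usr/bin/env bash
# Added example, not FreeIPA code. check_p12 and P12_PASS are hypothetical names.
# Usage: P12_PASS='...' ./check_p12.sh bundle.p12 ca-chain.pem
# The password is read from the environment so it stays off the command line.
check_p12() {
    local p12=$1 ca=$2 tmp cert_pub key_pub rc=0
    tmp=$(mktemp -d) || return 2   # 0700 directory; holds the decrypted key briefly

    # 1. The bundle must open with the password and yield a leaf cert and a key.
    if ! openssl pkcs12 -in "$p12" -passin env:P12_PASS -clcerts -nokeys \
            -out "$tmp/cert.pem" 2>/dev/null ||
       ! openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes \
            -out "$tmp/key.pem" 2>/dev/null; then
        echo "FAIL: cannot read certificate and key from $p12" >&2
        rm -rf "$tmp"; return 1
    fi

    # 2. The private key must belong to the certificate (compare public keys).
    cert_pub=$(openssl x509 -in "$tmp/cert.pem" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$tmp/key.pem" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: private key does not match the certificate" >&2; rc=1
    fi

    # 3. The certificate must chain to the supplied CA file only (system trust
    #    directory excluded); openssl verify also rejects expired certificates.
    if ! openssl verify -no-CApath -CAfile "$ca" "$tmp/cert.pem" >/dev/null 2>&1; then
        echo "FAIL: certificate does not verify against $ca" >&2; rc=1
    fi

    rm -rf "$tmp"
    return "$rc"
}

# Run the check when called with a bundle and a CA file.
if [ "$#" -eq 2 ]; then check_p12 "$1" "$2"; fi
```

Run it once per bundle (LDAP and HTTP, or once if the same file serves both), and again on each replica before installing there.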