On Wed, Oct 31, 2018 at 11:58:57AM -0400, Rob Crittenden via FreeIPA-users wrote:
> Henrik Johansson via FreeIPA-users wrote:
> >
> >
> >> On 31 Oct 2018, at 13:27, Andrey Bondarenko via FreeIPA-users
> >> <freeipa-users@lists.fedorahosted.org
> >> <mailto:freeipa-users@lists.fedorahosted.org>> wrote:
> >>
> >> It would create a CSR for you on install.
> >
> > When are they generated? I know it does that when configuring IPA as a
> > sub-CA with "--external-ca", but without any CA I am supposed to specify
> > the certificates when running ipa-server-install?
>
> A CSR is not generated in the CAless case. You have to provide a PKCS#12
> file containing the private key and certificate for each type of
> certificate required (yes you can use the same for LDAP and HTTP). The
> CA chain can be provided using --ca-cert-file IIRC. Where this comes
> from is up to you.
>

Note that you'll have a hard time getting a certificate signed by a public CA
with the appropriate Extended Key Usage and Subject Alternative Name values
for a KDC certificate. If you are getting certificates from some other
internal CA controlled by your organisation, no worries. Otherwise, you'll
have to make do without Kerberos PKINIT support.

Cheers,
Fraser

> >
> > "You must request these certificates from a third-party authority prior
> > to the installation:
> >
> > An LDAP server certificate and a private key
> >
> > An Apache server certificate and a private key
> >
> > Full CA certificate chain of the CA that issued the LDAP and Apache
> > server certificates"
> >
> >
> > And the only options related to this seem to be the ones specifying the
> > location of the certificates to use?
>
> Correct. AND you have to do the same when setting up any replicas.
>
> rob
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org