Dne 8.4.2015 v 17:43 James James napsal(a):
It's a little bit more clear. Thanks.
I have created a new ipa 4.1 replica but when I want run :
# ipa-cacert-manage renew --self-signed
I've got this message :
[root@ipa-devel-centos7 ~]# ipa-cacert-manage renew --self-signed
CA is not configured on this system
You can run ipa-cacert-manage only on IPA servers with CA installed.
If I want to install the CA I've got this message :
[root@ipa-devel-centos7 system]# ipa-ca-install --password=mypassorwd -U
CA is already installed.
This command is used to install CA in CA-less IPA environment. The error
message is a bit misleading and we have a ticket for that:
<https://fedorahosted.org/freeipa/ticket/4492>.
Should I have to promote the replica to a standalone master before
installing the CA ?
You need to run ipa-ca-install with the replica info file used to create
the replica to install the CA:
# ipa-ca-install <path to replica info file>
Any hints will be appreciated...
James
2015-04-08 7:27 GMT+02:00 Jan Cholasta <jchol...@redhat.com
<mailto:jchol...@redhat.com>>:
Dne 7.4.2015 v 15:31 Martin Kosek napsal(a):
On 04/07/2015 02:08 PM, James James wrote:
I will try to give a better explanation :
I have a CentOS 6.6 with ipa 3.0 named ipa-master.
ipa-master has been
installed with an external CA about 3 years ago and I will
have to renew
the certificate soon.
I have created a test server (ipa-dev) with the same
configuration (centos
6.6 and ipa 3.0) to test the renewal process. I want the new
ipa-dev sever
to be installed with an external CA.
In the same time my external CA has changed and wants the
emailAddress
field in the certificate request 's subject.
CSR during installation with external CA is produced by Dogtag,
so you are
constrained with the options and capabilities provided by
ipa-server-install.
Maybe it would be possible to modify the CSR and update the
Subject manually,
but I expect it would crash the installer later (JanC may know
more (CCed))
The subject name identifies the CA in server (and other)
certificates. If you change it, you break the trust chain from the
CA certificate to the server certificates and that will break all
SSL in IPA.
If it is not possible to add emailAddress in the subject, is
it possible to
migrate my ipa-master CA system from an external CA to a
CA-less or
self-signed CA ?
It is, with ipa-cacert-manage - see links below.
You can change your external CA to self-signed CA in IPA 4.1 or
newer by running:
# ipa-cacert-manage renew --self-signed
You can't change external CA to CA-less.
Thanks.
2015-04-07 13:48 GMT+02:00 Martin Kosek <mko...@redhat.com
<mailto:mko...@redhat.com>>:
On 04/07/2015 01:44 PM, James James wrote:
ok.
Is there a way to migrate from an external CA to a
CA-less or a
self-signed
CA ?
Yes, you can use ipa-cacert-manage tool introduced in
FreeIPA 4.1.0:
https://www.freeipa.org/page/__Howto/CA_Certificate_Renewal
<https://www.freeipa.org/page/Howto/CA_Certificate_Renewal>
https://www.freeipa.org/page/__V4/CA_certificate_renewal
<https://www.freeipa.org/page/V4/CA_certificate_renewal>
(Although I am still not sure about your use case and if
this would help
you)
2015-04-07 12:51 GMT+02:00 Martin Kosek
<mko...@redhat.com <mailto:mko...@redhat.com>>:
On 04/03/2015 11:39 AM, James James wrote:
Hello,
I want to initialize a new replica with an
external CA. My Certificate
Authority wants a CSR with the field
emailAddress in the subject like :
/C=FR/O=TESTO/OU=TESTOU/CN=*.e__xample.com/emailAddress=none@__none.com
<http://example.com/emailAddress=n...@none.com>
I am not a bit confused. Do you plan to have
FreeIPA *without* a CA or
with own
CA signed by external CA?
FreeIPA supports these kinds of setups right now:
http://www.freeipa.org/page/__PKI#Blending_in_PKI___infrastructure
<http://www.freeipa.org/page/PKI#Blending_in_PKI_infrastructure>
How can I do with the ipa-server-install
command ? I have been trying
for
few days but I still can't.
Thanks for your help.
CCing Honza who should know the definitive
answer. However, FreeIPA was
not
very flexible in configuring special subjects
for it's CA certificate
(i.e.
cn=Certificate Authority, ou=...) or hosts in
case of CA-less setup.
--
Jan Cholasta
--
Jan Cholasta
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
