On Wed, Sep 23, 2015 at 09:09:25AM +0200, David Kupka wrote:
> On 22/09/15 17:02, James Masson wrote:
> >
> >Hi,
> >
> >we're building IPAs in an automated fashion, for environments that get
> >created and destroyed a lot. At the moment, the CA certs used inside
> >these IPAs are self-signed, as part of the normal "ipa-server-install"
> >setup process.
> >
> >We would like to switch to issuing signed intermediate CA certs to the
> >IPAs we deploy.
> >
> >The documentation lists the two part process necessary for this. First
> >"--external-ca" - and then "--external-cert-file"
> >
> >Are there any ways to skip this, and give the setup process a known
> >public/private key+cert up front? I'm hoping to avoid the need to have
> >to use/send this automatically generated CSR every time.
> >
> >thanks
> >
> >James M
> >
>
> Hello James,
> currently it's not possible but making installation with externally signed
> CA single step sounds really useful to me.
> Currently certmonger is generating the CSR for FreeIPA server in the first
> step of installation. Certmonger is also able to send certificate to
> external CA for signing.
>
> I'm not sure if we could combine these two certmonger's abilities right now
> but if not it shouldn't be difficult to add functionality to certmonger to
> send the CSR to preconfigured CA instead of just storing it in file.
>
> This would of course require configuring the certmonger with information
> about the CA before FreeIPA server installation but it's just one command
> (getcert-add-ca).
>
> Could you please file a ticket (https://fedorahosted.org/freeipa/newticket)?
>

There are two sides to this - one is using Certmonger for automatic
signing of intermediate CA certificate to be used by IPA, the other is
simply using a CA cert that the administrator already possesses, e.g. in
a PKCS #12 file. These should be separate tickets.

Cheers,
Fraser

> --
> David Kupka
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project