On Wed, Sep 23, 2015 at 11:16:27AM +0100, James Masson wrote:
>
> On 23/09/15 11:03, Fraser Tweedale wrote:
> >On Wed, Sep 23, 2015 at 09:09:25AM +0200, David Kupka wrote:
> >>On 22/09/15 17:02, James Masson wrote:
> >>>
> >>>Hi,
> >>>
> >>>we're building IPAs in an automated fashion, for environments that get
> >>>created and destroyed a lot. At the moment, the CA certs used inside
> >>>these IPAs are self-signed, as part of the normal "ipa-server-install"
> >>>setup process.
> >>>
> >>>We would like to switch to issuing signed intermediate CA certs to the
> >>>IPAs we deploy.
> >>>
> >>>The documentation lists the two-part process necessary for this. First
> >>>"--external-ca" - and then "--external-cert-file"
> >>>
> >>>Are there any ways to skip this, and give the setup process a known
> >>>public/private key+cert up front? I'm hoping to avoid the need to have
> >>>to use/send this automatically generated CSR every time.
> >>>
> >>>thanks
> >>>
> >>>James M
> >>>
> >>
> >>Hello James,
> >>currently it's not possible but making installation with externally signed
> >>CA single step sounds really useful to me.
> >>Currently certmonger is generating the CSR for FreeIPA server in the first
> >>step of installation. Certmonger is also able to send certificate to
> >>external CA for signing.
> >>
> >>I'm not sure if we could combine these two certmonger's abilities right now
> >>but if not it shouldn't be difficult to add functionality to certmonger to
> >>send the CSR to preconfigured CA instead of just storing it in file.
> >>
> >>This would of course require configuring the certmonger with information
> >>about the CA before FreeIPA server installation but it's just one command
> >>(getcert-add-ca).
> >>
> >>Could you please file a ticket (https://fedorahosted.org/freeipa/newticket)?
> >>
> >There are two sides to this - one is using Certmonger for automatic
> >signing of intermediate CA certificate to be used by IPA, the other
> >is simply using a CA cert that the administrator already possesses,
> >e.g. in a PKCS #12 file. These should be separate tickets.
> >
> >Cheers,
> >Fraser
> >
> >>--
> >>David Kupka
> >>
> >>--
> >>Manage your subscription for the Freeipa-users mailing list:
> >>https://www.redhat.com/mailman/listinfo/freeipa-users
> >>Go to http://freeipa.org for more info on the project
>
> Done -
>
> https://fedorahosted.org/freeipa/ticket/5317
> https://fedorahosted.org/freeipa/ticket/5318
>
> Would it be possible to use Certmonger to help the 2-step process used at
> the moment?
>
> i.e. run 'ipa-server-install' the first time - get the CSR
> use local Certmonger to handle the CSR submission to upstream CA
> use the resulting Cert in the second 'ipa-server-install'
>
> Any pointers?
>
> regards
>
> James M
>
I don't see an option for certmonger to use an existing CSR but you
could ask it to create and track a new CSR for the same key. See
getcert-request(1) for full details.

Cheers,
Fraser
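Whichever way the CSR reaches the upstream CA, the certificate that comes back is worth checking before it goes into the second ipa-server-install run via --external-cert-file: it must carry the key from the CSR, be a CA certificate, and chain to the external root. The check below is an added example, not code from the thread or from FreeIPA/certmonger; it assumes openssl is installed and takes the CSR (ipa-server-install --external-ca writes it to /root/ipa.csr), the returned cert and the external chain as file arguments (all paths are placeholders).

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project.
# Sanity-check the certificate an external CA returned before running the
# second ipa-server-install (--external-cert-file) step. Assumes openssl in PATH.

# pubkey_hash MODE FILE   (MODE is "req" for a CSR, "x509" for a certificate)
# Prints a SHA-256 digest of the DER-encoded public key, fails if none is found.
pubkey_hash() {
    pem=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER | openssl dgst -sha256
}

# check_external_cert CSR CERT CA_CHAIN
#   CSR      the request produced by step one (/root/ipa.csr by default)
#   CERT     the signed CA certificate returned by the external CA (PEM)
#   CA_CHAIN PEM bundle of the external root (and intermediates, if any)
# Returns 0 only if every check passes; the first failure is reported on stderr.
check_external_cert() {
    csr=$1; cert=$2; chain=$3

    # 1. Key binding: the cert must contain the public key from the CSR we sent,
    #    otherwise it will not match the CA key generated in step one.
    csr_pub=$(pubkey_hash req "$csr") || { echo "cannot read key from $csr" >&2; return 1; }
    cert_pub=$(pubkey_hash x509 "$cert") || { echo "cannot read key from $cert" >&2; return 1; }
    if [ "$csr_pub" != "$cert_pub" ]; then
        echo "public key in $cert does not match $csr" >&2; return 1
    fi

    # 2. It must be a CA certificate (basicConstraints CA:TRUE); an end-entity
    #    cert cannot be used to sign the IPA server's own certificates.
    if ! openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE'; then
        echo "$cert is not a CA certificate" >&2; return 1
    fi

    # 3. It must validate against the external chain that will be handed to
    #    ipa-server-install together with it, so the trust path is complete.
    if ! openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1; then
        echo "$cert does not chain to $chain" >&2; return 1
    fi
    return 0
}
```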