On 09/29/2016 11:43 AM, beeth beeth wrote:
Thanks for the quick response Florence!

My goal is to use a 3rd party certificate (such as a Verisign cert) for
the Web UI (company security requirement); in fact we are not required to
use a 3rd party certificate for the LDAP server, but as I mentioned earlier,
I couldn't make the new Verisign cert work with the Web UI without
messing up the IPA function (after I updated the nss.conf to use the new
cert in the /etc/httpd/alias db, the ipa-client-install failed). So I
tried to follow the Red Hat instructions, to see if I can get the Verisign
cert installed at the very beginning (without using FreeIPA's
own/default certificate), but I got the CSR question.

I did install IPA without a CA, by following the instructions at
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP,
but failed to restart HTTPD. When and how can I provide the 3rd-party
certificate? Could you please point me to a document about the details?
Hi,

You first need to clarify whether you want FreeIPA to act as a CA or not. The setup will depend on this choice.

- option a) FreeIPA with an embedded CA:
you can install FreeIPA with a self-signed CA, then follow the instructions at https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP in order to replace the WebUI certificate. Please note that there were some bugs in ipa-server-certinstall, preventing httpd from starting (Ticket #4786 [1]). The workaround is to manually update nss.conf (as you did) and manually import the CA certificate into /etc/pki/pki-tomcat/alias, for instance with
$ certutil -A -d /etc/pki/pki-tomcat/alias -i cacert.pem -n nickname -t C,,


- option b) FreeIPA without a CA:
The installation instructions are in Installing without a CA [2]. You will provide the certificate that will be used by both the LDAP server and the WebUI in the command options.

HTH,
Flo.

[1] https://fedorahosted.org/freeipa/ticket/4786
[2] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-ca

Thanks again!


On Thu, Sep 29, 2016 at 5:25 AM, Florence Blanc-Renaud <f...@redhat.com> wrote:

    Hi,

    The instructions that you followed are used when you want to install
    FreeIPA with an embedded Certificate Authority (i.e. FreeIPA is able
    to issue certificates), and the FreeIPA CA is signed by a 3rd party CA.

    Maybe your goal is just to use a 3rd party certificate for IPA's
    LDAP server and Web UI. In this case, you do not need to install
    FreeIPA with an embedded CA. You can follow the instructions for
    Installing without a CA [1], where you will need to provide a
    3rd-party certificate.

    Hope this clarifies,
    Flo.

    [1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-ca



    On 09/29/2016 11:03 AM, beeth beeth wrote:

        I am trying to set up IPA servers with a Verisign certificate, so
        that the Admin Web console can use a publicly signed certificate
        to meet the company's security requirement. But when I try to
        follow Red Hat's instructions at
        https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-external-ca,
        2.3.5. Installing a Server with an External CA as the Root CA,
        at the first step it says to generate a CSR by adding the
        --external-ca option to the ipa-server-install utility, which does
        generate a CSR at /root/ipa.csr. However, the ipa-server-install
        command in fact doesn't ask for the Distinguished Name (DN) or
        the organization info (like country, state, etc.), which are
        required in the CSR. Without a valid CSR file, I can't request
        new Verisign certs. Did I miss something?

        Originally I once tried to change the default certificate for
        Apache (the Web Admin console) ONLY to the Verisign one, by adding
        the certificates to the /etc/httpd/alias database with the
        command:
          # ipa-server-certinstall -w --http_pin=test verisign.pk12
        and updated the nss.conf for httpd, so that the new Nickname is
        used to point to the Verisign certs. That worked well for the
        website. However, the IPA client installation failed after that
        for the "ipa-client-install":

        ERROR Joining realm failed: libcurl failed to execute the HTTP POST
        transaction, explaining:  Peer's certificate issuer has been
        marked as not trusted by the user.

        Even when I tried to also update the certificate for the Directory
        service (ipa-server-certinstall -d ...), the client installation
        still failed. I believe the new Verisign cert messed up the
        communication of the IPA components. Then I was thinking of
        installing the IPA server from scratch with the Verisign cert,
        but then I hit the CSR problem described above.

        Please advise. Thanks!
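As an added example (not code from this thread, and not FreeIPA's own tooling): the "Peer's certificate issuer has been marked as not trusted by the user" message quoted above is the NSS error for an issuer certificate that is present in the database but carries no SSL trust flag. The POSIX shell script below reads `certutil -L` output, looks up the issuing CA's trust flags, and reports whether the SSL column carries the C flag; the `certutil -A ... -t C,,` import form is the one given in the thread, while the database paths, the nickname "Verisign Intermediate CA" and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA. It checks whether
# the issuing CA of a 3rd-party HTTP/LDAP certificate is present and trusted
# in an NSS database, the condition behind the ipa-client-install error
# "Peer's certificate issuer has been marked as not trusted by the user".
# Database paths and the CA nickname below are assumptions for illustration.

# Extract the trust-flags column for one nickname from `certutil -L` output.
# Each entry line is "<nickname>   <SSL,S/MIME,JAR>"; the nickname may contain
# spaces, so split on the last space and trim the padding certutil adds.
trust_flags_for() {
    listing="$1"; nick="$2"
    printf '%s\n' "$listing" | while IFS= read -r line; do
        case "$line" in *" "*) ;; *) continue ;; esac    # need nickname + flags
        flags=${line##* }                                # last field
        name=${line% *}                                  # everything before it
        while [ "${name% }" != "$name" ]; do name=${name% }; done   # trim right
        name=${name#"${name%%[! ]*}"}                      # trim left
        if [ "$name" = "$nick" ]; then
            printf '%s\n' "$flags"
            return 0
        fi
    done
}

# Return 0 when the SSL trust column (first of the three) carries "C",
# i.e. the certificate is trusted to issue server certificates.
ca_is_trusted() {
    case "$1" in
        *,*,*) ssl=${1%%,*} ;;
        *) return 1 ;;
    esac
    case "$ssl" in *C*) return 0 ;; *) return 1 ;; esac
}

# Live check against a real NSS database (needs certutil on the host).
check_nssdb() {
    db="$1"; nick="$2"
    flags=$(trust_flags_for "$(certutil -L -d "$db")" "$nick")
    if [ -z "$flags" ]; then
        echo "$db: CA '$nick' is not in the database" >&2
        return 1
    fi
    if ca_is_trusted "$flags"; then
        echo "$db: CA '$nick' trusted for SSL ($flags)"
        return 0
    fi
    echo "$db: CA '$nick' present but not trusted for SSL ($flags)" >&2
    return 1
}

# Import (or re-trust) a CA certificate with the flags used in the thread.
import_ca() {
    db="$1"; nick="$2"; pem="$3"
    certutil -A -d "$db" -i "$pem" -n "$nick" -t "C,,"
}

# Constructed sample listing in the shape of `certutil -L -d /etc/httpd/alias`
# after an external server cert was imported but its issuer was left untrusted.
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
Verisign Intermediate CA                                     ,,
IPA CA                                                       CT,C,C
'

# Usage on a server: sh check_nss_trust.sh --live "Verisign Intermediate CA"
if [ "${1-}" = "--live" ]; then
    rc=0
    for db in /etc/httpd/alias /etc/pki/pki-tomcat/alias; do
        check_nssdb "$db" "${2:-Verisign Intermediate CA}" || rc=1
    done
    exit "$rc"
fi
```

Run against the constructed listing, the script reports the Verisign intermediate as present but untrusted (flags `,,`) while `IPA CA` is trusted (`CT,C,C`); on a real server the same check, run over every NSS database that IPA components use, tells you which one still needs the `import_ca` step before ipa-client-install will accept the chain.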





--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project