On 10/20/2016 05:05 AM, beeth beeth wrote:
First of all, thanks for the quick response Florence!

I have a question about your suggested steps [1] and [2]:
For [1], "ipa-cacert-manage install cert.pem". Which certificate is
this? Is it the ChainBundle cert (root cert + intermediate cert)?
For [2], "ipa-server-certinstall -d /path/to/pkcs12.p12". Which
certificate is this pkcs12.p12? Is it the Server cert?

Here's exactly what I ran initially to install the IPA server with the
Verisign certs, by following your suggestion last time (at the Admin
manual 2.3.6. Installing Without a CA), and it worked well:

# ipa-server-install --http-cert-file ServerCertificate.crt
--http-cert-file ipaserver1.encrypted.key --http-pin MYipakey
--dirsrv-cert-file ServerCertificate.crt --dirsrv-cert-file
ipaserver1.encrypted.key --dirsrv-pin MYipakey --ca-cert-file
ChainBundle2.crt

So, basically the installation requested 3 items: the server
key (ipaserver1.encrypted.key), the server certificate from
Verisign (ServerCertificate.crt), and the "root+intermediate" certs from
Verisign (ChainBundle2.crt).
Now let's say such a Verisign certificate expires, and I want to replace
the certs with ones from GoDaddy (another public cert provider). I assume a new set
of certs, including the new key, the new server cert, and the new Chain
cert (root+intermediate), 3 items in total, will need to be included in the
commands for the third-party certificate replacement.
The steps [1] and [2] only show two inputs, so I am not sure what I have
been missing.

Hi,

Sorry if I was not clear enough. The first step (ipa-cacert-manage install) aims at adding the CA certificate thus the root+intermediate certs should be provided.

The step with ipa-server-certinstall configures the Server Cert (-d if you want to replace the LDAP cert, -w for HTTP cert), meaning that the Server-Cert and key should be provided. The man page details all the supported formats, and it is possible to provide multiple files.

Hope this clarifies,
Flo.

Please advise the detail. Thanks again!
Beeth


On Wed, Oct 19, 2016 at 11:49 AM, Florence Blanc-Renaud <f...@redhat.com
<mailto:f...@redhat.com>> wrote:

    On 10/19/2016 05:23 PM, beeth beeth wrote:

        I once asked about installing IPA servers with a certificate provided by
        a third party like Verisign
        (https://www.redhat.com/archives/freeipa-users/2016-September/msg00440.html).
        Florence, Rob and Jakub from Redhat had been very helpful, and
        pointed out the solution at
        https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-server-without-ca,
        about "Installing Without a CA", and it worked great!

        Now another problem came up: the Verisign (or any other)
        certificate will expire in a year or two. How can I smoothly
        renew the Verisign certificate on the primary and replica IPA servers a
        year from now? Or if we decide to use another provider, say a Godaddy
        certificate, how can I replace the existing certificate on both IPA servers?
        I found a relevant instruction at
        https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#auto-cert-renewal,
        but that's about the "Dogtag" CA certificate, not about the
        third-party certificate I am using in our upcoming production
        environment (running IPA 4.2 on RHEL7).

    Hi,

    if you plan to use another CA (for instance switch from Verisign to
    Godaddy), you will need first to install the new CA certificate with
    ipa-cacert-manage install and ipa-certupdate. The instructions are
    in 30.4 Manual CA Certificate Installation [1].

    Then, if you want to change the HTTP and LDAP certificates for your
    server, you can use the ipa-server-certinstall utility [2].

    [1]
    https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#manual-cert-install

    [2]
    https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#Configuring_Certificates_and_Certificate_Authorities

    Hope this helps,
    Flo.


        Please advise. Thank you!
        Beeth
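The script below is an added example for this thread; it is not code from any of the posts or from the FreeIPA project. It strings together the two steps Florence describes (ipa-cacert-manage install with the root+intermediate bundle followed by ipa-certupdate, then ipa-server-certinstall with the server cert and key packaged as PKCS#12) and adds the preflight checks a practitioner wants before touching a production server: that the new server certificate actually validates against the bundle being installed as CA, and that the private key belongs to that certificate. Assumptions not stated in the thread: openssl is available on the server, and the file names are placeholders standing in for your own provider's files.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA. Steps:
#   [1] ipa-cacert-manage install <root+intermediate bundle>, then ipa-certupdate
#   [2] ipa-server-certinstall -w -d <PKCS#12 holding the server cert and key>
# Assumed: openssl is installed; all file names are placeholders.
set -eu

# Run a privileged command, or only print it when DRY_RUN=1 so the plan can be
# reviewed (and tested) before it is applied on the real server.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "+ $*"
  else
    "$@"
  fi
}

# Preflight 1: the new server cert must validate against the bundle that is
# about to become the trusted CA, otherwise clients reject the service after
# the swap. The bundle holds root + intermediate, so -CAfile alone suffices.
check_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null
}

# Preflight 2: the private key must belong to the server cert. A mismatch is
# the usual reason httpd or dirsrv fail to start after ipa-server-certinstall.
# (An encrypted key makes openssl prompt for its passphrase here.)
check_key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -pubkey -noout)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Package cert + key as PKCS#12, the input format ipa-server-certinstall takes.
# The export password is read from a file so it never shows up in `ps` output.
make_pkcs12() {
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "file:$4"
  chmod 600 "$3"
}

# The replacement itself: step [1] with the chain bundle, step [2] with the
# PKCS#12. -w and -d together replace both the HTTP and the LDAP certificate.
# ipa-server-certinstall prompts for the PKCS#12 password rather than taking
# it on the command line.
replace_certs() {
  run ipa-cacert-manage install "$1"
  run ipa-certupdate
  run ipa-server-certinstall -w -d "$2"
}

main() {
  chain=${CHAIN_BUNDLE:-ChainBundle2.crt}      # root + intermediate from the provider
  cert=${SERVER_CERT:-ServerCertificate.crt}   # end-entity cert for this IPA server
  key=${SERVER_KEY:-ipaserver1.encrypted.key}  # its private key
  passfile=${P12_PASS_FILE:-/root/p12.pass}    # mode 600 file with the export password
  p12=${P12_OUT:-/root/ipaserver1.p12}
  check_chain "$chain" "$cert"
  check_key_matches_cert "$cert" "$key"
  make_pkcs12 "$cert" "$key" "$p12" "$passfile"
  replace_certs "$chain" "$p12"
}

# Only perform the replacement when explicitly asked. With DRY_RUN=1 the
# preflight checks and the PKCS#12 export still run, but the ipa commands
# are printed instead of executed.
if [ "${1:-}" = "--apply" ]; then
  main
fi
```

The CA step stores the new bundle in the IPA LDAP tree, so ipa-cacert-manage install is needed once, while ipa-certupdate has to run on every server (primary and replicas) to pull it into the local trust stores; ipa-server-certinstall is per server, each with its own PKCS#12. Run it with DRY_RUN=1 first and compare the printed plan with the two steps in Florence's reply before applying.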




--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
