On 05/15/17 16:44, Rob Crittenden wrote:
>
> I'm confused. You mention replacing some "externally signed certificate"
> and yet then ask about switching to externally signed certificates. What is
> the current configuration? What is signing the existing server certs? Or
> do you have an external CA signing the IPA CA?
>

The current servers have been installed with --external-ca. freeipa created a CSR, it was signed by an external CA and handed back to the freeipa server.

The question was if I should drop the whole certificate support in freeipa. It's called "CA-less install", if I got this correctly. I am not sure if it is possible to switch from external-ca to CA-less.

> ipa-cacert-manage is for managing the CA certificate, not service
> certificates.
>

Sure. Point is that I don't see how a problem in replacing freeipa's (externally signed) CA certificate with a new one affects freeipa.

Sorry to say, but at install time I did not have the impression that "ipa-server-install --external-ca" was thoroughly tested before. I ran straight into a problem, but fortunately that didn't matter, because freeipa was not in production use yet. (Look for "ipa-server-install --external-ca failed" on this mailing list, thread started 2015-12-15.)

Today it is in production use. If I brick freeipa today, then I have a huge problem, so I am concerned.

Regards
Harri

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
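The --external-ca flow Harri describes (step 1 of ipa-server-install writes a CSR for the IPA CA, an external CA signs it, step 2 takes the signed certificate and the external CA chain back) is the point where an installation usually goes wrong: the external CA has to issue a *CA* certificate for the IPA CA, not an end-entity certificate, and the certificate handed back has to match the key IPA generated. The script below is an added example, not code from the thread or from the FreeIPA project. It stands in for the real CSR with a constructed one made by openssl, plays the external CA with a constructed self-signed root, signs the CSR once correctly (CA:TRUE) and once as a leaf certificate (the mistake), and runs the pre-flight check a practitioner would want before feeding the result to step 2. The file names under $WORK, the subject names and the "external CA" are all assumptions for the demo; on a real server the CSR is the one ipa-server-install wrote (/root/ipa.csr on the versions I know) and the step-2 flags are the ones in your version's ipa-server-install man page (--external-cert-file on FreeIPA 4.x).

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): dry-run of the
# "sign the IPA CA CSR with an external CA" step, with a pre-flight check
# that catches the two common mistakes before ipa-server-install step 2 runs.
set -eu

# All constructed artefacts live here (assumption for the demo).
WORK=${WORK:-$(mktemp -d)}

# Constructed stand-in for the CSR that "ipa-server-install --external-ca"
# writes in step 1 (real path on FreeIPA 4.x: /root/ipa.csr).
make_ipa_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/ipa-ca.key" -out "$WORK/ipa.csr" \
    -subj "/O=EXAMPLE.TEST/CN=Certificate Authority" 2>/dev/null
}

# Constructed external root CA playing the role of the corporate/external CA.
make_external_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$WORK/external-ca.key" -out "$WORK/external-ca.crt" \
    -subj "/O=Example Corp/CN=External Root CA" 2>/dev/null
}

# Sign the IPA CSR with the external CA.
#   $1 = "ca"   -> basicConstraints CA:TRUE, keyCertSign (what IPA needs)
#   $1 = "leaf" -> an ordinary end-entity profile (the mistake to catch)
sign_ipa_csr() {
  mode=$1
  ext="$WORK/ext-$mode.cnf"
  if [ "$mode" = ca ]; then
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$ext"
  else
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\n' > "$ext"
  fi
  openssl x509 -req -in "$WORK/ipa.csr" \
    -CA "$WORK/external-ca.crt" -CAkey "$WORK/external-ca.key" -CAcreateserial \
    -days 1825 -extfile "$ext" -out "$WORK/ipa-ca-$mode.crt" 2>/dev/null
}

# Pre-flight check to run BEFORE step 2 (ipa-server-install
# --external-cert-file=<signed cert> --external-cert-file=<external chain>).
#   $1 = certificate returned by the external CA
#   $2 = PEM bundle of the external CA chain
# Return codes: 0 ok, 1 does not chain to the external CA,
#               2 not a CA certificate, 3 key does not match the CSR.
check_signed_ipa_ca() {
  cert=$1
  chain=$2
  # 1. It must chain to the external CA bundle we will hand to step 2.
  openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1 || return 1
  # 2. It must itself be a CA certificate; IPA will issue certs under it.
  openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE' || return 2
  # 3. Its public key must be the one from the CSR IPA generated in step 1,
  #    i.e. the external CA must not have re-keyed or picked the wrong CSR.
  csr_pub=$(openssl req -in "$WORK/ipa.csr" -noout -pubkey)
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
  [ "$csr_pub" = "$cert_pub" ] || return 3
  return 0
}

# Build the whole constructed scenario: CSR, external CA, a good and a bad signature.
run_flow() {
  make_ipa_csr
  make_external_ca
  sign_ipa_csr ca
  sign_ipa_csr leaf
}

# Demo: the correctly signed cert passes, the leaf-signed one is rejected with rc=2.
run_flow
rc=0; check_signed_ipa_ca "$WORK/ipa-ca-ca.crt" "$WORK/external-ca.crt" || rc=$?
echo "CA-signed IPA CA cert: rc=$rc"
rc=0; check_signed_ipa_ca "$WORK/ipa-ca-leaf.crt" "$WORK/external-ca.crt" || rc=$?
echo "leaf-signed IPA CA cert: rc=$rc"
```

On a real server only check_signed_ipa_ca is relevant: point it at the certificate the external CA returned and at the chain file you intend to pass as the second --external-cert-file, with $WORK/ipa.csr replaced by the CSR step 1 wrote. A certificate that fails check 2 or 3 is exactly the kind of input that leaves step 2 half-finished, which is the situation Harri is worried about bricking a production instance with.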