Re: [Freeipa-users] Certs.

2014-09-17 Thread Rob Crittenden

Walid wrote:

Hi Rob,

Self signed IPA certificate I saw it is 20 years, however how about the
client nodes renewal, I see here it is automated, how, and when


For renewed CA certificate distribution, we are working on it in ticket 
https://fedorahosted.org/freeipa/ticket/4322


For any server certificates on a client then certmonger is the way to 
go, and is our recommended mechanism. It will monitor and automatically 
renew any certificates installed (well, any it has permission to renew).


rob



On 16 September 2014 20:13, Rob Crittenden <rcrit...@redhat.com> wrote:

Walid wrote:

Hi Dmitri,

I am interested in the renewal process, how would that happen for
clients, and when would it happen?


It depends on what scenario you're talking about (self-signed IPA
cert, IPA as subordinate, user-provided certificates), and what
certs you mean.

rob


On 11 September 2014 03:01, Dmitri Pal <d...@redhat.com> wrote:

On 09/10/2014 07:57 PM, William Graboyes wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi Dmitri,

Production Environment is going to be RH 6.5,  We are still evaluating
the usage of systemd. More like we are taking a wait and see approach
to systemd, while actively testing it.

The command line options for chaining are there from day one.
So you would need to chain your production environment when you
deploy it.
In future when you migrate to later versions (in couple of years or
so) you will be able to change the chaining using the new tools.
Right now it is a very hard multi step manual procedure. This is why
we developed the tool.
But you should be all set for now. You would not need to change
anything for several years.

Thanks
Dmitri

Thanks,
Bill

On Wed Sep 10 16:49:24 2014, Dmitri Pal wrote:

On 09/10/2014 07:26 PM, William Graboyes wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi Chris,

Thank you for the suggestion. Looking at
http://www.redhat.com/archives/freeipa-users/2014-August/msg00334.html

Installing a new, third party cert requires a reinstall of IPA?  IPA
Devs, that is a bit silly don't you think?  A year or two in the cert
expires, now you have to start from scratch?  I will wait for some form
of response before I attempt at eating crow in front of management.

I forgot to mention, free-ipa version ipa-server-3.0.0-37.el6.x86_64.

Since 3.0 internal certs are issued for 2 years and are renewed
automatically. The root cert is valid for more than two years (AFAIR
it is 20).

On Wed Sep 10 15:55:56 2014, Chris Whittle wrote:

Search the list for a post by me and certs...  Basically there is a
install flag that will do all the work for you once you have it the
cert in the right format.
On Sep 10, 2014 5:53 PM, "William Graboyes" <wgrabo...@cenic.org> wrote:

* *BEGIN ENCRYPTED or SIGNED PART* *

Hello list,

I have been fruitlessly searching for some information, especially
related to Certs, namely how to replace the self signed certs with
certs from a trusted CA?  As we are moving forward into
productionizing of our free-ipa install, I am finding in
Re: [Freeipa-users] Certs.

2014-09-16 Thread Rob Crittenden

Walid wrote:

Hi Dmitri,

I am interested in the renewal process, how would that happen for
clients, and when would it happen?


It depends on what scenario you're talking about (self-signed IPA cert, 
IPA as subordinate, user-provided certificates), and what certs you mean.


rob



On 11 September 2014 03:01, Dmitri Pal <d...@redhat.com> wrote:

On 09/10/2014 07:57 PM, William Graboyes wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi Dmitri,

Production Environment is going to be RH 6.5,  We are still evaluating
the usage of systemd. More like we are taking a wait and see approach
to systemd, while actively testing it.

The command line options for chaining are there from day one.
So you would need to chain your production environment when you
deploy it.
In future when you migrate to later versions (in couple of years or
so) you will be able to change the chaining using the new tools.
Right now it is a very hard multi step manual procedure. This is why
we developed the tool.
But you should be all set for now. You would not need to change
anything for several years.

Thanks
Dmitri

Thanks,
Bill

On Wed Sep 10 16:49:24 2014, Dmitri Pal wrote:

On 09/10/2014 07:26 PM, William Graboyes wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi Chris,

Thank you for the suggestion. Looking at
http://www.redhat.com/archives/freeipa-users/2014-August/msg00334.html

Installing a new, third party cert requires a reinstall of IPA?  IPA
Devs, that is a bit silly don't you think?  A year or two in the cert
expires, now you have to start from scratch?  I will wait for some form
of response before I attempt at eating crow in front of management.

I forgot to mention, free-ipa version ipa-server-3.0.0-37.el6.x86_64.

Since 3.0 internal certs are issued for 2 years and are renewed
automatically. The root cert is valid for more than two years (AFAIR
it is 20).

On Wed Sep 10 15:55:56 2014, Chris Whittle wrote:

Search the list for a post by me and certs...  Basically there is a
install flag that will do all the work for you once you have it the
cert in the right format.
On Sep 10, 2014 5:53 PM, "William Graboyes" <wgrabo...@cenic.org> wrote:

* *BEGIN ENCRYPTED or SIGNED PART* *

Hello list,

I have been fruitlessly searching for some information, especially
related to Certs, namely how to replace the self signed certs with
certs from a trusted CA?  As we are moving forward into
productionizing of our free-ipa install, I am finding information on
the net to be a bit lacking.  There is also the possibility that I am
not looking in the right places, or using the correct search terms.
Any help on this front would be greatly appreciated.

Thanks,
Bill

** *END ENCRYPTED or SIGNED PART* **

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project



Re: [Freeipa-users] Certs.

2014-09-16 Thread Walid
Hi Dmitri,

I am interested in the renewal process, how would that happen for clients,
and when would it happen?

On 11 September 2014 03:01, Dmitri Pal  wrote:

> On 09/10/2014 07:57 PM, William Graboyes wrote:
>
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA512
>>
>> Hi Dmitri,
>>
>> Production Environment is going to be RH 6.5,  We are still evaluating
>> the usage of systemd. More like we are taking a wait and see approach
>> to systemd, while actively testing it.
>>
> The command line options for chaining are there from day one.
> So you would need to chain your production environment when you deploy it.
> In future when you migrate to later versions (in couple of years or so)
> you will be able to change the chaining using the new tools. Right now it
> is a very hard multi step manual procedure. This is why we developed the
> tool.
> But you should be all set for now. You would not need to change anything
> for several years.
>
> Thanks
> Dmitri
>
>
>
>  Thanks,
>> Bill
>>
>> On Wed Sep 10 16:49:24 2014, Dmitri Pal wrote:
>>
>>> On 09/10/2014 07:26 PM, William Graboyes wrote:
>>>
>>>> -BEGIN PGP SIGNED MESSAGE-
>>>> Hash: SHA512
>>>>
>>>> Hi Chris,
>>>>
>>>> Thank you for the suggestion. Looking at
>>>> http://www.redhat.com/archives/freeipa-users/2014-August/msg00334.html
>>>>
>>>> Installing a new, third party cert requires a reinstall of IPA?  IPA
>>>> Devs, that is a bit silly don't you think?  A year or two in the cert
>>>> expires, now you have to start from scratch?  I will wait for some form
>>>> of response before I attempt at eating crow in front of management.
>>>>
>>>> I forgot to mention, free-ipa version ipa-server-3.0.0-37.el6.x86_64.
>>>>
>>> Since 3.0 internal certs are issued for 2 years and are renewed
>>> automatically. The root cert is valid for more than two years (AFAIR
>>> it is 20).
>>>
>>>> On Wed Sep 10 15:55:56 2014, Chris Whittle wrote:
>>>>
>>>>> Search the list for a post by me and certs...  Basically there is a
>>>>> install
>>>>> flag that will do all the work for you once you have it the cert in the
>>>>> right format.
>>>>> On Sep 10, 2014 5:53 PM, "William Graboyes"
>>>>> wrote:
>>>>>
>>>>> * *BEGIN ENCRYPTED or SIGNED PART* *
>>>>>
>>>>> Hello list,
>>>>>
>>>>> I have been fruitlessly searching for some information, especially
>>>>> related to Certs, namely how to replace the self signed certs with
>>>>> certs from a trusted CA?  As we are moving forward into
>>>>> productionizing of our free-ipa install, I am finding information on
>>>>> the net to be a bit lacking.  There is also the possibility that I am
>>>>> not looking in the right places, or using the correct search terms.
>>>>> Any help on this front would be greatly appreciated.
>>>>>
>>>>> Thanks,
>>>>> Bill
>>>>>
>>>>>
>>>>> ** *END ENCRYPTED or SIGNED PART* **
>

Re: [Freeipa-users] Certs.

2014-09-10 Thread Rob Crittenden
Dmitri Pal wrote:
> On 09/10/2014 07:57 PM, William Graboyes wrote:
> Hi Dmitri,
> 
> Production Environment is going to be RH 6.5,  We are still evaluating
> the usage of systemd. More like we are taking a wait and see approach
> to systemd, while actively testing it.
>> The command line options for chaining are there from day one.
>> So you would need to chain your production environment when you deploy it.
>> In future when you migrate to later versions (in couple of years or so)
>> you will be able to change the chaining using the new tools. Right now
>> it is a very hard multi step manual procedure. This is why we developed
>> the tool.
>> But you should be all set for now. You would not need to change anything
>> for several years.

I also think we need to understand what you mean by replace the certs.
Do you just want to replace the web and ldap certs, and never need to
use any IPA-issued certificates or are you looking to replace the entire CA?

rob



Re: [Freeipa-users] Certs.

2014-09-10 Thread Dmitri Pal

On 09/10/2014 07:26 PM, William Graboyes wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi Chris,

Thank you for the suggestion. Looking at
http://www.redhat.com/archives/freeipa-users/2014-August/msg00334.html

Installing a new, third party cert requires a reinstall of IPA?  IPA
Devs, that is a bit silly don't you think?  A year or two in the cert
expires, now you have to start from scratch?  I will wait for some form
of response before I attempt at eating crow in front of management.

I forgot to mention, free-ipa version ipa-server-3.0.0-37.el6.x86_64.


Since 3.0 internal certs are issued for 2 years and are renewed 
automatically. The root cert is valid for more than two years (AFAIR it 
is 20).








On Wed Sep 10 15:55:56 2014, Chris Whittle wrote:

Search the list for a post by me and certs...  Basically there is a install
flag that will do all the work for you once you have it the cert in the
right format.
On Sep 10, 2014 5:53 PM, "William Graboyes"  wrote:

* *BEGIN ENCRYPTED or SIGNED PART* *

Hello list,

I have been fruitlessly searching for some information, especially
related to Certs, namely how to replace the self signed certs with
certs from a trusted CA?  As we are moving forward into
productionizing of our free-ipa install, I am finding information on
the net to be a bit lacking.  There is also the possibility that I am
not looking in the right places, or using the correct search terms.
Any help on this front would be greatly appreciated.

Thanks,
Bill


** *END ENCRYPTED or SIGNED PART* **






--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



Re: [Freeipa-users] Certs.

2014-09-10 Thread Dmitri Pal

On 09/10/2014 07:57 PM, William Graboyes wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi Dmitri,

Production Environment is going to be RH 6.5,  We are still evaluating
the usage of systemd. More like we are taking a wait and see approach
to systemd, while actively testing it.

The command line options for chaining are there from day one.
So you would need to chain your production environment when you deploy it.
In future when you migrate to later versions (in couple of years or so) 
you will be able to change the chaining using the new tools. Right now 
it is a very hard multi step manual procedure. This is why we developed 
the tool.
But you should be all set for now. You would not need to change anything 
for several years.


Thanks
Dmitri



Thanks,
Bill

On Wed Sep 10 16:49:24 2014, Dmitri Pal wrote:

On 09/10/2014 07:26 PM, William Graboyes wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi Chris,

Thank you for the suggestion. Looking at
http://www.redhat.com/archives/freeipa-users/2014-August/msg00334.html

Installing a new, third party cert requires a reinstall of IPA?  IPA
Devs, that is a bit silly don't you think?  A year or two in the cert
expires, now you have to start from scratch?  I will wait for some form
of response before I attempt at eating crow in front of management.

I forgot to mention, free-ipa version ipa-server-3.0.0-37.el6.x86_64.

Since 3.0 internal certs are issued for 2 years and are renewed
automatically. The root cert is valid for more than two years (AFAIR
it is 20).






On Wed Sep 10 15:55:56 2014, Chris Whittle wrote:

Search the list for a post by me and certs...  Basically there is a
install
flag that will do all the work for you once you have it the cert in the
right format.
On Sep 10, 2014 5:53 PM, "William Graboyes" 
wrote:

* *BEGIN ENCRYPTED or SIGNED PART* *

Hello list,

I have been fruitlessly searching for some information, especially
related to Certs, namely how to replace the self signed certs with
certs from a trusted CA?  As we are moving forward into
productionizing of our free-ipa install, I am finding information on
the net to be a bit lacking.  There is also the possibility that I am
not looking in the right places, or using the correct search terms.
Any help on this front would be greatly appreciated.

Thanks,
Bill


** *END ENCRYPTED or SIGNED PART* **






--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



Re: [Freeipa-users] Certs.

2014-09-10 Thread William Graboyes
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi Dmitri,

Production Environment is going to be RH 6.5,  We are still evaluating
the usage of systemd. More like we are taking a wait and see approach
to systemd, while actively testing it.

Thanks,
Bill

On Wed Sep 10 16:49:24 2014, Dmitri Pal wrote:
> On 09/10/2014 07:26 PM, William Graboyes wrote:
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA512
>>
>> Hi Chris,
>>
>> Thank you for the suggestion. Looking at
>> http://www.redhat.com/archives/freeipa-users/2014-August/msg00334.html
>>
>> Installing a new, third party cert requires a reinstall of IPA?  IPA
>> Devs, that is a bit silly don't you think?  A year or two in the cert
>> expires, now you have to start from scratch?  I will wait for some form
>> of response before I attempt at eating crow in front of management.
>>
>> I forgot to mention, free-ipa version ipa-server-3.0.0-37.el6.x86_64.
>
> Since 3.0 internal certs are issued for 2 years and are renewed
> automatically. The root cert is valid for more than two years (AFAIR
> it is 20).
>
>
>
>>
>>
>>
>> On Wed Sep 10 15:55:56 2014, Chris Whittle wrote:
>>> Search the list for a post by me and certs...  Basically there is a
>>> install
>>> flag that will do all the work for you once you have it the cert in the
>>> right format.
>>> On Sep 10, 2014 5:53 PM, "William Graboyes" 
>>> wrote:
>>>
>>> * *BEGIN ENCRYPTED or SIGNED PART* *
>>>
>>> Hello list,
>>>
>>> I have been fruitlessly searching for some information, especially
>>> related to Certs, namely how to replace the self signed certs with
>>> certs from a trusted CA?  As we are moving forward into
>>> productionizing of our free-ipa install, I am finding information on
>>> the net to be a bit lacking.  There is also the possibility that I am
>>> not looking in the right places, or using the correct search terms.
>>> Any help on this front would be greatly appreciated.
>>>
>>> Thanks,
>>> Bill
>>>
>>>
>>> ** *END ENCRYPTED or SIGNED PART* **
>>>


Re: [Freeipa-users] Certs.

2014-09-10 Thread Dmitri Pal

On 09/10/2014 06:50 PM, William Graboyes wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hello list,

I have been fruitlessly searching for some information, especially
related to Certs, namely how to replace the self signed certs with
certs from a trusted CA?

This is an install time decision so when you deploy a new production 
environment you will need to use the ipa-server-install with the related 
arguments to do the chaining.



As we are moving forward into
productionizing of our free-ipa install, I am finding information on
the net to be a bit lacking.  There is also the possibility that I am
not looking in the right places, or using the correct search terms.
Any help on this front would be greatly appreciated.


The ability to replace the cert from being a self signed to a chained is 
a feature that is coming in IPA 4.1
The design page is here: 
http://www.freeipa.org/page/V4/CA_certificate_renewal


What distro are you planning to use? It is considered for the next 
release of RHEL.




Thanks,
Bill




--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



Re: [Freeipa-users] Certs.

2014-09-10 Thread Chris Whittle
There are other instructions but I could never get a fully successful setup
until that one.
On Sep 10, 2014 6:26 PM, "William Graboyes"  wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> Hi Chris,
>
> Thank you for the suggestion. Looking at
> http://www.redhat.com/archives/freeipa-users/2014-August/msg00334.html
>
> Installing a new, third party cert requires a reinstall of IPA?  IPA
> Devs, that is a bit silly don't you think?  A year or two in the cert
> expires, now you have to start from scratch?  I will wait for some form
> of response before I attempt at eating crow in front of management.
>
> I forgot to mention, free-ipa version ipa-server-3.0.0-37.el6.x86_64.
>
>
>
> On Wed Sep 10 15:55:56 2014, Chris Whittle wrote:
> > Search the list for a post by me and certs...  Basically there is a
> install
> > flag that will do all the work for you once you have it the cert in the
> > right format.
> > On Sep 10, 2014 5:53 PM, "William Graboyes"  wrote:
> >
> >>
> >
> > * *BEGIN ENCRYPTED or SIGNED PART* *
> >
> > Hello list,
> >
> > I have been fruitlessly searching for some information, especially
> > related to Certs, namely how to replace the self signed certs with
> > certs from a trusted CA?  As we are moving forward into
> > productionizing of our free-ipa install, I am finding information on
> > the net to be a bit lacking.  There is also the possibility that I am
> > not looking in the right places, or using the correct search terms.
> > Any help on this front would be greatly appreciated.
> >
> > Thanks,
> > Bill
> >
> >
> > ** *END ENCRYPTED or SIGNED PART* **
> >
> >>

Re: [Freeipa-users] Certs.

2014-09-10 Thread William Graboyes
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi Chris,

Thank you for the suggestion. Looking at
http://www.redhat.com/archives/freeipa-users/2014-August/msg00334.html

Installing a new, third party cert requires a reinstall of IPA?  IPA
Devs, that is a bit silly don't you think?  A year or two in the cert
expires, now you have to start from scratch?  I will wait for some form
of response before I attempt at eating crow in front of management.

I forgot to mention, free-ipa version ipa-server-3.0.0-37.el6.x86_64.



On Wed Sep 10 15:55:56 2014, Chris Whittle wrote:
> Search the list for a post by me and certs...  Basically there is a install
> flag that will do all the work for you once you have it the cert in the
> right format.
> On Sep 10, 2014 5:53 PM, "William Graboyes"  wrote:
>
>>
>
> * *BEGIN ENCRYPTED or SIGNED PART* *
>
> Hello list,
>
> I have been fruitlessly searching for some information, especially
> related to Certs, namely how to replace the self signed certs with
> certs from a trusted CA?  As we are moving forward into
> productionizing of our free-ipa install, I am finding information on
> the net to be a bit lacking.  There is also the possibility that I am
> not looking in the right places, or using the correct search terms.
> Any help on this front would be greatly appreciated.
>
> Thanks,
> Bill
>
>
> ** *END ENCRYPTED or SIGNED PART* **
>
>>


Re: [Freeipa-users] Certs.

2014-09-10 Thread Chris Whittle
Search the list for a post by me and certs...  Basically there is a install
flag that will do all the work for you once you have it the cert in the
right format.
On Sep 10, 2014 5:53 PM, "William Graboyes"  wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> Hello list,
>
> I have been fruitlessly searching for some information, especially
> related to Certs, namely how to replace the self signed certs with
> certs from a trusted CA?  As we are moving forward into
> productionizing of our free-ipa install, I am finding information on
> the net to be a bit lacking.  There is also the possibility that I am
> not looking in the right places, or using the correct search terms.
> Any help on this front would be greatly appreciated.
>
> Thanks,
> Bill

[Freeipa-users] Certs.

2014-09-10 Thread William Graboyes
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hello list,

I have been fruitlessly searching for some information, especially
related to Certs, namely how to replace the self signed certs with
certs from a trusted CA?  As we are moving forward into
productionizing of our free-ipa install, I am finding information on
the net to be a bit lacking.  There is also the possibility that I am
not looking in the right places, or using the correct search terms.
Any help on this front would be greatly appreciated.

Thanks,
Bill